Description
On today's stream we looked at protecting GraphQL with OAuth2. There are lots of interesting use-cases to consider here, such as how the documentation viewer gets the necessary OAuth2 tokens.
A weekly stream focused on Insomnia's open source community.
Join us on the #stream channel over on the Insomnia community Slack: https://chat.insomnia.rest
B
So if anyone's freaked out by that, it's pretty common in the States in these months of the year, or at least where I am in the States. Every once in a while, a bat will sneak through, you know, you open it. You walk into your house and open a door at night or something and they'll come right in. But yeah, that's the thing that's on my mind. It's not in this room, though, so we'll find it. They're pretty harmless creatures.
B
But you know, that's something I gotta deal with later today. You're gonna catch it yourself? Yeah, I'm gonna do the oven mitt technique in a cardboard box, so I'll just, like, they really hate the light, it's like.
B
If it's a bird, you make it dark because they can't really see well in the dark, but if it's a bat, you make it bright because they can't really do that. And then I just, like, a plastic bag doesn't work as well, because it's kind of hard to, like, get them through the hole.
B
But if you have, like, a big cardboard box and you just, like, set it over them and then you slip something underneath, you can take that outside and just let them go, and they usually know what to do next. Bats are really beneficial, though. They get rid of, they eat tons and tons of mosquitoes. Some birds, like purple martins and barn swallows, eat mosquitoes, but none so many as a bat, I think. So I kind of like having bats around, personally. Yeah.
B
Okay, anyway, Rohinton, did I say it right? Yeah, you did. How's it going?
A
Just, I like, I'm like Special K, because we get this special cake with strawberries in it. Oh.
A
Yeah, yeah, I'm okay. How's life treating you there, Insomnia land? Good, very well.
B
Cool. We've been, so, Chris, I should say Chris is kind of both old and new member of the team. He's been working with us for a little while, but now he's working in more of an engineering context. So we've been super, super excited about that, and he's already brought quite a few nice improvements to the team, so, into the project. So we're super happy to have you on board, Chris. All right.
B
Let's get cracking. What do they say? "Let's crack on", is that right? That's correct! Okay! Okay, thank you! We have a resident Brit here. So this is the first. So what I did, so, Insomnia stream. So, okay, I need to put this up, sorry. Usually in the beginning I try to add this to the screen, so on your screen you're gonna see chat.insomnia.rest.
B
If you want to join us, come on the stream, or you want to just watch, you can do that, or comment while you're watching, you can do that on YouTube or Twitch.
B
Just go to chat.insomnia.rest and everything will kind of take you to the next place from there. From there you'll join our Insomnia community Slack, and then from there you'll join the stream channel, or you'll see it on the general channel. We always post every week to the general channel, so you don't really have to join the stream channel, and you can find, you know, as we're streaming, you can find it there. All right. So, let's throw that off on the side.
B
So what I did is, I went on our issues here right before the stream, and I saw that we have two issues that we had tagged with this Insomnia stream tag, and let's just take a quick look at them. So this one here, it says "crash when attempting to authorize user with OAuth 2 implicit flow, ID and access token". Okay.
B
So, let's read through this one. So "Insomnia presents me with a pop-up where I'm able to log in with my auth provider". Okay, so right away they're talking about OAuth, right? Yeah, OAuth2, great. And then it says it crashes after displaying the pop-up. Uh-oh. When was this? April 6th. Okay, reproduction steps: set up a new request with the following parameters: OAuth implicit options, ID access token; click send; authentication pop-up appears and assign, Insomnia crashes.
B
Okay. This is pretty bad. Oh okay, I didn't, have we talked about this one before? I guess we have. I have a poor memory, I suppose. "Insomnia stops suddenly", okay, so this person, let's skip ahead a little bit. I guess we've looked at this and it's just been a while, since April, yeah. Okay, that would explain it. So somebody found, so this happens sometimes, that someone will run into a crash in a very particular situation, try to find reproduction steps, but then actually we're not able to reproduce.
B
So you saw here that I tried to reproduce this and was unable, and somebody else commented on May 25th, which I don't think I have seen. Maybe it's a duplicate of something else. So let's look here. So "Insomnia stops suddenly. It will always keep running, but sometimes I'm reviewing any issue and when I return the software it breaks, so I have to close it and open it again." Okay, reproduction steps: "Open other softwares. I don't know what the specific trigger is."
B
"What I can validate is that recently is more frequent than before Insomnia breaks." Well, that's not, does he.
B
Okay, "I found the error today". Okay, "when I kill the port that I make local requests, Insomnia stop suddenly. Run rokl's local server port 3000, open Insomnia, execute any request with Insomnia to local port, kill 3000, Insomnia is interrupted." Okay, let's try to reproduce that. So I have Insomnia open here. Let's make an HTTP request to, like, rockman.org echo, and let's put a body in here, thing one, and then we'll do thing two. All right.
B
Yes, exactly. So all right, so then I have that going. What I need to do next is, let's go back to the instructions here, so we're gonna kill port 3000. So I think I might be able to remember the command for that. I think it's fuser.
B
Let's look here: fuser kill, yeah, dash kill, and then, okay, so fuser. Put it on the side here and let's see if we watch Insomnia do anything when this happens. Where's the devtools, are they gone? I don't understand. Let's put them underneath, maybe. Yeah, and then we can do it like this. Okay. So, let's just, so we can watch the console.
B
Situational blindness there. All right, so fuser kill, and I think it's 3000 slash tcp, is the, is the syntax? Okay, nothing happened, but if I send, okay, so let's look at the logs of when we started Insomnia to make sure. Okay, it's not three thousand, it's 3334! So let's try again with 3334, three four.
B
Let's make this a little bigger so you can see. Always trying to be accommodating to people reading on their phones later or watching the stream later. Okay, so: response succeeded, server connection lost, polling for restart, killed.
B
So this is because Electron, if we go up and read higher above here, after it starts, it basically will run, it will host the sort of dev side, not the main, the app thread, but like the, we call it in Electron land the render thread, render situation, of the React side. Let's just say React side. Okay, it'll run the React side on this port, and if I run it again, I did a hard reset before, but let's do run app start.
B
It's still going to be on 3334. I have it over here, it's going to start. So what I want to know is if this is a different port in production, and I bet you it is. I'm pretty sure it's port 3000, because that's what people are talking about, but we can search it, probably fastest by looking here. Dev server port.
B
That's in the package.json! Oh, interesting! Okay, we don't want, okay, files to exclude, dot svg. Okay, we don't want that. We don't want those. Okay, so dev server, dev server port.
B
So let's try to run Insomnia. So we could demo that again, let's just kill it again. Insomnia just died right behind me. Okay, so let's try to demo with production. So I'm going to run, let's grab this, I'm going to pull up, off screen here, I'm going to pull up, I have like a cache of Insomnia betas and releases. I don't have the most recent release because it didn't download it yet, but it should be okay there.
B
Yeah, yeah, I have to. I would have to remember how first, but I.
B
Do it, okay, wait a second, I think maybe we can do it from the system manager or system monitor.
B
Build localhost, let's look here. Okay, I have an idea. Let's see if we can find it this way, so I can look at the devtools, and don't worry about those errors. Those are from something, I need to just clear that, that's from something else that I've been testing, so I'm going to refresh the page here. Window.
B
Well, how could I do that? I want to close it and open it with the dev tools open.
B
So why is it not working? Reload plugins. I'm not sure how to reproduce, so, I mean, but essentially, I mean, we did confirm. Okay, let's write up what we do know, or maybe we see. Okay, that's the next thing we could do. We could look here to see if there's any hint about what port it was running on for them. Maybe it's randomized!
B
Let's look! Let's look that up, so that config Insomnia, dot config on here.
B
Let's do this: Insomnia, okay, logs, and then just now, renderer log, four minutes ago. So let's look here, let's see if we can see what it tells us, because it's actually in this screenshot, except that it's not in the screenshot, because it's cut off, this one right here. Well, anyway, I'll find it. But where is it? Where did it open? I didn't see it open. Wait a second, wait a tick, is dot log open? No, it opens in Kate. What? Oh, here it is. Okay.
B
So let's see. Oh no, okay, it's not there! So that's that one! Let's look at this one! You know what, let's just, when in doubt, open VS Code. That's my policy! Okay! So let's search for port and see if we can see, if we get a layout here. Nope.
B
We'll host, whoa, what happened, died? No, it didn't die. Okay, sorry! So, let's back out here a little bit.
B
I'm not seeing how we could kill it, but, I mean, what we confirmed. So, let's write up what we know and see if that has any effect, because what could be happening is there's a report that Insomnia is trying to use that another program is kind of crashing on. So "we just took another look at this on the Insomnia stream".
B
I'm gonna open up Insomnia AppImage again. It's starting somewhere, give it a second. There we go. So then I'm gonna say, what's the command, so netstat pnptcp. All right, let's see what's here. Oh nice, Chrome. And then we're gonna grab Insomnia. Nothing, yeah! I don't think so. Look at all this Chrome. Insomnia! Oh, it's right there! Okay, all right! So 59212. Okay, so fuser! So, okay, we have Insomnia on the left, so I'm gonna make this a little bigger, about as big as we can go.
B
So we see here on this line, it would be local addresses in support 59212. Okay, fuser.
B
Kill 59212 tcp. Did I type it wrong? 59212.
B
Yeah, that's not going to be it. Let's run that netstat again and see if Insomnia, I guess it's case sensitive.
B
Still working, so doesn't seem to be that. That's interesting, though. I would expect it to, like, definitely crash. Well, I'll take note of this, grab the port. Okay, 59212 is.
B
Well, received, send, yeah, I don't know, okay. Well, let's finish that message up. So we said that that is the case. Until we know more, I'm not sure what we can do going forward.
B
So, let's just leave it at that. Okie dokie, cool. Any questions about any of that before we move on to the next thing?
A
Yeah, it doesn't seem to be reproducible all along. Pretty well, awesome.
B
Yeah, okay, so this next one should be fun. I can demo how to do OAuth, and I should be taking notes. Actually, you know, I'm trying to take better notes while we work on stuff. Try to open notepad. What am I thinking? So the first thing we did today was to look at reproducing a bug that can cause to crash.
B
"GraphQL schema documentation doesn't load if the OAuth access tag is used." So we're going to try, we're probably going to fail, but we're going to try to update our, to do, to put, make a GraphQL request behind OAuth.
B
It's likely not going to really work, but I want to give it a shot, so I'll see why I don't think it's going to work exactly. So if we look at packages, insomnia smoke.
B
Smoke test, so if we look here, you'll see that we have, I should just show you in, I don't know why I'm doing that. Smoke.
B
Okay, so what we can do is we can run this dev server that we have for our smoke tests, and when we do that, so we're going to say serve from here, so we'll say npm run serve, oops, not server. By the nature of the fact that we did that, we're going to get these guys open up for our kind of local use, and oops, I hit Ctrl C. I heard it should have been Ctrl Shift C.
B
What we have in our project is we have a bunch of tests that we run from the smoke tests, and I'm gonna look for one now. Smoke, it's not in the smoke test folder! Maybe it is, I think it's oauth 2 yaml, yeah. Maybe it's this one, endpoint security!
B
Where is it? oauth.yaml, fixtures. Here we go, boom. Okay, so I'm going to copy that to my clipboard, I'm going to come out to the Insomnia, like, project dashboard. I can delete this stuff. I never need this stuff, so let's just make it simple. I can do create from clipboard, it's going to put my OAuth testing guide here. Let's go back to the issue and let's make sure we're doing this right, so OAuth 2 authentication via OAuth token tag.
B
So let's look in Insomnia to see if we can do ID token. I'm going to make it a tiny bit smaller. Hopefully that works. It should be okay. Cool. So if I send this, I'm gonna get a window that pops up. This is using Keycloak. I think I can put anything in here. I just happen to know that's the way that it's configured, and we see that I'm now able to make requests and get my token.
B
But if we go down here to the OAuth 2 section, we'll see that there's some information here about refreshing the token and clearing the token, fetching the token, that kind of thing. So they're saying with a token tag. This is where I would, Wills is usually really helpful on this. So ID and access token. Let's check out some of these and see if they look.
B
Let's read: "fail to fetch a schema, no OAuth 2 tokens found for the request". Okay, so I think what's going on here is when I make, let's make a GraphQL request and let's proxy, let's look at our server real quick. So it's a server index.ts.
B
So, let's do graph, oops, GraphQL. So the GraphQL part uses /graphql, but it doesn't have any auth stuff built in. So the OpenID, like, notice that in the export that we imported or whatever, we're going to /oidc, so I do need to put these auth routes, I do need to include the GraphQL stuff in the auth routes, so I think I want to put.
B
Let's do express.router, so this is not an express router. So, let's try to paste this in here. The schema is going to have to come from GraphQL, and the root thing is also going to come from GraphQL. Instead of that, we have this graphql http.
B
Okay, so no errors. It says that the routers can do use. So what I'm expecting is going to happen is I'm going to have /oidc/graphql. Okay? So let's grab this, /oidc, oops! Let go! I didn't want to do that. But, okay, that's fine! oidc graphql!
B
Okay, it says it's working, syntax error. Okay, that's kind of good news. So, failed to fetch schema. So let's put it, let's do a GraphQL query. Unexpected end of file. So let's see if we can see what's happening here. Bad request.
B
So I'm pretty sure to do this, well, I need to do, let's duplicate, let's actually duplicate this. Let's duplicate this as gql. We're going to do a POST and the body type is going to be GraphQL query, and let's see if we can send. Okay, okay, here's what happened, see this! Oh sorry, I have my thing again. I can sign in there. Oh, we're going to say graphql, oops, oidc graphql. Syntax error, unexpected end of file. Okay. Well, maybe that's all right.
B
So let's look at our fixtures and let's try to see what our fixtures are sending to /graphql, slash, here's an example. Let's see if we can find a really simple one. Hopefully this is a really simple one.
B
Coming up next, okay, I don't know, let's get this second one here, so we're gonna grab this whole thing. We're probably gonna need to unencode it, if that makes any sense. So.
B
Like that, and then we could even do, yeah, let's see if this works to put it here. It's not gonna work, but we can probably sneak up on what we're trying to accomplish by doing password. We don't need to do variables, but let's see if we can switch to GraphQL and it will keep it. "Current body will be lost." Okay, let's do it by hand. So query, okay, mutation, so here's the query up until there, and then we need to get rid of these things. Oops.
B
Oh boy, just the place all with, we're getting real dirty now, into the weeds, but that's okay. Repeat, replace all. What did I do wrong?
B
I think there's probably a find and replace, this is in CodeMirror. If this were another code editor, I would try to get smart with it, but try this. Let's see. Okay, errors: variable was not of required type string.
B
Is there anything other than login user? Okay, because I don't have those variables. Well, let's see what they are, they're in the code here in this fixture, but it would just be really nice if they, password.
B
Okay, password and username, okay, good enough. So password, so, okay, query variables: password is password, oops, o-r-d, yep, exactly, and username, username, okay.
B
It looks like we protected this behind the OAuth endpoint, because it is functioning, like, it is returning the errors from the GraphQL stuff, which it would never do if it was getting blocked at that point. Schema is not configured for mutations, so then we're gonna, like, query, query hello. Let's do that. Yeah, there we go. Okay, we could have done that all along, sorry for the sidetrack.
B
So what we see here is that we are able to do OAuth. Let's clear the token, let's clear it completely, rather. Clear, send, yeah.
B
Mean, we're able to, let's absolutely clear it out. To do that, we're gonna come over here and do clear OAuth 2 session, clear this as well, and send. When it does that, it opens up a new thing here. Like I said, I can put anything in here because of how our test server is set up, and then it works.
B
All right then, and we see there's a response timeline here, so we can see, like, what the return is for the response section. "Insomnia will always fail to load the schema documentation. It doesn't matter if the token has been refreshed and is valid, the schema documentation loading request will always fail."
B
Oh okay, so let's look at that. We didn't look at that. GraphQL. So let's look here and we're going to look at this show documentation. That's not our experience, like, it seems to really, what is this Lord of the Rings stuff? Oh, ring error, ring bearer. This is really funny. Gandalf, okay, I didn't know that was there. So what we learned here is that we can put it behind OAuth. I'm happy that, I thought that would fail, but I'm glad that it didn't. An error.
B
So basically, I guess we have not looked at this in the stream before, so great. This is actually really cool that we were able to make this work. In fact, I almost wanna make a branch for this, just for this, like, little change that we did, because, "adds GraphQL behind OIDC endpoint". Okay, so oops, not on develop, that is for sure. Good thing I didn't push. Let's do graphql, okay, feat graphql oidc. Sorry for anyone watching at home about how small it is.
B
There's not really so much we can do about that, since GitKraken, it has like a pretty small maximum zoom. Maybe I should report that to them. Okay, so yeah. Basically, that's the situation. We're able to debug it pretty good, actually. Okay, so "we were able, by making note that the path".
B
We're able to debug this as far as we are aware. Let's see.
B
Okay, great, so that's really, really cool, and I hope that we might want to do something with this. Oh, I didn't mention the branch. Okay. I should push it somewhere, so let me push it. Nope, I don't want to push develop. I want to push this. Whoo, go slow, Dimitri, go slow! All right! Oh no! We don't do a pull request, that's just a habit! So if I go to here, I should get a URL for this.
B
It's much easier to protect the GraphQL endpoint with OIDC with our test server.
B
Okay, so sorry that this is kind of a lot of typing today. Usually we try to have, like, less on-screen typing, but this is pretty valuable stuff, because it's come up a lot. In fact, what we might do, we only have 15 minutes left, what we might do is go look at another issue that we can find for OIDC-protected GraphQL endpoints and see if we can reproduce those, because that would be really helpful, and so small too.
B
All right, if it makes us laugh, it's worth it, right? That's how that works. All right. So let's look at GraphQL, so I'm going to search here. So, okay, first of all, let's go back and take off the stream label, because we looked at it about as thoroughly as we could or would on the stream, and let's do GraphQL and OIDC and see what comes up.
B
Okay, schema. Oh, is this one we were just looking at? Yeah, it is. Spectoid one, closed. What was this one, multi-window support? No, so GraphQL OAuth.
B
"It looks like there's a bug here. I managed to get this working by manually inserting the authorization header, but it seems to fail when the OAuth 2 token placeholder tag is used. Will raise a bug for it." Oh, but he didn't link back to the bug. Oh, so that seems like it's similar to what we were just looking at. So, let's make sure to link these up.
A
I was gonna say, isn't that the tag that you'd put in the code with the, is that Mustache or whatever, the templating thing?
B
Oh, my question, like, so okay. So, let's just back up a second. So the authorization header is passed on the request. So, let's, I don't know if we still have our server running. We do have our server running, so we can see here authorization bearer, and then it has all that stuff that comes from the authorization section, which right now is set to OAuth 2.
B
I don't want to delete this, let's, like, let's duplicate this one here. It's not delete, duplicate. That thing is open still. Okay, anyway.
B
Okay, so if I come over here to mockman, so let's send this first and we're gonna see that, we look at the timeline, the authorization header's there, but, or echo. If we try to echo here, what we're gonna see is that it echoes the access token.
B
No refresh token. Oh okay, maybe not the leaf. Okay, I guess that makes sense, actually. So yeah, so we can grab these things and pass them along as tags, but I need a lot more information about, like, exactly how to reproduce this, because it's not real, I mean, let's reread one more time because we're almost out of time.
B
Like, basically, okay: "create a GraphQL request against an OAuth protected GraphQL". We did that. "Configure the authentication for the request, make sure that a token has been successfully loaded." We did that. "Set the authorization header of the request", request, OAuth token access tag. Yes, so we have that's what, we don't need this anymore.
B
Okay, "set the authorization header of the request to use the access tag". So what they're saying is what we've done, you know, it's setting authorization and then adding the thing, but I wonder if they're using the tag syntax, "header of the request", or they're overriding the header, I think, like this, OAuth 2 access token. It doesn't say bearer in there. "Make the GraphQL request and confirm that it works correctly." Okay, it does work correctly, but it works correctly for a different reason. But it's fine.
B
Interesting. Well, anyway, because the authorization token that it sent was, like, clearly invalid. So maybe we did something wrong on that step and that's why it's working for us. Oh, "go back to the GraphQL body tab, click schema and refresh schema". So, let's go here, schema, refresh schema, show documentation. It works. So, okay, maybe we're wrong after all, and Philippe will take a look at this when he sees the stream and he sees the PR, I think he should be able to help with this. So "observe the error".
B
Here's the bottom of the tab. "Go to the headers tab and remove the OAuth2 token tag. Paste in the access token manually. Go back and refresh the schema documentation again. This time the schema will load correctly." So they're saying, okay. So what we would do for that is, we would come here and we would, so I don't understand why we're doing any of this at all. OAuth access token, they're saying grab this whole thingamajig, copy it, and we copy it.
B
Paste it in manually. But see, I don't trust our tests, our test bench anymore, because I'm not convinced this is actually working like we thought it was. I mean, they did say that it does work, right? It works correctly up to that point, but I think those are the steps that they went through, where they took the, you know. I wish you could change the, anyway, change the width of these columns. So they did what they did.
B
Is they put an authorization kind of header, but you don't need to do that if you're using OAuth 2, because if you look in the timeline you'll see that it adds that same exact thing. So it's not really necessary. I mean, it's not necessary at all, and in fact it is kind of going to be a problem, because when you do the schema fetching stuff, it's going to make a request using a very similar flow. But now I'm concerned that it doesn't matter at all, like, if we did.
B
Yeah, I wonder why GraphQL, this is expressgraphql, so I wonder if we can look for.
B
Let's look at this: OIDC, OAuth, open, nope, it's not showing any of that stuff. So let's do it this way: instead of use, let's do get, and it would be post.
B
Actually, let's try to run it like that and see what happens, just for kicks.
B
Handoff, yeah, it still works with no authorization, so it's not functioning. So I can probably pull this guard down. Okey dokey, we'll have to look into that and figure out, graphical is up, schema, root value, I'm kind of confused why.
B
We only have a minute left, so, like, let's try to go for the, go for gold here, at least. So we have request and response. Let's just grab this. We have request and response. We have this.
B
Addis, let's say json, it's going to be that. I kind of like, really, how this is going to work. But let's just try it.
B
Okay, so we should see this fail because there's no authentication. "Missing authorization header"! Okay, that's good! So we hit that first block of code. So let's go here, let's bring back OAuth 2. No, okay. So let's do ID token, duplicate. Oh, we're running out of time, gq ql2 idco1, whatever! So, let's grab our graphql here. Here it's going to be, it's not id token, it's graphql, and the body is going to be GraphQL query. Man, that thing stays open again.
B
Oh, and I have a thing. Okay, "invalid client credentials". Let's take a look. Timeline: it sent the authorization header. So let's look at client credentials. Maybe we need to actually log into this again. So let's try this. It does work. Unauthorized, whoa, whoa, whoa. Okay, ID token. Let's do this again, so that worked. ID and access token.
B
Oh, that's not the same thing. Oh, I keep dragging these. Invalid client credentials. So if we look at our code, we're going to see that "invalid client credentials" is something that we throw intentionally if we can't find the token in the client credentials, so.
B
Yeah, I mean, it's there, it's doing something. Let's do a full refresh and then we gotta bow out. We tried. So let's come down here, clear, send, so it's gonna ask me to log in, I'm gonna do that, it's gonna give me my token. Invalid client credentials. So yeah, I don't know.
B
Maybe that's because I stole that from the client credentials endpoint and it does something that others don't really need to do. Interaction get. Yeah, we'll have to look through this code a little more and see what we can see. I could try to do that. I don't know if that's actually valid, though. We are out of time. All right.
B
Oh, it's like playing Civilization or something, you know, it's just one more, just one more try, one more attempt here. Invalid request. Okay, anyway, we're making a mess. Well, everyone, thank you for coming to the Insomnia stream today, and it's been good. I think it was fun to debug GraphQL protected by OIDC.
B
We definitely need to spend some more time and look into this, because there is a little bit of funniness that goes on. OIDC are special because they're the only kinds of requests that happen, like, in addition to other requests. There's, like, an OIDC token request that occurs and then your actual thing. But if you need to refresh it, then it sometimes will happen, but other times, if it doesn't need to be refreshed.
B
If you use the token you already had, it's a little more complicated than a regular stateless HTTP call. It's kind of in between something like gRPC and, you know, WebSockets, that are stateful protocols, and something like HTTP, which is stateless. So something to think about. But anyway, thanks for coming, everyone, and we'll see you next time. Bye bye.