by andrewingram 2896 days ago
My question was essentially for both expansions of auth. Because as far as I'm concerned, as long as your API layer provides some means of determining user identity, everything else related to auth should be the responsibility of lower layers. It was largely a rhetorical question, because people have been asking for GraphQL to solve non-GraphQL problems since 2015.
1 comments

Do you mean HTTP as the lower layer? I can see authentication (or better said session persistence) handled by an HTTP header, but I don't really see how HTTP by default provides options for what mutations and queries the client should be able to issue. There's no ACL descriptor for GraphQL.

And even the choice of HTTP header for Authentication is debated enough that I think it should have been bolted down in the GQL specs.