HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | - PowerPoint PPT Presentation

HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020

AGENDA Authentication Authorization Federation GRAPHQL SUMMIT 2020

AUTH AUTHENTICATION AUTHORIZATION YOU ARE WHO YOU SAY YOU ARE YOU CAN DO WHAT YOU WANT TO DO

AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE

STARTING POINT We don’t want to lockdown our entire GraphQL endpoint We’re going to use JSON Web Tokens for auth We’ll use Express with Apollo Server GRAPHQL SUMMIT 2020

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey JodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsI jp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJt aXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJ pYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOT A2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1Jaxw DTlnofa3hwpS0PGdRLUMIrC7M3FCI

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey JodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsI jp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJt aXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJ pYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOT A2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1Jaxw DTlnofa3hwpS0PGdRLUMIrC7M3FCI

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey JodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsI jp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJt aXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJ pYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOT A2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1Jaxw DTlnofa3hwpS0PGdRLUMIrC7M3FCI

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey JodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsI jp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJt aXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJ pYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOT A2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1Jaxw DTlnofa3hwpS0PGdRLUMIrC7M3FCI

DEMO TIME…

AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO

A FEW OPTIONS Handle auth logic directly in each resolver function GRAPHQL SUMMIT 2020

A FEW OPTIONS Handle auth logic directly in each resolver function Create custom directives (e.g. @auth(requires: DIRECTOR) ) Wrap resolver functions (e.g. GraphQL Auth) Abstract auth rules into middleware (e.g. GraphQL Shield) GRAPHQL SUMMIT 2020

NOW DO FEDERATION

SUMMING UP Handle incoming tokens in the context A viewer query can be an entry point for authenticated users Keep explicit authorization checks out of resolver functions Forward header from gateway API using buildService GRAPHQL SUMMIT 2020

SHOW ME THE CODE! https://github.com/mandiwise/basic-apollo-auth-demo https://github.com/mandiwise/apollo-federation-auth-demo https://github.com/mandiwise/graphql-magic-auth-demo GRAPHQL SUMMIT 2020

THANKS! TWITTER & GITHUB: @MANDIWISE