Authentication & Authorization in GraphQL

Slide 1

Slide 1 text

AUTHENTICATION & AUTHORIZATION in GraphQL PROSPER OTEMUYIWA | BuzzJS NYC 2018

Slide 2

Slide 2 text

2 A LITTLE ABOUT ME! BuzzJS NYC 2018

Slide 3

Slide 3 text

LAGOS, NIGERIA 3 HOME CITIZEN & RESIDENT OF

Slide 4

Slide 4 text

PRINCIPAL JOLLOF RICE ADVOCATE 4 A NIGERIAN MOUTH-WATERING DELICACY. TRY IT TODAY!

Slide 5

Slide 5 text

COMMUNITY DEVELOPER ADVOCATE 5 forloop Africa Laravel Nigeria Angular Nigeria

Slide 6

Slide 6 text

OPEN SOURCE ENGINEER / DEVELOPER ADVOCATE 6 @unicodeveloper

Slide 7

Slide 7 text

7 Look at all the data! Where do I start from? BuzzJS NYC 2018

Slide 8

Slide 8 text

How many clients will consume this data? 8 BuzzJS NYC 2018

Slide 9

Slide 9 text

9 BuzzJS NYC 2018

Slide 10

Slide 10 text

What’s an effective way to fetch this data? 10 REST BuzzJS NYC 2018

Slide 11

Slide 11 text

11 REST is great but... ▰ ▰ ▰ ▰ BuzzJS NYC 2018

Slide 12

Slide 12 text

How do we fetch data effectively & fast? 12 Okay Prosper, what will save us? BuzzJS NYC 2018

Slide 13

Slide 13 text

13 BuzzJS NYC 2018 Source: https://goo.gl/AvC3Yg

Slide 14

Slide 14 text

What’s GraphQL? 14 ▰ ▰ ▰ BuzzJS NYC 2018

Slide 15

Slide 15 text

15 BuzzJS NYC 2018 Build a Schema on the Server

Slide 16

Slide 16 text

16 BuzzJS NYC 2018 Construct a query on the client to fetch data Fetch whatever data you want at once!

Slide 17

Slide 17 text

17 Data sent back to the Client BuzzJS NYC 2018

Slide 18

Slide 18 text

18 BuzzJS NYC 2018 GraphQL Playground: Query your Schemas

Slide 19

Slide 19 text

“ 19 19

Slide 20

Slide 20 text

Build the Schema & GraphQL Server with Apollo Server 20

Slide 21

Slide 21 text

Build the Schema & GraphQL Server 21 apollographql.com/docs/apollo-server/v2

Slide 22

Slide 22 text

“ 22 22

Slide 23

Slide 23 text

Data Fetching With Apollo Client 23 Fetch data declaratively

Slide 24

Slide 24 text

State Management with Apollo Link State 24

Slide 25

Slide 25 text

Manage local State 25 Request for local data with @client directive github.com/apollographql/apollo-link-state

Slide 26

Slide 26 text

Use the Client to query efficiently 26 apollographql.com/docs/react

Slide 27

Slide 27 text

“ 27 27

Slide 28

Slide 28 text

APOLLO ENGINE - New Relic for GraphQL 28

Slide 29

Slide 29 text

APOLLO ENGINE - QUERY & SCHEMA ANALYSIS 29

Slide 30

Slide 30 text

30 APOLLO ENGINE apollographql.com/engine apollographql.com/docs/engine

Slide 31

Slide 31 text

Slide 32

Slide 32 text

Authentication & Authorization 32 BuzzJS NYC 2018

Slide 33

Slide 33 text

AUTHENTICATION & AUTHORIZATION 33 ...DIFFERENT WAYS OF GOING ABOUT THIS!

Slide 34

Slide 34 text

34 Typical REST API authentication middleware

Slide 35

Slide 35 text

AUTHENTICATION & AUTHORIZATION 35 ...how can we achieve this in GraphQL?

Slide 36

Slide 36 text

GENERAL: BUILD THE CONTEXT OBJECT 36 ..build the context object with info from the request headers.

Slide 37

Slide 37 text

37 ...now we have context.user

Slide 38

Slide 38 text

Context Object? Oh Yeah! 38 The context object is passed to every single resolver at every level.

Slide 39

Slide 39 text

Resolver Level Auth. 39 1

Slide 40

Slide 40 text

Resolver Level Auth. 40 Resolvers have the ability to check user roles or scopes and make authorization decisions.

Slide 41

Slide 41 text

41 ...Allow access for this particular user

Slide 42

Slide 42 text

Resolver Level Auth. Repetitive? 42 ...the approach is great but imagine doing this check for every resolver. Ah!

Slide 43

Slide 43 text

Resolver Level Auth. Abstract the code. 43 Write once, call it anywhere & everywhere.

Slide 44

Slide 44 text

Slide 45

Slide 45 text

▰ ▰ ▰ ▰ Apollo Server 2.0 RC

Slide 46

Slide 46 text

More Info on Error Handling: apollographql.com/docs/apollo-server/v2/feat ures/errors.html

Slide 47

Slide 47 text

Auth. Delegation to Models 47 2

Slide 48

Slide 48 text

Recommendation 48 Clog your resolvers with data fetching and mutation logic. Move them to Models.

Slide 49

Slide 49 text

Slide 50

Slide 50 text

Recommendation 50 Go ahead and perform the authorization inside the Model.

Slide 51

Slide 51 text

Slide 52

Slide 52 text

Auth via Custom Directives 52 3

Slide 53

Slide 53 text

Custom Directives 53 Custom directives can be used for a lot of things: auth, error tracking, translation, etc

Slide 54

Slide 54 text

Custom Directives for Auth 54

Slide 55

Slide 55 text

Custom Directives for Auth 55 apollographql.com/docs/graphql-tools/ schema-directives.html Implementation detail is a little bit complex, but more details can be found in the link below.

Slide 56

Slide 56 text

Auth. outside GraphQL 56 4

Slide 57

Slide 57 text

Auth. outside GraphQL 57 If your REST API already has authorization baked in, why bother implementing on the GraphQL level?

Slide 58

Slide 58 text

58 ...pass the request header, then….

Slide 59

Slide 59 text

59 …then pass the header to the model method.

Slide 60

Slide 60 text

GraphQL for the next Billion Users 60 BuzzJS NYC 2018

Slide 61

Slide 61 text

GraphQL for the next Billion Users 61 GraphQL on the Edge

Slide 62

Slide 62 text

62 ▰ ▰ ▰

Slide 63

Slide 63 text

GraphQL for the next Billion Users 63 Sign up for Early Access: apollographql.com/edge

Slide 64

Slide 64 text

More Information on Auth. 64 GraphQL & Apollo: apollographql.com/docs JWT Book: auth0.com/resources/ebooks/jwt-handbook Authentication & Authorization: auth0.com/blog

Slide 65

Slide 65 text

65 THANKS! Any questions? BuzzJS NYC 2018