Outline:
- GraphQL Overview
- GraphQL Tooling with Apollo
- Authentication & Authorization in GraphQL
- GraphQL for the next billion users

AUTHENTICATION & AUTHORIZATION in GraphQL
PROSPER OTEMUYIWA | BuzzJS NYC 2018
A LITTLE ABOUT ME!
HOME: CITIZEN & RESIDENT OF LAGOS, NIGERIA
PRINCIPAL JOLLOF RICE ADVOCATE. A NIGERIAN MOUTH-WATERING DELICACY. TRY IT TODAY!
COMMUNITY DEVELOPER ADVOCATE: forloop Africa, Laravel Nigeria, Angular Nigeria
OPEN SOURCE ENGINEER / DEVELOPER ADVOCATE: @unicodeveloper
Look at all the data! Where do I start from?
How many clients will consume this data?
What's an effective way to fetch this data? REST
REST is great but...
How do we fetch data effectively & fast? Okay Prosper, what will save us?
Source: https://goo.gl/AvC3Yg
What's GraphQL?
Build a Schema on the Server
Construct a query on the client to fetch data. Fetch whatever data you want at once!
Data sent back to the Client
GraphQL Playground: Query your Schemas
Build the Schema & GraphQL Server with Apollo Server
Build the Schema & GraphQL Server: apollographql.com/docs/apollo-server/v2
Data Fetching With Apollo Client: Fetch data declaratively
State Management with Apollo Link State
Manage local State: Request for local data with the @client directive. github.com/apollographql/apollo-link-state
Use the Client to query efficiently: apollographql.com/docs/react
APOLLO ENGINE - New Relic for GraphQL
APOLLO ENGINE - QUERY & SCHEMA ANALYSIS
APOLLO ENGINE: apollographql.com/engine, apollographql.com/docs/engine
Authentication & Authorization
AUTHENTICATION & AUTHORIZATION ...DIFFERENT WAYS OF GOING ABOUT THIS!
Typical REST API authentication middleware
AUTHENTICATION & AUTHORIZATION ...how can we achieve this in GraphQL?
GENERAL: BUILD THE CONTEXT OBJECT ...build the context object with info from the request headers.
...now we have context.user
Context Object? Oh Yeah! The context object is passed to every single resolver at every level.
Resolver Level Auth. (1)
Resolver Level Auth. Resolvers have the ability to check user roles or scopes and make authorization decisions.
...Allow access for this particular user
Resolver Level Auth. Repetitive? ...the approach is great but imagine doing this check for every resolver. Ah!
Resolver Level Auth. Abstract the code. Write once, call it anywhere & everywhere.
Apollo Server 2.0 RC
More Info on Error Handling: apollographql.com/docs/apollo-server/v2/features/errors.html
Auth. Delegation to Models (2)
Recommendation: Don't clog your resolvers with data fetching and mutation logic. Move them to Models.
Recommendation: Go ahead and perform the authorization inside the Model.
Auth via Custom Directives (3)
Custom Directives: Custom directives can be used for a lot of things: auth, error tracking, translation, etc.
Custom Directives for Auth
Custom Directives for Auth: Implementation detail is a little bit complex, but more details can be found at apollographql.com/docs/graphql-tools/schema-directives.html
Auth. outside GraphQL (4)
Auth. outside GraphQL: If your REST API already has authorization baked in, why bother implementing on the GraphQL level?
...pass the request header, then...
...then pass the header to the model method.
GraphQL for the next Billion Users
GraphQL for the next Billion Users: GraphQL on the Edge
GraphQL for the next Billion Users: Sign up for Early Access: apollographql.com/edge
More Information on Auth.
GraphQL & Apollo: apollographql.com/docs
JWT Book: auth0.com/resources/ebooks/jwt-handbook
Authentication & Authorization: auth0.com/blog
THANKS! Any questions?