
Authentication & Authorization in GraphQL

- GraphQL Overview
- GraphQL Tooling with Apollo
- Authentication & Authorization in GraphQL
- GraphQL for the next billion users

Otemuyiwa Prosper

June 15, 2018

Transcript

  1. AUTHENTICATION &
    AUTHORIZATION in GraphQL
    PROSPER OTEMUYIWA | BuzzJS NYC 2018

  2. A LITTLE ABOUT ME!

  3. HOME: CITIZEN & RESIDENT OF LAGOS, NIGERIA

  4. PRINCIPAL JOLLOF RICE ADVOCATE
    A NIGERIAN MOUTH-WATERING DELICACY. TRY IT TODAY!

  5. COMMUNITY DEVELOPER ADVOCATE
    forloop Africa
    Laravel Nigeria
    Angular Nigeria

  6. OPEN SOURCE ENGINEER / DEVELOPER ADVOCATE
    @unicodeveloper

  7. Look at all the data!
    Where do I start from?

  8. How many clients will consume this data?

  10. What’s an effective way to fetch this data?
    REST

  11. REST is great but...

  12. How do we fetch data effectively & fast?
    Okay Prosper, what will save us?

  13. Source: https://goo.gl/AvC3Yg

  14. What’s GraphQL?

  15. Build a Schema on the Server

  16. Construct a query on the client to fetch data
    Fetch whatever data you want at once!

  17. Data sent back to the Client

  18. GraphQL Playground: Query your Schemas

  20. Build the Schema & GraphQL Server with Apollo Server

  21. Build the Schema & GraphQL Server
    apollographql.com/docs/apollo-server/v2

  23. Data Fetching With Apollo Client
    Fetch data declaratively

  24. State Management with Apollo Link State

  25. Manage local State
    Request for local data with the @client directive
    github.com/apollographql/apollo-link-state

  26. Use the Client to query efficiently
    apollographql.com/docs/react

  28. APOLLO ENGINE - New Relic for GraphQL

  29. APOLLO ENGINE - QUERY & SCHEMA ANALYSIS

  30. APOLLO ENGINE
    apollographql.com/engine
    apollographql.com/docs/engine

  32. Authentication & Authorization

  33. AUTHENTICATION & AUTHORIZATION
    ...DIFFERENT WAYS OF GOING ABOUT THIS!

  34. Typical REST API authentication middleware

  35. AUTHENTICATION & AUTHORIZATION
    ...how can we achieve this in GraphQL?

  36. GENERAL: BUILD THE CONTEXT OBJECT
    ...build the context object with info from the request headers.

  37. ...now we have context.user

  38. Context Object? Oh Yeah!
    The context object is passed to every single resolver at every level.

  39. Approach 1: Resolver Level Auth.

  40. Resolver Level Auth.
    Resolvers have the ability to check user roles or scopes and make authorization decisions.

  41. ...Allow access for this particular user

  42. Resolver Level Auth. Repetitive?
    ...the approach is great but imagine doing this check for every resolver. Ah!

  43. Resolver Level Auth. Abstract the code.
    Write once, call it anywhere & everywhere.

  45. Apollo Server 2.0 RC

  46. More Info on Error Handling:
    apollographql.com/docs/apollo-server/v2/features/errors.html

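As an added example (not code from the deck), here is what slides 36 through 46 describe, in plain JavaScript without Apollo Server: a context built from the request's Authorization header, and one `requireRole` wrapper that replaces the copy-pasted per-resolver check. The `TOKENS` table, the `verifyToken` stand-in for real JWT verification, and the two error classes (named after the ones Apollo Server 2 exports) are assumptions made for the example.

```javascript
// Stand-ins for the AuthenticationError / ForbiddenError classes that
// Apollo Server 2 exports (assumption; the real ones carry extra fields).
class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Constructed token table; a real app verifies a signed JWT here instead.
const TOKENS = {
  'tok-alice': { id: 'u1', name: 'alice', roles: ['admin'] },
  'tok-bob': { id: 'u2', name: 'bob', roles: ['user'] },
};
function verifyToken(token) { return TOKENS[token] || null; }

// Slide 36: build the context object from the request headers.
// An unauthenticated request still gets a context, just with user = null.
function buildContext({ req }) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token] = header.split(' ');
  const user = scheme === 'Bearer' && token ? verifyToken(token) : null;
  return { user };
}

// Slides 42-43: write the check once and wrap any resolver with it.
// role = null means "any authenticated user".
function requireRole(role, resolver) {
  return (parent, args, context, info) => {
    if (!context.user) throw new AuthenticationError('not authenticated');
    if (role && !context.user.roles.includes(role)) {
      throw new ForbiddenError(`requires role ${role}`);
    }
    return resolver(parent, args, context, info);
  };
}

// The guard runs before the resolver body touches any data.
const resolvers = {
  Query: {
    me: requireRole(null, (_p, _a, ctx) => ctx.user.name),
    allUsers: requireRole('admin', () => Object.values(TOKENS).map((u) => u.name)),
  },
};

// Runs one Query field with a constructed request carrying the given header.
function run(field, authorization) {
  const ctx = buildContext({ req: { headers: { authorization } } });
  return resolvers.Query[field](null, {}, ctx, {});
}
```

Because the wrapper throws before calling the inner resolver, a missing or wrong role never reaches the data layer, and the error type tells the client whether to log in or give up.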

  47. Approach 2: Auth. Delegation to Models

  48. Recommendation
    Don't clog your resolvers with data fetching and mutation logic. Move them to Models.

  50. Recommendation
    Go ahead and perform the authorization inside the Model.

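An added example, not from the deck, of delegating authorization to a model as slides 48 to 50 recommend: the resolvers only forward to `Post`, which holds both the data access and the visibility rule. The in-memory `POSTS` store, the viewer shape (`id`, `roles`) and the `ForbiddenError` stand-in are constructed for the example.

```javascript
// Stand-in for the ForbiddenError class Apollo Server 2 exports (assumption).
class ForbiddenError extends Error {}

// Constructed sample data standing in for a database table.
const POSTS = [
  { id: 'p1', authorId: 'u1', title: 'public post', published: true },
  { id: 'p2', authorId: 'u2', title: 'bob draft', published: false },
];

class Post {
  // Every model method runs as a specific viewer, so the policy lives in one place.
  constructor(viewer) { this.viewer = viewer; }

  // Visibility rule: published to everyone, drafts only to the author or an admin.
  canSee(post) {
    if (post.published) return true;
    if (!this.viewer) return false;
    return this.viewer.id === post.authorId || this.viewer.roles.includes('admin');
  }

  getById(id) {
    const post = POSTS.find((p) => p.id === id);
    if (!post) return null;
    if (!this.canSee(post)) throw new ForbiddenError(`cannot view post ${id}`);
    return post;
  }

  // Lists filter rather than throw: the viewer simply does not see what they may not.
  list() { return POSTS.filter((p) => this.canSee(p)); }

  // Editing is stricter than viewing: only the author may change a post.
  update(id, fields) {
    const post = this.getById(id);
    if (!post) return null;
    if (!this.viewer || post.authorId !== this.viewer.id) {
      throw new ForbiddenError(`cannot edit post ${id}`);
    }
    return Object.assign(post, fields);
  }
}

// The context carries the models built for this request's user (slide 36 pattern).
function makeContext(user) {
  return { user, models: { Post: new Post(user) } };
}

// Resolvers are thin: no auth code here at all.
const resolvers = {
  Query: { post: (_p, { id }, ctx) => ctx.models.Post.getById(id),
           posts: (_p, _a, ctx) => ctx.models.Post.list() },
  Mutation: { updatePost: (_p, { id, title }, ctx) => ctx.models.Post.update(id, { title }) },
};
```

Any new resolver that reaches a post through the model inherits the same rule, which is the point of moving the check out of the resolvers.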

  52. Approach 3: Auth via Custom Directives

  53. Custom Directives
    Custom directives can be used for a lot of things: auth, error tracking, translation, etc.

  54. Custom Directives for Auth

  55. Custom Directives for Auth
    The implementation detail is a little bit complex, but more details can be found at the link below.
    apollographql.com/docs/graphql-tools/schema-directives.html

  56. Approach 4: Auth. outside GraphQL

  57. Auth. outside GraphQL
    If your REST API already has authorization baked in, why bother implementing it on the GraphQL level?

  58. ...pass the request header, then...

  59. ...then pass the header to the model method.

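Added example (not from the deck) of approach 4 from slides 57 to 59: the GraphQL layer keeps only the caller's Authorization header in context, and the model method hands it to the REST API, whose status codes decide the outcome. `fakeRestFetch` is a constructed, offline stand-in for fetch() against a REST API that already enforces auth, and the error classes are stand-ins for the Apollo Server 2 ones.

```javascript
// Stand-ins for the error classes Apollo Server 2 exports (assumption).
class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Slide 58: the context keeps the caller's Authorization header; nothing is
// verified here because the REST API behind us already does that.
function buildContext({ req }) {
  return { authorization: (req.headers && req.headers.authorization) || '' };
}

// Slide 59: the model method receives the header and forwards it unchanged.
class UserModel {
  constructor(restFetch, baseUrl) { this.restFetch = restFetch; this.baseUrl = baseUrl; }

  async getUser(id, authorization) {
    const res = await this.restFetch(`${this.baseUrl}/users/${encodeURIComponent(id)}`, {
      headers: { Authorization: authorization },
    });
    // The REST API's verdict is the GraphQL verdict; only translate the status.
    if (res.status === 401) throw new AuthenticationError('not authenticated');
    if (res.status === 403) throw new ForbiddenError('not allowed');
    if (res.status === 404) return null;
    return res.json();
  }
}

const resolvers = {
  Query: { user: (_p, { id }, ctx) => ctx.models.User.getUser(id, ctx.authorization) },
};

// Constructed offline stand-in for fetch() against a REST API that owns the auth
// rules: bearer tokens map to users, and only u1 (an admin) may read other users.
async function fakeRestFetch(url, { headers }) {
  const reply = (status, body) => ({ status, json: async () => body });
  const token = (headers.Authorization || '').replace(/^Bearer /, '');
  const caller = { 'tok-alice': 'u1', 'tok-bob': 'u2' }[token];
  if (!caller) return reply(401, null);
  const id = decodeURIComponent(url.split('/').pop());
  if (id !== caller && caller !== 'u1') return reply(403, null);
  if (!['u1', 'u2'].includes(id)) return reply(404, null);
  return reply(200, { id, name: id === 'u1' ? 'alice' : 'bob' });
}

// Builds the per-request context for a constructed incoming request.
function makeContext(authorization) {
  const ctx = buildContext({ req: { headers: { authorization } } });
  ctx.models = { User: new UserModel(fakeRestFetch, 'https://api.example.invalid') };
  return ctx;
}
```

The GraphQL server never inspects the token itself, so a change to the REST API's rules takes effect without touching a single resolver.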

  60. GraphQL for the next Billion Users

  61. GraphQL for the next Billion Users
    GraphQL on the Edge

  63. GraphQL for the next Billion Users
    Sign up for Early Access: apollographql.com/edge

  64. More Information on Auth.
    GraphQL & Apollo: apollographql.com/docs
    JWT Book: auth0.com/resources/ebooks/jwt-handbook
    Authentication & Authorization: auth0.com/blog

  65. THANKS!
    Any questions?