Authentication & Authorization in GraphQL

- GraphQL Overview
- GraphQL Tooling with Apollo
- Authentication & Authorization in GraphQL
- GraphQL for the next billion users

Otemuyiwa Prosper

June 15, 2018

Transcript

  1. AUTHENTICATION & AUTHORIZATION in GraphQL. PROSPER OTEMUYIWA | BuzzJS NYC 2018

  2. A LITTLE ABOUT ME!

  3. HOME: CITIZEN & RESIDENT OF LAGOS, NIGERIA

  4. PRINCIPAL JOLLOF RICE ADVOCATE. A NIGERIAN MOUTH-WATERING DELICACY. TRY IT TODAY!

  5. COMMUNITY DEVELOPER ADVOCATE: forloop Africa, Laravel Nigeria, Angular Nigeria

  6. OPEN SOURCE ENGINEER / DEVELOPER ADVOCATE @unicodeveloper

  7. Look at all the data! Where do I start from?

  8. How many clients will consume this data?

  9.

  10. What’s an effective way to fetch this data? REST

  11. REST is great but...

  12. How do we fetch data effectively & fast? Okay Prosper, what will save us?

  13. Source: https://goo.gl/AvC3Yg

  14. What’s GraphQL?

  15. Build a Schema on the Server

  16. Construct a query on the client to fetch data. Fetch whatever data you want at once!

  17. Data sent back to the Client

  18. GraphQL Playground: Query your Schemas

  19.

  20. Build the Schema & GraphQL Server with Apollo Server

  21. Build the Schema & GraphQL Server: apollographql.com/docs/apollo-server/v2

  22.

  23. Data Fetching With Apollo Client: Fetch data declaratively

  24. State Management with Apollo Link State

  25. Manage local State: Request for local data with the @client directive. github.com/apollographql/apollo-link-state

  26. Use the Client to query efficiently: apollographql.com/docs/react

  27.

  28. APOLLO ENGINE - New Relic for GraphQL

  29. APOLLO ENGINE - QUERY & SCHEMA ANALYSIS

  30. APOLLO ENGINE: apollographql.com/engine, apollographql.com/docs/engine

  31.

  32. Authentication & Authorization

  33. AUTHENTICATION & AUTHORIZATION ...DIFFERENT WAYS OF GOING ABOUT THIS!

  34. Typical REST API authentication middleware

  35. AUTHENTICATION & AUTHORIZATION ...how can we achieve this in GraphQL?

  36. GENERAL: BUILD THE CONTEXT OBJECT ...build the context object with info from the request headers.

  37. ...now we have context.user

  38. Context Object? Oh Yeah! The context object is passed to every single resolver at every level.

  39. Resolver Level Auth. (approach 1)

  40. Resolver Level Auth. Resolvers have the ability to check user roles or scopes and make authorization decisions.

  41. ...Allow access for this particular user

  42. Resolver Level Auth. Repetitive? ...the approach is great, but imagine doing this check for every resolver. Ah!

  43. Resolver Level Auth. Abstract the code. Write once, call it anywhere & everywhere.

  44.

  45. Apollo Server 2.0 RC

  46. More Info on Error Handling: apollographql.com/docs/apollo-server/v2/features/errors.html

  47. Auth. Delegation to Models (approach 2)

  48. Recommendation: Don't clog your resolvers with data fetching and mutation logic. Move them to Models.

  49.

  50. Recommendation: Go ahead and perform the authorization inside the Model.

  51.
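The model-level approach of slides 48 to 50, as an added example that is not code from the talk. It assumes `ctx.user` is `{ id, roles }` as a context function would build it, and uses an in-memory table of constructed sample posts in place of a database. What it shows beyond the slides: when the check lives in the model, every path to a `Post` (a top-level query, a nested `Author.posts` field, a mutation) gets the same object-level decision, and lists filter rather than throw so a draft never leaks through a collection field.

```javascript
'use strict';
// Added example, not the speaker's code. Authorization lives in the model, so every
// resolver that reaches a Post goes through one check. Assumption: ctx.user is
// { id, roles } or null; POSTS is constructed sample data standing in for a database.

class ForbiddenError extends Error {}

const POSTS = [
  { id: 'p1', authorId: 'u1', title: 'Hello', draft: false },
  { id: 'p2', authorId: 'u1', title: 'WIP', draft: true },
  { id: 'p3', authorId: 'u2', title: 'Other', draft: false },
];

// The model is the only place that knows who may see or change what.
const Post = {
  canView(user, post) {
    if (!post.draft) return true;                       // published posts are public
    if (!user) return false;
    return user.id === post.authorId || user.roles.includes('admin');
  },
  canEdit(user, post) {
    return !!user && (user.id === post.authorId || user.roles.includes('admin'));
  },
  // Single object: return it or throw, never a quietly wrong answer.
  getById(ctx, id) {
    const post = POSTS.find((p) => p.id === id);
    if (!post) return null;
    if (!Post.canView(ctx.user, post)) throw new ForbiddenError(`post ${id}`);
    return post;
  },
  // Collection: filter, so a nested field cannot enumerate drafts the caller may not see.
  listByAuthor(ctx, authorId) {
    return POSTS.filter((p) => p.authorId === authorId && Post.canView(ctx.user, p));
  },
  // Mutation path reuses the same predicates instead of re-implementing them.
  update(ctx, id, patch) {
    const post = Post.getById(ctx, id);
    if (!post) return null;
    if (!Post.canEdit(ctx.user, post)) throw new ForbiddenError(`cannot edit ${id}`);
    Object.assign(post, patch);
    return post;
  },
};

// Resolvers stay thin (slide 48): no auth logic here, only delegation to the model.
const resolvers = {
  Query: {
    post: (_, { id }, ctx) => Post.getById(ctx, id),
  },
  Author: {
    posts: (author, _, ctx) => Post.listByAuthor(ctx, author.id),
  },
  Mutation: {
    updatePost: (_, { id, title }, ctx) => Post.update(ctx, id, { title }),
  },
};
```

The trade-off against the resolver-level guard: scope checks ("may this client read secrets at all?") fit a resolver wrapper, while ownership checks ("may this user read this draft?") need the record, so they belong where the record is loaded.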

  52. Auth via Custom Directives (approach 3)

  53. Custom Directives: Custom directives can be used for a lot of things: auth, error tracking, translation, etc.

  54. Custom Directives for Auth

  55. Custom Directives for Auth: apollographql.com/docs/graphql-tools/schema-directives.html. The implementation detail is a little bit complex, but more details can be found at that link.
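The directive approach of slides 52 to 55, as an added example that is not code from the talk or from graphql-tools. With graphql-tools you subclass `SchemaDirectiveVisitor` and override `visitObject` / `visitFieldDefinition` to replace each `field.resolve` with a wrapped one; that visitor walks the real schema AST and needs the `graphql` and `graphql-tools` packages. To stay runnable offline, this block mirrors only the wrapping step over a tiny hand-parsed SDL (the regex walk is a stand-in for the visitor, not a general SDL parser) and shows the two details that matter for correctness: a type-level `@auth(requires: ROLE)` applies to every field of the type, a field-level one overrides it, and fields without an explicit resolver still get wrapped around a default resolver. `@auth`, the role names and `ctx.user.roles` are assumptions.

```javascript
'use strict';
// Added example, not the speaker's code. Enforces `@auth(requires: ROLE)` declared in
// the SDL by wrapping field resolvers at schema-build time. graphql-tools'
// SchemaDirectiveVisitor does this over the real AST; here a minimal line walk
// stands in for it. Assumption: ctx.user.roles is an array of role names.

class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Constructed SDL: a directive on a type covers all its fields; a field-level one overrides.
const typeDefs = `
type Query {
  me: User @auth(requires: USER)
  audit: [String] @auth(requires: ADMIN)
  ping: String
}
type User @auth(requires: USER) {
  id: ID
  email: String @auth(requires: ADMIN)
}
`;

// Returns { TypeName: { _type: role|null, fieldName: role|null, ... } }.
function collectAuthDirectives(sdl) {
  const out = {};
  let type = null;
  for (const raw of sdl.split('\n')) {
    const line = raw.trim();
    const t = /^type\s+(\w+)(?:\s+@auth\(requires:\s*(\w+)\))?\s*\{/.exec(line);
    if (t) { type = t[1]; out[type] = { _type: t[2] || null }; continue; }
    if (line === '}') { type = null; continue; }
    const f = /^(\w+)(?:\([^)]*\))?:\s*[^@]+?(?:\s+@auth\(requires:\s*(\w+)\))?$/.exec(line);
    if (f && type) out[type][f[1]] = f[2] || null;
  }
  return out;
}

// What visitFieldDefinition does: swap field.resolve for a guarded version.
function applyAuthDirectives(resolvers, directives) {
  const defaultResolver = (field) => (parent) => parent[field];
  const guarded = {};
  for (const [typeName, decl] of Object.entries(directives)) {
    guarded[typeName] = {};
    for (const [fieldName, fieldRole] of Object.entries(decl)) {
      if (fieldName === '_type') continue;
      // Fields with no explicit resolver must be wrapped too, or the directive is silently ignored.
      const resolve = (resolvers[typeName] || {})[fieldName] || defaultResolver(fieldName);
      const required = fieldRole || decl._type;          // field-level wins over type-level
      guarded[typeName][fieldName] = !required ? resolve : (parent, args, ctx, info) => {
        if (!ctx.user) throw new AuthenticationError('not authenticated');
        if (!ctx.user.roles.includes(required)) throw new ForbiddenError(`requires ${required}`);
        return resolve(parent, args, ctx, info);
      };
    }
  }
  return guarded;
}

const resolvers = {
  Query: {
    me: (_, __, ctx) => ({ id: ctx.user.id, email: ctx.user.email }),
    audit: () => ['login u1'],
    ping: () => 'pong',
  },
};

const guarded = applyAuthDirectives(resolvers, collectAuthDirectives(typeDefs));
```

The declarative form is easiest to audit: a reviewer reads the SDL and sees every protected field, rather than chasing wrapper calls through resolver files.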
  56. Auth. outside GraphQL (approach 4)

  57. Auth. outside GraphQL: If your REST API already has authorization baked in, why bother implementing it on the GraphQL level?

  58. ...pass the request header, then…

  59. …then pass the header to the model method.
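The pass-through of slides 57 to 59, as an added example that is not code from the talk: the context keeps the caller's `Authorization` header, the model forwards it to a REST API that already enforces authorization, and the API's 401/403 answers are mapped onto GraphQL auth errors instead of surfacing as generic failures. `fetchImpl` is an injectable fetch-compatible function so the block runs offline against a constructed stub, and `https://api.example.test` is an assumed upstream. The two checks a practitioner would add to the slide's idea are in the code: only the one header is copied (not the whole header bag), and the token is never sent to any origin other than the configured upstream.

```javascript
'use strict';
// Added example, not the speaker's code. Forwards the caller's Authorization header
// to a REST API that does its own authorization and translates its verdicts.
// Assumptions: fetchImpl is fetch-compatible (a stub below); UPSTREAM is a placeholder.

class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

const UPSTREAM = 'https://api.example.test'; // assumption: the trusted REST backend

// Slide 58: the context keeps only what the model needs.
function buildContext({ req }) {
  return { authorization: req.headers.authorization || null };
}

// Slide 59: every model method passes the header along.
function makeUserModel(fetchImpl) {
  async function get(ctx, path) {
    const url = new URL(path, UPSTREAM);
    // Never let a path like //evil.example/... carry the bearer token off-origin.
    if (url.origin !== UPSTREAM) throw new Error('refusing to send token off-origin');
    const headers = ctx.authorization ? { authorization: ctx.authorization } : {};
    const res = await fetchImpl(url.toString(), { headers });
    if (res.status === 401) throw new AuthenticationError('upstream rejected token');
    if (res.status === 403) throw new ForbiddenError(`upstream denied ${path}`);
    if (!res.ok) throw new Error(`upstream ${res.status}`);
    return res.json();
  }
  return {
    get,
    me: (ctx) => get(ctx, '/v1/me'),
    orders: (ctx, userId) => get(ctx, `/v1/users/${encodeURIComponent(userId)}/orders`),
  };
}

// Resolvers only hand the context through; no auth logic lives in GraphQL here.
function makeResolvers(User) {
  return {
    Query: { me: (_, __, ctx) => User.me(ctx) },
    User: { orders: (user, _, ctx) => User.orders(ctx, user.id) },
  };
}

// Constructed stub standing in for the REST API: it alone decides based on the token.
async function stubFetch(url, { headers }) {
  const reply = (status, body) => ({ status, ok: status < 300, json: async () => body });
  const token = (headers.authorization || '').replace(/^Bearer /, '');
  const users = { 'tok-u1': 'u1', 'tok-u2': 'u2' };
  const uid = users[token];
  if (!uid) return reply(401, { error: 'missing or bad token' });
  const { pathname } = new URL(url);
  if (pathname === '/v1/me') return reply(200, { id: uid });
  const m = /^\/v1\/users\/([^/]+)\/orders$/.exec(pathname);
  if (m) return m[1] === uid ? reply(200, [{ id: 'o1', owner: uid }]) : reply(403, {});
  return reply(404, {});
}
```

The caveat that goes with "why bother": this only holds while every field in the schema is backed by the REST API. A resolver that reads a cache, a database or a second service directly bypasses the REST layer's checks, so the moment such a field appears one of the earlier approaches has to cover it.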

  60. GraphQL for the next Billion Users

  61. GraphQL for the next Billion Users: GraphQL on the Edge

  62.

  63. GraphQL for the next Billion Users. Sign up for Early Access: apollographql.com/edge

  64. More Information on Auth. GraphQL & Apollo: apollographql.com/docs. JWT Book: auth0.com/resources/ebooks/jwt-handbook. Authentication & Authorization: auth0.com/blog

  65. THANKS! Any questions?