Post on 02-Jan-2021
HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE
MANDI WISE | GRAPHQL SUMMIT 2020
GRAPHQL SUMMIT 2020
AGENDA
Authentication
Authorization
Federation
AUTH
AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE
AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO
AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE
STARTING POINT
We don’t want to lock down our entire GraphQL endpoint (some operations stay public; only specific fields require a user)
We’re going to use JSON Web Tokens for auth
We’ll use Express with Apollo Server
Example token (HS256), header.payload.signature:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsIjp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJtaXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJpYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOTA2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1JaxwDTlnofa3hwpS0PGdRLUMIrC7M3FCI

Decoded header:
{"alg":"HS256","typ":"JWT"}

Decoded payload (custom claims are namespaced under the API’s URL so they cannot collide with standard claims; exp is iat + 86400, i.e. a 24-hour lifetime):
{"https://spaceapi.com/graphql":{"roles":["astronaut"],"permissions":["read:own_user"]},"iat":1594252663,"exp":1594339063,"sub":"67890"}

Signature (HMAC-SHA256 over header.payload, base64url):
Z1JPE53ca1JaxwDTlnofa3hwpS0PGdRLUMIrC7M3FCI

Anyone can base64url-decode the header and payload; only the signature check, against a secret the client never sees, tells the server the claims are genuine.
DEMO TIME…
AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO
A FEW OPTIONS
Handle auth logic directly in each resolver function
Create custom directives (e.g. @auth(requires: DIRECTOR))
Wrap resolver functions (e.g. GraphQL Auth)
Abstract auth rules into middleware (e.g. GraphQL Shield)
NOW DO FEDERATION
SUMMING UP
Handle incoming tokens in the context
A viewer query can be an entry point for authenticated users
Keep explicit authorization checks out of resolver functions
Forward the auth header from the gateway to each implementing service using buildService
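As an added example, not code from the talk or its demo repositories, the block below shows the second of the options listed above (wrapping resolver functions) and the summary points about a `viewer` entry point and keeping explicit checks out of resolver bodies. The context objects, the `USERS` store, the `director` and `astronaut` roles, the resolver names and the tiny `execute` stand-in for graphql-js execution are all constructed for illustration; the `AuthenticationError` and `ForbiddenError` classes mirror the names Apollo Server uses but are defined locally so the example runs without dependencies. The schema-directive option (`@auth(requires: DIRECTOR)`) would express the same policy declaratively; here it is expressed as `requireRole("director", ...)` around the resolver.

```javascript
// Added example (not from the talk): authorization as resolver wrappers, so
// the resolver body never inspects the user. Data, roles and resolvers are constructed.
class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Policy lives in the wrapper; the wrapped resolver only does its job.
const requireAuth = (resolver) => (parent, args, context, info) => {
  if (!context.user) throw new AuthenticationError("not authenticated");
  return resolver(parent, args, context, info);
};

// Role check, equivalent to a schema directive like @auth(requires: DIRECTOR).
const requireRole = (role, resolver) =>
  requireAuth((parent, args, context, info) => {
    if (!context.user.roles.includes(role)) throw new ForbiddenError(`requires role ${role}`);
    return resolver(parent, args, context, info);
  });

// Object-level check: a permission such as read:own_user only covers your own
// record; a privileged role may read anyone's. getOwnerId extracts the target id.
const ownerOrRole = (role, getOwnerId, resolver) =>
  requireAuth((parent, args, context, info) => {
    const isOwner = getOwnerId(parent, args) === context.user.id;
    if (!isOwner && !context.user.roles.includes(role)) throw new ForbiddenError("not your record");
    return resolver(parent, args, context, info);
  });

// Constructed data store.
const USERS = {
  "67890": { id: "67890", name: "Astronaut A", email: "a@example.test" },
  "1": { id: "1", name: "Director D", email: "d@example.test" },
};
const MISSIONS = [{ name: "Gemini", status: "COMPLETE" }, { name: "Apollo", status: "COMPLETE" }];

const resolvers = {
  Query: {
    // Public: the endpoint is not locked down as a whole.
    missions: () => MISSIONS,
    // viewer is the entry point for the authenticated user. It resolves to the
    // caller's own record, so nested fields cannot wander into other users' data.
    viewer: requireAuth((_parent, _args, { user }) => USERS[user.id] || null),
    // Looking up an arbitrary user needs ownership or the director role.
    user: ownerOrRole("director", (_parent, { id }) => id, (_parent, { id }) => USERS[id] || null),
  },
  Mutation: {
    launchMission: requireRole("director", (_parent, { name }) => ({ name, status: "LAUNCHED" })),
  },
};

// Minimal stand-in for graphql-js execution: runs one root field with a context.
function execute(typeName, field, args, context) {
  const resolver = resolvers[typeName] && resolvers[typeName][field];
  if (!resolver) throw new Error(`unknown field ${typeName}.${field}`);
  return resolver(null, args, context, {});
}

module.exports = { AuthenticationError, ForbiddenError, requireAuth, requireRole, ownerOrRole, execute };
```

In a federated setup the `context.user` above is derived once at the gateway from the forwarded header, and each implementing service applies the same wrappers to its own resolvers; nothing in the resolver bodies changes.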
SHOW ME THE CODE!
https://github.com/mandiwise/basic-apollo-auth-demo
https://github.com/mandiwise/apollo-federation-auth-demo
https://github.com/mandiwise/graphql-magic-auth-demo
THANKS!
TWITTER & GITHUB: @MANDIWISE