HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE
MANDI WISE | GRAPHQL SUMMIT 2020
AGENDA
Authentication
Authorization
Federation
AUTH
AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE
AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO
AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE
STARTING POINT
We don’t want to lock down our entire GraphQL endpoint
We’re going to use JSON Web Tokens for auth
We’ll use Express with Apollo Server
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey JodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsI jp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJt aXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJ pYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOT A2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1Jaxw DTlnofa3hwpS0PGdRLUMIrC7M3FCI
DEMO TIME…
AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO
A FEW OPTIONS
Handle auth logic directly in each resolver function
Create custom directives (e.g. @auth(requires: DIRECTOR))
Wrap resolver functions (e.g. GraphQL Auth)
Abstract auth rules into middleware (e.g. GraphQL Shield)
NOW DO FEDERATION
SUMMING UP
Handle incoming tokens in the context
A viewer query can be an entry point for authenticated users
Keep explicit authorization checks out of resolver functions
Forward the header from the gateway API using buildService
SHOW ME THE CODE!
https://github.com/mandiwise/basic-apollo-auth-demo
https://github.com/mandiwise/apollo-federation-auth-demo
https://github.com/mandiwise/graphql-magic-auth-demo
THANKS! TWITTER & GITHUB: @MANDIWISE