
HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE

MANDI WISE | GRAPHQL SUMMIT 2020


AGENDA

Authentication

Authorization

Federation

AUTH

AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE

AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO

AUTHENTICATION: YOU ARE WHO YOU SAY YOU ARE


STARTING POINT

We don't want to lock down our entire GraphQL endpoint

We’re going to use JSON Web Tokens for auth

We’ll use Express with Apollo Server

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwczovL3NwYWNlYXBpLmNvbS9ncmFwaHFsIjp7InJvbGVzIjpbImFzdHJvbmF1dCJdLCJwZXJtaXNzaW9ucyI6WyJyZWFkOm93bl91c2VyIl19LCJpYXQiOjE1OTQyNTI2NjMsImV4cCI6MTU5NDMzOTA2Mywic3ViIjoiNjc4OTAifQ.Z1JPE53ca1JaxwDTlnofa3hwpS0PGdRLUMIrC7M3FCI


DEMO TIME…

AUTHORIZATION: YOU CAN DO WHAT YOU WANT TO DO



A FEW OPTIONS

Handle auth logic directly in each resolver function

Create custom directives (e.g. @auth(requires: DIRECTOR))

Wrap resolver functions (e.g. GraphQL Auth)

Abstract auth rules into middleware (e.g. GraphQL Shield)
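Of the four options above, the last two share one idea: the rule lives beside the resolver map rather than inside each resolver. The following is an added example (not the speaker's code, and not GraphQL Shield or GraphQL Auth themselves) of that idea in the style of GraphQL Shield: rules are small functions of the resolver arguments, they compose with `and`/`or`, a permissions map is applied over the resolver map, and any field with no rule is denied by default so a new field cannot ship without a decision about who may call it. The `DIRECTOR` role from the directive example above is used as the privileged role; the data, rule names and helper names are assumptions for this example.

```javascript
// Added example, not the talk's code. A Shield-style rule layer that keeps explicit
// authorization checks out of resolver functions.

// Rules take the same (parent, args, context, info) tuple as a resolver and return a boolean.
// They only read the context built at authentication time; they never re-parse the token.
const isAuthenticated = (_p, _a, ctx) => Boolean(ctx.user);
const hasRole = (role) => (_p, _a, ctx) => Boolean(ctx.user && ctx.user.roles.includes(role));
const hasPermission = (perm) => (_p, _a, ctx) =>
  Boolean(ctx.user && ctx.user.permissions.includes(perm));
const isOwner = (_p, args, ctx) => Boolean(ctx.user && args.id === ctx.user.sub);

const allow = () => true;
const deny = () => false;
const and = (...rules) => (...a) => rules.every((r) => r(...a));
const or = (...rules) => (...a) => rules.some((r) => r(...a));

// Wraps every resolver with the rule found at permissions[Type][field].
// Fields without a rule get `fallback`, which defaults to deny.
function applyPermissions(resolvers, permissions, { fallback = deny } = {}) {
  const guarded = {};
  for (const [typeName, fields] of Object.entries(resolvers)) {
    guarded[typeName] = {};
    for (const [fieldName, resolve] of Object.entries(fields)) {
      const rule = (permissions[typeName] && permissions[typeName][fieldName]) || fallback;
      guarded[typeName][fieldName] = (parent, args, context, info) => {
        if (!rule(parent, args, context, info)) {
          throw new Error(`Not authorized: ${typeName}.${fieldName}`);
        }
        return resolve(parent, args, context, info);
      };
    }
  }
  return guarded;
}

// Constructed in-memory data. The resolvers contain no auth logic at all.
const users = {
  '67890': { id: '67890', name: 'Sally Ride', email: 'sally@example.com' },
};
const resolvers = {
  Query: {
    user: (_p, { id }) => users[id] || null,
    users: () => Object.values(users),
    viewer: (_p, _a, ctx) => users[ctx.user.sub] || null,
    health: () => 'ok',
  },
  Mutation: {
    deleteUser: (_p, { id }) => { delete users[id]; return true; },
  },
};

// The whole policy in one place. Mutation.deleteUser is deliberately absent:
// the deny-by-default fallback blocks it until someone writes a rule for it.
const permissions = {
  Query: {
    user: or(hasRole('director'), and(hasPermission('read:own_user'), isOwner)),
    users: hasRole('director'),
    viewer: isAuthenticated,
    health: allow,
  },
};

const guardedResolvers = applyPermissions(resolvers, permissions);
```

Pass `guardedResolvers` to Apollo Server in place of `resolvers`. A custom `@auth(requires: DIRECTOR)` directive expresses the same policy in the schema instead of in a JavaScript map; which you prefer is mostly a question of where your team reviews policy changes.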

NOW DO FEDERATION

SUMMING UP

Handle incoming tokens in the context

A viewer query can be an entry point for authenticated users

Keep explicit authorization checks out of resolver functions

Forward header from gateway API using buildService
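The last point is the federation piece. In Apollo Gateway the documented pattern is a `buildService({ name, url })` hook that returns a subclass of `RemoteGraphQLDataSource` whose `willSendRequest({ request, context })` copies the incoming Authorization header onto the request sent to each implementing service. The following is an added example (not the speaker's federation demo code) of that pattern; so that it runs offline without @apollo/gateway, the data source is a plain class with the same method name rather than a real subclass, and `forwardHop` simulates one gateway-to-service hop. Service names and URLs are assumptions.

```javascript
// Added example, not the talk's demo code. Forwarding the client's Authorization
// header from the gateway to the implementing services.

// Gateway-side context: capture only the raw header. Each service verifies the token
// itself with the same context logic it would use when called directly.
function gatewayContext({ req }) {
  return { authorization: req.headers.authorization || null };
}

// In a real gateway this extends RemoteGraphQLDataSource from @apollo/gateway
// (assumption for this offline example: a plain class with the same method).
class AuthenticatedDataSource {
  constructor({ url }) {
    this.url = url;
  }
  // Called by the gateway before every request to this service.
  willSendRequest({ request, context }) {
    if (context.authorization) {
      request.http.headers.set('authorization', context.authorization);
    }
  }
}

// Passed to new ApolloGateway({ serviceList, buildService }); the gateway calls it once
// per service in the list.
function buildService({ name, url }) {
  return new AuthenticatedDataSource({ url });
}

// Simulates one hop: incoming client request -> gateway context -> outgoing service
// request. Returns the authorization header the service would receive (or null).
function forwardHop(incomingReq, serviceUrl) {
  const context = gatewayContext({ req: incomingReq });
  const ds = buildService({ name: 'accounts', url: serviceUrl });
  const request = { http: { headers: new Map() } };
  ds.willSendRequest({ request, context });
  return request.http.headers.get('authorization') || null;
}
```

Because the raw token is forwarded, each service keeps its own verification and its own authorization rules, and a service reached directly behaves no differently from one reached through the gateway. If you instead verify once at the gateway and forward a trusted user-info header, the services must not be reachable by clients directly, or that header can be spoofed.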


SHOW ME THE CODE!

https://github.com/mandiwise/basic-apollo-auth-demo

https://github.com/mandiwise/apollo-federation-auth-demo

https://github.com/mandiwise/graphql-magic-auth-demo

THANKS!

TWITTER & GITHUB: @MANDIWISE
