Authentication & Authorization in GraphQL

Transcript

1. AUTHENTICATION & AUTHORIZATION in GraphQL PROSPER OTEMUYIWA | BuzzJS NYC

   2018

2. 2 A LITTLE ABOUT ME! BuzzJS NYC 2018

3. LAGOS, NIGERIA 3 HOME CITIZEN & RESIDENT OF

4. PRINCIPAL JOLLOF RICE ADVOCATE 4 A NIGERIAN MOUTH-WATERING DELICACY. TRY

   IT TODAY!

5. COMMUNITY DEVELOPER ADVOCATE 5 forloop Africa Laravel Nigeria Angular Nigeria

6. OPEN SOURCE ENGINEER / DEVELOPER ADVOCATE 6 @unicodeveloper

7. 7 Look at all the data! Where do I start

   from? BuzzJS NYC 2018

8. How many clients will consume this data? 8 BuzzJS NYC

   2018

9. 9 BuzzJS NYC 2018

10. What’s an effective way to fetch this data? 10 REST

    BuzzJS NYC 2018

11. 11 REST is great but... ▰ ▰ ▰ ▰ BuzzJS

    NYC 2018

12. How do we fetch data effectively & fast? 12 Okay

    Prosper, what will save us? BuzzJS NYC 2018

13. 13 BuzzJS NYC 2018 Source: https://goo.gl/AvC3Yg

14. What’s GraphQL? 14 ▰ ▰ ▰ BuzzJS NYC 2018

15. 15 BuzzJS NYC 2018 Build a Schema on the Server

16. 16 BuzzJS NYC 2018 Construct a query on the client

    to fetch data Fetch whatever data you want at once!

17. 17 Data sent back to the Client BuzzJS NYC 2018

18. 18 BuzzJS NYC 2018 GraphQL Playground: Query your Schemas

19. “ 19 19

20. Build the Schema & GraphQL Server with Apollo Server 20

21. Build the Schema & GraphQL Server 21 apollographql.com/docs/apollo-server/v2

22. “ 22 22

23. Data Fetching With Apollo Client 23 Fetch data declaratively

24. State Management with Apollo Link State 24

25. Manage local State 25 Request for local data with @client

    directive github.com/apollographql/apollo-link-state

26. Use the Client to query efficiently 26 apollographql.com/docs/react

27. “ 27 27

28. APOLLO ENGINE - New Relic for GraphQL 28

29. APOLLO ENGINE - QUERY & SCHEMA ANALYSIS 29

30. 30 APOLLO ENGINE apollographql.com/engine apollographql.com/docs/engine

31. 31

32. Authentication & Authorization 32 BuzzJS NYC 2018

33. AUTHENTICATION & AUTHORIZATION 33 ...DIFFERENT WAYS OF GOING ABOUT THIS!

34. 34 Typical REST API authentication middleware

35. AUTHENTICATION & AUTHORIZATION 35 ...how can we achieve this in

    GraphQL?

36. GENERAL: BUILD THE CONTEXT OBJECT 36 ..build the context object

    with info from the request headers.

37. 37 ...now we have context.user

38. Context Object? Oh Yeah! 38 The context object is passed

    to every single resolver at every level.

39. Resolver Level Auth. 39 1

40. Resolver Level Auth. 40 Resolvers have the ability to check

    user roles or scopes and make authorization decisions.

41. 41 ...Allow access for this particular user

42. Resolver Level Auth. Repetitive? 42 ...the approach is great but

    imagine doing this check for every resolver. Ah!

43. Resolver Level Auth. Abstract the code. 43 Write once, call

    it anywhere & everywhere.

44. 44

45. ▰ ▰ ▰ ▰ Apollo Server 2.0 RC

46. More Info on Error Handling: apollographql.com/docs/apollo-server/v2/feat ures/errors.html

47. Auth. Delegation to Models 47 2

48. Recommendation 48 Clog your resolvers with data fetching and mutation

    logic. Move them to Models.

49. 49

50. Recommendation 50 Go ahead and perform the authorization inside the

    Model.

51. 51

52. Auth via Custom Directives 52 3

53. Custom Directives 53 Custom directives can be used for a

    lot of things: auth, error tracking, translation, etc

54. Custom Directives for Auth 54

55. Custom Directives for Auth 55 apollographql.com/docs/graphql-tools/ schema-directives.html Implementation detail is

    a little bit complex, but more details can be found in the link below.

56. Auth. outside GraphQL 56 4

57. Auth. outside GraphQL 57 If your REST API already has

    authorization baked in, why bother implementing on the GraphQL level?

58. 58 ...pass the request header, then….

59. 59 …then pass the header to the model method.

60. GraphQL for the next Billion Users 60 BuzzJS NYC 2018

61. GraphQL for the next Billion Users 61 GraphQL on the

    Edge

62. 62 ▰ ▰ ▰

63. GraphQL for the next Billion Users 63 Sign up for

    Early Access: apollographql.com/edge

64. More Information on Auth. 64 GraphQL & Apollo: apollographql.com/docs JWT

    Book: auth0.com/resources/ebooks/jwt-handbook Authentication & Authorization: auth0.com/blog

65. 65 THANKS! Any questions? BuzzJS NYC 2018