Guarding GraphQL: Strategies for Robust API Authorization
Viktor Gamov, October 24th, Santa Clara, California
X: @gamussa @thekonginc

@gamussa | #APIWorld | @thekonginc


THE CLOUD API COMPANY
Kong Confidential

Viktor Gamov, Principal Developer Advocate | Kong
X: @gamussa

Danny Freese, Partner Solutions Engineer | Kong
X: @thekonginc

Agenda
• Start from the beginning - REST or GraphQL
• Why is Authorization with GraphQL Hard to Tackle?
• REST example
• GraphQL example
• Tackling AuthZ with API Gateway

GraphQL Nuts and Bolts
• Schema
• Queries
• Mutations
• Subscriptions

Schema
Define your API

type Route {
  origin: String!
  destination: String!
}

type Flight {
  number: String!
  route: Route!
  scheduled_departure: String!
  scheduled_arrival: String!
}

type Booking {
  ticket_number: String!
  flight: Flight!
  seat: String!
}


Queries
Get what you need

type Query {
  routes(origin: [String!]): [Route!]!
  flights(date: String!): [Flight!]!
  bookings(customer_id: ID!): [Booking!]!
}

query {
  flights(date: "2024-03-20") {
    number
    route {
      origin
      destination
    }
    scheduled_departure
  }
}


Mutations
Modify data

input BookingInput { … }
input CustomerInformationInput { … }

type Mutation {
  bookFlight(
    booking: BookingInput!
    customerInformation: CustomerInformationInput
  ): BookingResponse!
}

mutation {
  bookFlight(
    booking: { flight_number: "KA924", seat: "32A" }
    customerInformation: { frequentFlierNumber: "ABC123" }
  ) {
    ticket_number
  }
}


Subscription
Real-time updates

type Subscription {
  newFlight: Flight!
}

subscription {
  newFlight {
    number
    route {
      origin
      destination
    }
    scheduled_departure
    scheduled_arrival
  }
}

Why is Authorization with GraphQL Hard to Tackle?
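The bookings(customer_id: ID!) query from the schema above makes the difficulty concrete: every operation is a POST to the same /graphql path, so a path-level gateway rule can only confirm that a token is present, and "a customer sees only their own bookings" has to be decided per field and argument. The following is an added example, not code from the talk or from Kong; it assumes the gateway has already verified the JWT and hands its claims (sub, roles) to the server, and the role name "agent" is made up for the illustration.

```javascript
// Added example, not code from the talk. Shows a path-level rule beside a
// field-level policy for the bookings(customer_id: ID!) query.
// Assumed: JWT already verified upstream; claims {sub, roles} in ctx.claims.

// Constructed sample data (not real bookings).
const BOOKINGS = [
  { ticket_number: "T-001", customer_id: "cust-1", seat: "32A", flight: "KA924" },
  { ticket_number: "T-002", customer_id: "cust-2", seat: "14C", flight: "KA924" },
];

class ForbiddenError extends Error {}

// Path-level check, the way a REST-style gateway rule would express it.
// Every GraphQL operation arrives on the same path, so this only proves a
// token is present; it cannot distinguish bookings(...) from flights(...).
function pathLevelAllows(path, claims) {
  return path === "/graphql" && Boolean(claims && claims.sub);
}

// Field-level policy: a customer may read only their own bookings, an
// agent may read anyone's. (Role name "agent" is an assumption.)
function canReadBookings(claims, customerId) {
  if (!claims || !claims.sub) return false;
  if (Array.isArray(claims.roles) && claims.roles.includes("agent")) return true;
  return claims.sub === customerId;
}

// Resolvers in the (parent, args, ctx) shape GraphQL servers use.
const resolvers = {
  Query: {
    bookings(_parent, args, ctx) {
      if (!canReadBookings(ctx.claims, args.customer_id)) {
        throw new ForbiddenError(`bookings: not allowed for ${args.customer_id}`);
      }
      return BOOKINGS.filter((b) => b.customer_id === args.customer_id);
    },
  },
};

// Stand-in for the server: path check first, then the field resolver.
function execute(field, args, claims) {
  if (!pathLevelAllows("/graphql", claims)) throw new ForbiddenError("no token");
  return resolvers.Query[field](null, args, { claims });
}
```

Run the same cross-customer request through pathLevelAllows alone and it passes; only the resolver-level check rejects it.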


Protect Endpoints with JWT


Demo

Integrate with IDP


Demo

Granular Access Control with OPA


Demo

https://gamov.dev/try-konnect

https://gamov.dev/api-world-graphql


Please subscribe to my YouTube channel™
https://youtube.com/konginc