Guarding GraphQL: Strategies for Robust API Authorization

A presentation at API World in October 2023 in Santa Clara, CA, USA by Viktor Gamov

Slide 1

Guarding GraphQL: Strategies for Robust API Authorization. Viktor Gamov, October 24th, Santa Clara, California. X: @gamussa, @thekonginc

Slide 2

@gamussa | #APIWorld | @thekonginc

Slide 3


Slide 4


Slide 5


Slide 6

Kong, THE CLOUD API COMPANY

Slide 7

Viktor Gamov, Principal Developer Advocate at Kong (THE CLOUD API COMPANY). X: @gamussa

Slide 8

Danny Freese, Partner Solutions Engineer at Kong (THE CLOUD API COMPANY). X: @thekonginc

Slide 9

Agenda
• Start from the beginning: REST or GraphQL
• Why is authorization with GraphQL hard to tackle?
• REST example
• GraphQL example
• Tackling AuthZ with an API gateway

Slide 10

GraphQL Nuts and Bolts
• Schema
• Queries
• Mutations
• Subscriptions

Slide 11

Schema: define your API

type Route {
  origin: String!
  destination: String!
}

type Flight {
  number: String!
  route: Route!
  scheduled_departure: String!
  scheduled_arrival: String!
}

type Booking {
  ticket_number: String!
  flight: Flight!
  seat: String!
}

Slide 12

Queries: get what you need

type Query {
  routes(origin: [String!]): [Route!]!
  flights(date: String!): [Flight!]!
  bookings(customer_id: ID!): [Booking!]!
}

Slide 13

Queries: get what you need

type Query {
  routes(origin: [String!]): [Route!]!
  flights(date: String!): [Flight!]!
  bookings(customer_id: ID!): [Booking!]!
}

query {
  flights(date: "2024-03-20") {
    number
    route {
      origin
      destination
    }
    scheduled_departure
  }
}

Slide 14

Mutations: modify data

input BookingInput { … }
input CustomerInformationInput { … }

type Mutation {
  bookFlight(
    booking: BookingInput!
    customerInformation: CustomerInformationInput
  ): BookingResponse!
}

Slide 15

Mutations: modify data

input BookingInput { … }
input CustomerInformationInput { … }

type Mutation {
  bookFlight(
    booking: BookingInput!
    customerInformation: CustomerInformationInput
  ): BookingResponse!
}

mutation {
  bookFlight(
    booking: { flight_number: "KA924", seat: "32A" }
    customerInformation: { frequentFlierNumber: "ABC123" }
  ) {
    ticket_number
  }
}

Slide 16

Subscriptions: real-time updates

type Subscription {
  newFlight: Flight!
}

Slide 17

Subscriptions: real-time updates

type Subscription {
  newFlight: Flight!
}

subscription {
  newFlight {
    number
    route {
      origin
      destination
    }
    scheduled_departure
    scheduled_arrival
  }
}

Slide 18

Why is Authorization with GraphQL Hard to Tackle?

Slide 19


Slide 20


Slide 21

Protect Endpoints with JWT

Slide 22


Slide 23


Slide 24


Slide 25

Demo

Slide 26

Integrate with an IdP

Slide 27


Slide 28


Slide 29


Slide 30


Slide 31


Slide 32

Demo
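The check the gateway has to finish before any GraphQL authorization can begin, and the issuer and audience binding that makes the IdP integration safe, as an added example in Python; it is not code from the talk or from Kong. It uses HS256 with a constructed shared secret so that it runs offline; behind a real IdP the gateway would verify RS256/ES256 signatures with keys fetched from the IdP's JWKS endpoint instead. ISSUER, AUDIENCE, SECRET and the mint() function that stands in for the IdP are assumptions made for illustration.

```python
# Added example (not the talk's or Kong's code). HS256 with a constructed shared
# secret keeps it runnable offline; behind a real IdP the gateway verifies
# RS256/ES256 signatures with keys from the IdP's JWKS endpoint instead.
# ISSUER, AUDIENCE, SECRET and the mint() stand-in for the IdP are assumptions.
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.example.com/"          # the IdP this gateway was configured for
AUDIENCE = "flights-graphql"                 # what the IdP puts in "aud" for this API
SECRET = b"constructed-demo-secret-do-not-reuse"
ALLOWED_ALGS = {"HS256"}                     # fixed by configuration, never by the token

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, secret=SECRET, alg="HS256"):
    """Constructed tokens for the example (an IdP would issue the real ones);
    alg != "HS256" produces an unsigned token, for the negative cases."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token, now=None, leeway=30):
    """(claims, None) for a token this gateway may trust, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as exc:                # wrong part count, bad base64, bad JSON
        return None, f"malformed token: {exc}"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None, "header and payload must be JSON objects"
    if header.get("alg") not in ALLOWED_ALGS:  # "none" and every surprise alg stop here
        return None, f"algorithm {header.get('alg')!r} not allowed"
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    # Only a token that passed the signature check has claims worth reading.
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "token is not meant for this API"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return None, "expired or missing exp"
    if now < claims.get("nbf", 0) - leeway:
        return None, "not yet valid"
    return claims, None
```

The order is the point: the algorithm allow-list and the signature are checked before a single claim is read, so a token with alg "none" or one re-signed with another key never reaches the issuer, audience or expiry checks, and the claims this function returns are the only ones a downstream authorization policy should consume. Swapping the IdP means changing ISSUER and the key material, not the checks.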

Slide 33

Granular Access Control with OPA

Slide 34


Slide 35


Slide 36


Slide 37


Slide 38


Slide 39

Demo
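Why the REST approach breaks for GraphQL, and what granular access control has to look at, as an added example in Python that is not code from the talk or from Kong. With REST the method and path name the resource, so a route table can carry the policy; every GraphQL operation is a POST to one endpoint, so the gateway has to parse the document before it can decide anything. The example parses one operation against the flight-booking schema from the earlier slides and applies a rule per root field: a required scope plus, for bookings, the requirement that customer_id equal the token's sub. The scope names, the claim layout and the POLICY table are assumptions; this is the kind of decision the OPA section hands to a policy engine, written here in plain Python so it runs stand-alone.

```python
# Added example (not the talk's or Kong's code): scope names, the claim layout
# ("sub", space-separated "scope") and POLICY are assumptions for illustration.
import re
TOKEN_RE = re.compile(r'\s+|,|#[^\n]*|(?P<string>"(?:\\.|[^"\\])*")|(?P<name>[_A-Za-z]\w*)'
                      r'|(?P<number>-?\d+(?:\.\d+)?)|(?P<punct>\.\.\.|[{}():!\[\]$=@])|(?P<bad>.)')

def tokenize(doc):
    for m in TOKEN_RE.finditer(doc):          # contiguous: every character matches
        if m.lastgroup:                       # None for whitespace, commas, comments
            yield m.lastgroup, m.group()

class Parser:
    def __init__(self, doc, variables):
        self.toks = list(tokenize(doc)) + [(None, None)]   # sentinel at the end
        self.i, self.vars = 0, variables
    def peek(self):
        return self.toks[self.i]
    def take(self, expected=None):
        kind, text = self.toks[self.i]
        if kind is None or (expected and text != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {text!r}")
        self.i += 1
        return kind, text
    def operation(self):                      # -> (kind, root fields); one operation only
        kind = "query"                        # shorthand "{ ... }" is a query
        if self.peek()[1] in ("query", "mutation", "subscription"):
            kind = self.take()[1]
            if self.peek()[0] == "name":      # optional operation name
                self.take()
            if self.peek()[1] == "(":         # variable definitions: skip to ")"
                while self.take()[1] != ")":
                    pass
        fields = self.selection_set()
        if self.peek()[0] is not None:        # a second operation, or trailing junk
            raise ValueError("only one operation per document is accepted")
        return kind, fields
    def selection_set(self):
        self.take("{")
        fields = []
        while self.peek()[1] != "}":
            fields.append(self.field())
        self.take("}")
        return fields
    def field(self):
        if self.peek()[0] != "name":          # "..." (fragment), "@" (directive), junk
            raise ValueError(f"unsupported syntax {self.peek()[1]!r}")   # fail closed
        name = self.take()[1]
        if self.peek()[1] == ":":             # alias, e.g. "mine: bookings(...)"
            self.take(":")
            name = self.take()[1]             # policy keys on the real field name
        args = {}
        if self.peek()[1] == "(":
            self.take("(")
            while self.peek()[1] != ")":
                key = self.take()[1]
                self.take(":")
                args[key] = self.value()
            self.take(")")
        if self.peek()[1] == "{":             # nested selection: parsed, not policed
            self.selection_set()
        return {"name": name, "args": args}
    def value(self):
        kind, text = self.take()
        if text == "$":                       # variable, resolved from the request
            return self.vars[self.take()[1]]  # KeyError (-> deny) if not supplied
        if text in "{[":                      # input object or list: skipped whole,
            depth = 1                         # since POLICY never keys on them
            while depth:
                t = self.take()[1]
                depth += (t in "{[") - (t in "}]")
            return None
        return text[1:-1] if kind == "string" else text

# Per root field: (required scope, argument that must equal the token's "sub").
# A root field without an entry is denied even though the schema defines it.
POLICY = {
    "query": {"routes": ("flights:read", None), "flights": ("flights:read", None),
              "bookings": ("bookings:read", "customer_id")},
    "mutation": {"bookFlight": ("bookings:write", None)},
    "subscription": {"newFlight": ("flights:read", None)},
}

def authorize(document, claims, variables=None):
    """Gateway-side decision for one request, given already-verified JWT claims."""
    try:
        kind, fields = Parser(document, variables or {}).operation()
    except (ValueError, KeyError) as exc:
        return False, f"rejected: {exc}"
    scopes = set(claims.get("scope", "").split())
    for f in fields:                          # every root field, aliased or not
        rule = POLICY[kind].get(f["name"])
        if rule is None:
            return False, f"{kind}.{f['name']}: no policy"
        scope, owner_arg = rule
        if scope not in scopes:
            return False, f"{kind}.{f['name']}: missing scope {scope}"
        if owner_arg and str(f["args"].get(owner_arg)) != str(claims.get("sub")):
            return False, f"{kind}.{f['name']}: {owner_arg} is another customer's"
    return True, "ok"
```

Points a reviewer would check here: aliases are resolved to the real field name, every root field of a batched request is checked, an ID passed through variables is resolved before the ownership comparison, introspection and any other root field without a rule are denied by default, and anything the parser does not understand (fragments, directives, a second operation) is denied rather than forwarded. Nested fields are parsed but not policed in this example; a production policy has to cover them too, or the single /graphql endpoint is still a hole in a path-based model.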

Slide 40

https://gamov.dev/try-konnect

Slide 41

https://gamov.dev/api-world-graphql

Slide 42

Please subscribe to my YouTube channel™

Slide 43

Please subscribe to my YouTube channel™: https://youtube.com/konginc