A presentation at API World in in Santa Clara, CA, USA by Viktor Gamov
Guarding GraphQL Strategies for Robust API Authorization Viktor Gamov, October 24th, Santa Clara, California X: @gamussa @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
THE CLOUD API COMPANY @gamussa | #APIWorld | @thekonginc Kong Confidential
Viktor GAMOV Principal Developer Advocate | Kong THE CLOUD API COMPANY Twitter X: @gamussa Kong Confidential
Danny FREESE Partner Solutions Engineer | Kong THE CLOUD API COMPANY X: @thekonginc Kong Confidential
Agenda • Start from the beginning - REST or GraphQL • Why is Authorization with GraphQL Hard to Tackle? • REST example • GraphQL example • Tackling AuthZ with API Gateway @gamussa | #APIWorld | @thekonginc
GraphQL Nuts and Bolts • Schema • Queries • Mutations • Subscriptions
Schema De ne your API type Route { origin: String! destination: String! } type Flight { number: String! route: Route! scheduled_departure: String! scheduled_arrival: String! } type Booking { ticket_number: String! flight: Flight! seat: String! } fi @gamussa | #APIWorld | @thekonginc
Queries Get what you need type Query { routes(origin: [String!]): [Route!]! flights(date: String!): [Flight!]! bookings(customer_id: ID!): [Booking!]! } @gamussa | #APIWorld | @thekonginc
Queries Get what you need type Query { routes(origin: [String!]): [Route!]! flights(date: String!): [Flight!]! bookings(customer_id: ID!): [Booking!]! } query { flights(date: “2024-03-20”) { number route { origin destination } scheduled_departure } } @gamussa | #APIWorld | @thekonginc
Mutations Modify data input BookingInput { … } input CustomerInformationInput { … } type Mutation { bookFlight( booking: BookingInput! customerInformation: CustomerInformationInput ): BookingResponse! } @gamussa | #APIWorld | @thekonginc
Mutations Modify data input BookingInput { … } input CustomerInformationInput { … } type Mutation { bookFlight( booking: BookingInput! customerInformation: CustomerInformationInput ): BookingResponse! } mutation { bookFlight( booking: { flight_number: “KA924” seat: “32A” } customerInformation { frequentFlierNumber: “ABC123” } ) { ticket_number } } @gamussa | #APIWorld | @thekonginc
Subscription Real-time updates type Subscription { newFlight: Flight! } @gamussa | #APIWorld | @thekonginc
Subscription Real-time updates type Subscription { newFlight: Flight! } subscription { newFlight { number route { origin destination } scheduled_departure scheduled_arrival } } @gamussa | #APIWorld | @thekonginc
Why is Authorization with GraphQL Hard to Tackle? @gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
Protect Endpoints with JWT @gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
Demo @gamussa | #APIWorld | @thekonginc
Integrate with IDP @gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
Demo @gamussa | #APIWorld | @thekonginc
Granular Access Control with OPA @gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
@gamussa | #APIWorld | @thekonginc
Demo @gamussa | #APIWorld | @thekonginc
https://gamov.dev/try-konnect @gamussa | #APIWorld | @thekonginc
https://gamov.dev/api-world-graphql @gamussa | #APIWorld | @thekonginc
Please, subscribe to my YouTube channel ™ @gamussa | #APIWorld | @thekonginc
Please, subscribe to my YouTube channel ™ https://youtube.com/konginc @gamussa | #APIWorld | @thekonginc
Navigating API security in today’s digital world is a complex task. The rise of GraphQL has introduced new challenges and opportunities in API authorization. In our enlightening talk, “Guarding GraphQL: Strategies for Robust API Authorization”, Viktor Gamov, a Principal Developer Advocate at Kong, will share valuable insights on GraphQL authorization techniques for securing your APIs effectively.
Viktor will start with a concise overview of GraphQL, underlining its advantages over traditional REST APIs, including its capacity for clients to define precise data needs, boosting application performance.
He’ll then delve into the crux of GraphQL authorization. He will discuss how API management platforms, like Kong, can secure GraphQL APIs and share best practices for implementing role-based access control. Real-world scenarios will be used to bring these principles to life, demonstrating how to strike a balance between flexible API access and stringent security requirements.
Viktor will highlight how GraphQL encourages efficient development, bridging the gap between front-end and back-end teams. To wrap up, he’ll gaze into the future of GraphQL, discussing advanced features like real-time updates with GraphQL subscriptions.
Join Viktor Gamov for an insightful exploration of GraphQL authorization. This talk is designed for API architects, developers, and product managers eager to strengthen their API security while maximizing the potential of GraphQL.
The following resources were mentioned during the presentation or are useful additional information.
