Hi, I’m Sam, an Angular GDE and Collaborator, a Sr. Developer Advocate Engineer at Auth0, and the creator of UpgradingAngularJS.com and GetAJobIn.Tech. I’m also an author for Thinkster.io and egghead. My favorite thing in the world is sitting outside drinking good scotch next to a fire I built myself.
Becoming a “Secret” Agent: Securing Your GraphQL Backend with JWTs
Are you confused about how authentication and authorization relate to GraphQL APIs? You’re not alone! It’s no secret that learning auth is hard on its own, let alone on top of GraphQL. In this talk, Sam will demystify auth while showing how to use JSON Web Tokens (JWTs) with GraphQL APIs. After looking at why controlling access to APIs is so challenging and at the approaches that can be used to solve it, Sam will step through how to handle authorization in the GraphQL server. The talk uses JavaScript examples, but the principles apply to other tech. By the end, you’ll feel a whole lot better about tackling auth in GraphQL!
Hi Sam. Do you have any advice/resources/best practices for integrating Auth0 with a React Native mobile app using Expo? The stack for the project I’m working on is React Native/Expo with GraphQL/Apollo Client on the client, Node/Express with GraphQL/Apollo Server, and Prisma/Postgres on the backend.
From what I gather, I would have to eject from Expo to use the react-native-auth0 module from this guide: Auth0 React Native SDK Quickstarts: Login. Do you have any resources, or know of any approaches others have used, to integrate Auth0 into a React Native/Expo project without ejecting from Expo?
Most server-side authorization implementations I have seen involve checking permissions from the JWT’s scopes at the start of each type-resolver function. This means – for example – that a query may execute multiple database queries before reaching a nested resolver that fails a permissions check. Besides resulting in a poor user experience for big/deep queries that take longer, this scenario would also waste slash-graphql query credits.
Are there recommended ways to verify all permissions on all resolvers related to the query before query execution to avoid unnecessary computation time?
The best I can think of is adding middleware that will do a traversal of the query AST to check permissions required by each resolver before invoking the root resolver(s).
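The pre-execution check sketched in the question above, written out as an added example (this is not code from the talk, from Auth0 or from any of the libraries mentioned). It walks the selection set of an incoming operation, maps each dotted field path to a required scope, and compares that with the `scope` claim of a JWT before any resolver runs, so a request that would fail a nested permission check is rejected up front. The field names, the `REQUIRED_SCOPES` policy, the sample query and the token payload are all constructed for the example; the payload is assumed to come from a token whose signature and expiry were already verified by the server's auth middleware. To stay dependency-free the block includes a tiny parser for the GraphQL subset it needs (fields, nested selections, aliases, arguments); a real server would use `parse()`/`visit()` from the `graphql` package and the same path-to-scope lookup.

```javascript
// Added example: reject a GraphQL operation before execution when the caller's
// JWT lacks a scope required by any selected field.

// Hypothetical policy: dotted field path -> scope the caller must hold.
// Paths not listed here are unrestricted.
const REQUIRED_SCOPES = {
  "viewer": "read:profile",
  "viewer.orders": "read:orders",
  "viewer.orders.paymentCard": "read:payment",
  "adminStats": "read:admin",
};

// Drop every parenthesised argument list, including string literals inside it,
// so the remaining text is just field names, aliases and braces.
function stripArguments(src) {
  let out = "", depth = 0, inStr = false;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (inStr) {
      if (ch === '"' && src[i - 1] !== "\\") inStr = false;
      if (depth === 0) out += ch;
      continue;
    }
    if (ch === '"') { inStr = true; if (depth === 0) out += ch; continue; }
    if (ch === "(") { depth++; continue; }
    if (ch === ")") { depth--; continue; }
    if (depth === 0) out += ch;
  }
  return out;
}

// Collect every selected field as a dotted path from the operation root.
// Supported: named fields, nested selection sets, aliases, arguments.
// Not supported (would need the real parser): fragments, directives.
function collectFieldPaths(query) {
  const tokens = stripArguments(query).match(/[{}:]|[A-Za-z_][A-Za-z0-9_]*/g) || [];
  const start = tokens.indexOf("{");
  if (start === -1) throw new Error("no selection set found");
  const paths = new Set();
  const stack = [];     // field names of the enclosing selection sets
  let pending = null;   // last field name seen; becomes a parent if '{' follows
  for (let i = start; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === "{") {
      if (pending !== null) stack.push(pending);
      pending = null;
    } else if (t === "}") {
      stack.pop();
      pending = null;
    } else if (t === ":") {
      // alias separator; the alias itself was skipped below
    } else {
      if (tokens[i + 1] === ":") continue; // this identifier is an alias, real field name follows
      pending = t;
      paths.add([...stack, t].join("."));
    }
  }
  return paths;
}

// Scopes the caller lacks for this query. `tokenPayload.scope` is the usual
// space-delimited OAuth scope string; signature/expiry are assumed verified upstream.
function missingScopes(query, tokenPayload) {
  const held = new Set((tokenPayload.scope || "").split(" ").filter(Boolean));
  const missing = new Set();
  for (const path of collectFieldPaths(query)) {
    const need = REQUIRED_SCOPES[path];
    if (need && !held.has(need)) missing.add(need);
  }
  return [...missing].sort();
}

// Hook to run in the server's request pipeline before resolvers execute:
// throws a GraphQL-style FORBIDDEN error naming the missing scopes.
function authorizeOrThrow(query, tokenPayload) {
  const missing = missingScopes(query, tokenPayload);
  if (missing.length > 0) {
    const err = new Error(`forbidden: missing scope(s) ${missing.join(", ")}`);
    err.extensions = { code: "FORBIDDEN", missing };
    throw err;
  }
}

// Constructed sample operation and (already verified) token payload.
const SAMPLE_QUERY = `
  query Dashboard($n: Int = 5) {
    me: viewer {
      name
      orders(first: $n, status: "OPEN") {
        id
        paymentCard { last4 }
      }
    }
  }`;
const SAMPLE_PAYLOAD = { sub: "user-123", scope: "read:profile read:orders", exp: 1893456000 };

console.log([...collectFieldPaths(SAMPLE_QUERY)]);
console.log(missingScopes(SAMPLE_QUERY, SAMPLE_PAYLOAD)); // read:payment is missing
```

The check costs one pass over the document and a map lookup per field, so it is cheap compared with the database round trips it avoids; keeping the policy keyed by schema path also gives a single place to audit which scope gates which field.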
Is it good practice to put a GraphQL proxy server in front of a REST API provider just to hide the REST endpoints? Or would that be a waste of resources? This is for the case where I don’t want to expose my REST endpoints to the frontend.
Can you explain the different types of tokens and how they differ?
Which one is best? If the token changes after a period of time, how does that part work?
What would you recommend for authorisation when there is a need for a granular permissions model instead of roles? Wouldn’t storing all the permissions in the JWT be a bad idea due to its large size and size limitations? Also, when a permission or role is changed, how can we force the token to change so that it reflects the latest updates?