GraphQL Authorization Panel Discussion, GraphQL Galaxy 2021

Explore the complexities of GraphQL authorization and best practices for implementing role-based and attribute-based access control in this panel discussion.

Key takeaways
  • Authorization should be integrated early in the application development process.
  • Role-based access control (RBAC) and attribute-based access control (ABAC) are two popular approaches for authorization.
  • GraphQL allows for flexible and efficient querying, but it also introduces complexities in authorization.
  • Authorization should be centralized and consistent across services, but this is often difficult to achieve.
  • The 90/90 rule applies to GraphQL authorization: 90% of the time, authorization is simple and straightforward, but 10% of the time, it becomes complex and challenging.
  • Implementing authorization at the gateway level can help to simplify and centralize authorization.
  • Embedded systems and microservices can make authorization challenging, but GraphQL can help to simplify this by providing a centralized API.
  • ABAC allows for more fine-grained permissions and is well-suited for complex authorization scenarios.
  • Role-based schemas and data loading can help to simplify authorization.
  • Consistency across services is crucial for authorization, but this can be difficult to achieve.
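The takeaways above on centralizing authorization, ABAC for fine-grained permissions and role-based schemas, as an added JavaScript example that is not from the panel or from any project it mentions: resolvers in GraphQL-JS (parent, args, context) shape funnel every decision through one authorize() function that combines a role table (RBAC) with an attribute rule (ABAC). The orders, roles, permission names and the internalNote field are constructed for illustration.

```javascript
// Constructed sample data; in a real service this would come from a data loader.
const ORDERS = [
  { id: "o1", ownerId: "u1", total: 40, internalNote: "vip" },
  { id: "o2", ownerId: "u2", total: 15, internalNote: "late" },
];
// RBAC: coarse permissions granted per role (hypothetical role/permission names).
const ROLE_PERMISSIONS = {
  admin: new Set(["order:read", "order:readInternal"]),
  customer: new Set(["order:read"]),
};
// ABAC: fine-grained rules evaluated against subject attributes and the resource.
const POLICIES = {
  "order:read": (user, order) => user.roles.includes("admin") || order.ownerId === user.id,
  "order:readInternal": () => true, // the role gate alone is enough for this one
};
// The single choke point every resolver calls: role gate first, then attribute rule.
function authorize(user, permission, resource) {
  const roleAllows = user.roles.some((r) => ROLE_PERMISSIONS[r]?.has(permission));
  if (!roleAllows || !POLICIES[permission](user, resource)) {
    throw new Error(`forbidden: ${permission}`);
  }
}
// Resolvers in GraphQL-JS (parent, args, context) shape; the gateway sets context.user.
const resolvers = {
  Query: {
    order(_parent, { id }, ctx) {
      const order = ORDERS.find((o) => o.id === id);
      if (!order) return null;
      authorize(ctx.user, "order:read", order); // object-level ABAC check
      return order;
    },
  },
  Order: {
    // Role-restricted field: non-admins get null instead of failing the whole query,
    // which is how a role-based schema typically hides fields.
    internalNote(order, _args, ctx) {
      try { authorize(ctx.user, "order:readInternal", order); } catch { return null; }
      return order.internalNote;
    },
  },
};
// Convenience wrapper standing in for the GraphQL executor.
function readOrder(user, id) {
  const ctx = { user };
  const order = resolvers.Query.order(null, { id }, ctx);
  if (!order) return null;
  return { id: order.id, total: order.total,
           internalNote: resolvers.Order.internalNote(order, {}, ctx) };
}
```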