GraphQL Authorization Panel Discussion, GraphQL Galaxy 2021

Explore the complexities of GraphQL authorization and best practices for implementing role-based and attribute-based access control in this panel discussion.

Key takeaways
  • Authorization should be integrated early in the application development process.
  • Role-based access control (RBAC) and attribute-based access control (ABAC) are two popular approaches for authorization.
  • GraphQL allows for flexible and efficient querying, but it also introduces complexities in authorization.
  • Authorization should be centralized and consistent across services, but this is often difficult to achieve.
  • The 90/90 rule applies to GraphQL authorization: 90% of the time, authorization is simple and straightforward, but 10% of the time, it becomes complex and challenging.
  • Implementing authorization at the gateway level can help to simplify and centralize authorization.
  • Embedded systems and microservices can make authorization challenging, but GraphQL can help to simplify this by providing a centralized API.
  • ABAC allows for more fine-grained permissions and is well-suited for complex authorization scenarios.
  • Role-based schemas and data loading can help to simplify authorization.
  • Consistency across services is crucial for authorization, but this can be difficult to achieve.

More talks

Adelina Simion & Artur Kondas - The shimmy to the left: why security is coming for engineers

Access control in message-driven systems - Marc Klefter - NDC Porto 2023

Tutorials - Patrick Arminio: Build a production ready GraphQL API using Python

War of the APIs - REST vs GraphQL vs gRPC by Memi Lavi

SEVEN things about API security - Philippe De Ryck - NDC Oslo 2024

The Secrets of Advanced OAuth 2.0 • Aaron Parecki & Eric Johnson

Shield your backend from outside attacks with API Managers by Bárbara Teruggi

SAINTCON 2023 - Corey Ball - Start Hacking APIs