Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Authentication & Authorization in
GraphQL with AWS AppSync
Karthik Saligrama
Software Development Engineer
AWS Mobile
M O B 4 0 2

What to expect from this session
Learn how to implement identity management for GraphQL apps using
• AWS AppSync
• Amazon Cognito User Pools
• Amazon Cognito Federated Identities
• AWS Identity and Access Management (AWS IAM)

You need
Some knowledge of
• AWS IAM policies
• Amazon Cognito User Pools
• GraphQL & AWS AppSync

What is identity management?
“Enables the right individuals to access the right
resources at the right times and for the right
reasons”
— Wikipedia

Data access patterns
• Public data access
• Private data access
• Custom data access

Public data access
• Data is not user specific
• No restriction is imposed on the data

Private data access
• Data can be private to a specific user
• Access to data is privileged/restricted

Custom data access
• Data can be private/public
• Access to data can be privileged/restricted
• Access to data can be further guarded by application logic

Identity Management

AWS AppSync: Four types of authorization

API key
Role
AWS Cloud

Amazon Cognito User Pools
Role
AWS Cloud

OpenID
OpenID Connect authorizer
Role
AWS Cloud

Identity
System
AWS IAM authorization
Role
AWS Cloud

Types of authorization
• Implicit authorization
• Coarse grained authorization
• Fine grained authorization

Coarse grained authorization
type Query {
allUsers: [User]!
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [User!]!
}

Coarse grained authorization—Amazon Cognito User Pools
type Query {
allUsers: [User]!
@aws_auth(cognito-groups:["Admin"])
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [User!]!
}

Coarse grained authorization—AWS IAM authorization
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "appsync:GraphQL",
"Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"
}]
}

Coarse grained authorization—AWS IAM authorization
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"
},{
"Effect": "Deny",
"Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/allUsers"
}]
}

Coarse grained authorization—Using mapping templates
#if(!$context.request.headers.get(‘x-api-key’) == “<some api key>”)
//do some task
#else
$utils.unauthorized()
#end
#if(!$context.identity.username == “<username>”)
//do some task
#else
$utils.unauthorized()
#end

Fine grained data access control
• Using data access control of underlying data sources
• Using intelligent schema design patterns
• Pipeline resolvers

{
"version" : "2017-02-28",
"operation" : "Query",
"index" : ”role-index",
"query" : {
"expression": ”contains(role, :role)",
"expressionValues" : {
":role" : {
"S":"ADMIN"
}
}
},
"nextToken": $util.toJson($util.defaultIfNullOrEmpty($ctx.args.after, null)),
}
Using data access control of underlying data sources

{
"version":"2017-02-28",
"operation":"GET",
"path":"/id/post/_search",
"params":{
"headers":{},
"queryString":{},
"body":{
"from":0,
"size":50,
"query":{
"term" :{
”role":”ADMIN"
}
}
}
}
}

{
"version": "2018-05-29",
"statements": [
"SELECT * FROM Users u WHERE u.id = :ID AND EXISTS (SELECT
id FROM UserRole r WHERE r.id = :RID AND r.role = 'ADMIN')"
],
"variableMap": {
":ID": "$ctx.args.id",
":RID" : "$ctx.identity.sub"
}
}

Id firstName
1 Nadia
2 Shaggy
3 Pancho
UserId Role
1 ADMIN
2 USER

type Query {
adminGetUserDetails(id: ID!): User!
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [User!]!
}
type Query {
adminGetUserDetails(id: ID!): UserData!
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [UserData!]!
}
type UserData {
id : ID!
user: User!
}
Using intelligent schema design patterns

Using intelligent schema design patterns
Id firstName
1 Nadia
2 Shaggy
3 Pancho
UserId Role
1 ADMIN
2 USER
query {
adminGetUserDetails (id: “1”) {
user {
firstName
lastName
}
}
}

Pipeline resolvers

• Reusable/composable auth across all resolvers
• No schema restructuring needed
• No leaky abstraction
Pipeline resolvers

Pipeline resolvers
query {
adminGetUserDetails(id: "1") {
id
firstName
}
}
UserId Role
1 ADMIN
2 USER
Id firstName
1 Nadia
2 Shaggy
3 Pancho
{
"data":{
"adminGetUserDetails":{
"id":"1",
"firstName":"Nadia"
}
}
}

Useful tips
1. Keep authorization logic simple
2. Keep your functions lean
3. Functions are reusable, take advantage of them
4. Be mindful of limits

Resources
• https://hackernoon.com/tackling-user-authorization-in-graphql-with-
aws-appsync-7886aef60b4a
• https://medium.com/open-graphql/authenticating-an-aws-appsync-
graphql-api-with-auth0-48835691810a
• https://hackernoon.com/graphql-authorization-with-multiple-data-
sources-using-aws-appsync-dfae2e350bf2

Thank you!
Karthik Saligrama

Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:Invent 2018

Similar to Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:Invent 2018