SlideShare a Scribd company logo
1 of 44
Download to read offline
Authentication, Authorization &
Error Handling with GraphQL
Nikolas Burk 👋
Developer at Graphcool
$ whoami
@nikolasburk
1. GraphQL Introduction
2. Authentication, Authorization &
Error Handling in GraphQL
3. Demo & Practical Examples
Agenda
@nikolasburk
GraphQL Introduction
@nikolasburk
What’s GraphQL?
• new API standard
• developed & open-sourced by Facebook
• declarative way of fetching & updating data
@nikolasburk
Schema
… defines the data model
@nikolasburk
type Link {
url: String!
description: String
postedBy: User!
}
type User {
name: String!
isAdmin: Boolean!
links: [Link!]!
}
Queries
… only read data
Link(id: “1”) {
url
postedBy {
name
}
}
{
“data”: {
“Link”: {
“url”: “https://graph.cool”,
“postedBy”: {
“name”: “Sarah”
}
}
}
}
@nikolasburk
Queries
… only read data
@nikolasburk
Link(id: “1”) {
url
postedBy {
name
}
}
{
“data”: {
“Link”: {
“url”: “https://graph.cool”,
“postedBy”: {
“name”: “Sarah”
}
}
}
}
Mutations
… write and read data
mutation {
createLink(url: “https://graph.cool”) {
id
}
}
{
“data”: {
“createLink”: {
“id”: “3”,
}
}
}
@nikolasburk
Mutations
… write and read data
mutation {
createLink(url: “https://graph.cool”) {
id
}
}
{
“data”: {
“createLink”: {
“id”: “3”,
}
}
}
@nikolasburk
How does it work?
Authentication, Authorization
& Error Handling in GraphQL
@nikolasburk
Authentication vs Authorization
@nikolasburk
• Authentication: Verifying a user’s identity
• Authorization: Specifying data access permissions
Error Handling with REST
@nikolasburk
• permissions are handled in API / business
logic layer or middleware
• no standardized approach
• HTTP status codes
• permissions expressed in terms of actions
Challenges with GraphQL
@nikolasburk
• fine-grained data access
• transport-layer agnostic - no status codes
• multiple queries in single request are possible
Error Handling with GraphQL
@nikolasburk
…described in official
GraphQL specification
Returning errors
@nikolasburk
{
"data": null,
"errors": [
...
]
}
Anatomy of an error
@nikolasburk
• message: information for the developer
• locations?: where in query or mutation (line+column)
• path?: which field in the query caused the issue
• custom information
Example: Required field not provided
@nikolasburk
mutation {
createLink(url: “https://graph.cool”) {
id
}
}
mutation {
createLink() {
id
}
}
Example: Required field not provided
@nikolasburk
required url argument is missing ❌
{
"data": null,
"errors": [
{
"message": "Field 'createLink' argument 'url' of type 'String!' is required but not provided.",
"locations": [
{
"line": 2,
"column": 3
}
],
"path": [ "createLink" ]
}
]
}
Example: Required field not provided
@nikolasburk
required url argument is missing ❌
@nikolasburk
Link(id: “1”) {
id
description
}
Example: Not authorized for specific field (1/2)
@nikolasburk
Link(id: “1”) {
id
description # not authorized
}
Example: Not authorized for specific field (1/2)
@nikolasburk
{
"data": {
"Link": {
"id": "1",
"description": null
}
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "description" ],
"message": "Insufficient Permissions",
}
]
}
Example: Not authorized for specific field (1/2)
@nikolasburk
{
"data": {
"Link": {
"id": "1",
"description": null
}
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "description" ],
"message": "Insufficient Permissions",
}
]
}
Example: Not authorized for specific field (1/2)
@nikolasburk
{
"data": {
"Link": {
"id": "1",
"description": null
}
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "description" ],
"message": "Insufficient Permissions",
}
]
}
Example: Not authorized for specific field (1/2)
…but
@nikolasburk
… this only works for non-required fields like description.
type Link {
url: String!
description: String
postedBy: User!
}
@nikolasburk
Link(id: “1”) {
id
url
}
Example: Not authorized for specific field (2/2)
@nikolasburk
Link(id: “1”) {
id
url # not authorized
}
Example: Not authorized for specific field (2/2)
@nikolasburk
Example: Not authorized for specific field (2/2)
{
"data": {
"Link": null
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "url" ],
"message": "Insufficient Permissions"
}
]
}
…so
@nikolasburk
… with required fields the error bubbles up.
Authorization with GraphQL:
Permission Queries
@nikolasburk
• new and powerful approach to access control
• based on familiar GraphQL queries
• express permission rules by accessing the entire
data graph and object relations
Permissions with Graphcool
@nikolasburk
Demo
&
Practical Examples
@nikolasburk
Example Schema
@nikolasburk
type Link {
url: String!
description: String
comments: [Comment!]! @relation(name: "CommentsOnLink")
postedBy: User! @relation(name: "UsersLinks")
}
type User {
name: String!
isAdmin: Boolean!
links: [Link!]! @relation(name: "UsersLinks")
comments: [Comment!]! @relation(name: "UsersComments")
}
type Comment {
text: String!
link: Link! @relation(name: "CommentsOnLink")
writtenBy: User! @relation(name: "UsersComments")
}
4 Requirements
@nikolasburk
READ: Only authenticated user can read links
CREATE: Only a user who wrote at least one comment
that contains “GraphQL” can create new links
UPDATE: Only a user who created a link can update it
DELETE: Only a user who created a link can delete it
OR the user is an admin
READ: Only authenticated user
can read links
@nikolasburk
CREATE: Only a user who wrote at least one
comment that contains “GraphQL” can
create new links
@nikolasburk
query ($user_id: ID!) {
SomeUserExists(
filter: {
id: $user_id,
comments_some: {
text_contains: "GraphQL"
}
}
)
}
UPDATE: Only a user who created a link
can update it
@nikolasburk
query ($node_id: ID!, $user_id: ID!) {
SomeLinkExists(
filter: {
id: $node_id,
postedBy: {
id: $user_id
}
}
)
}
DELETE: Only a user who created a link
can delete it OR the user is an admin
@nikolasburk
query ($node_id: ID!, $user_id: ID!) {
SomeUserExists(
filter: {
id: $user_id,
OR: [{
isAdmin:true
}, {
links_some: {
id: $node_id
}
}]
}
)
}
Resources 📚
@nikolasburk
• Reinventing Authorization: GraphQL Permission Queries (Article)
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
• Error-Handling in GraphQL (Specification)
https://facebook.github.io/graphql/#sec-Errors
• Authorization in GraphQL (Discussion)
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
• Authentication and Error Handling in GraphQL (Video)
https://www.youtube.com/watch?v=xaorvBjCE7A&t=223s
Community 🙌
• slack.graph.cool (> 2500 members)
• GraphQL Weekly Newsletter
• GraphQL Radio Podcast
@nikolasburk
We’re hiring!
www.graph.cool/jobs
@nikolasburk
Thank you! 🙇
… any questions?
@nikolasburk

More Related Content

What's hot

What's hot (20)

Austin Day of Rest - Introduction
Austin Day of Rest - IntroductionAustin Day of Rest - Introduction
Austin Day of Rest - Introduction
 
GraphQL with Spring Boot
GraphQL with Spring BootGraphQL with Spring Boot
GraphQL with Spring Boot
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with Ion
 
The Lonesome LOD Cloud
The Lonesome LOD CloudThe Lonesome LOD Cloud
The Lonesome LOD Cloud
 
Creating 3rd Generation Web APIs with Hydra
Creating 3rd Generation Web APIs with HydraCreating 3rd Generation Web APIs with Hydra
Creating 3rd Generation Web APIs with Hydra
 
Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQL
 
Linked Data Fragments
Linked Data FragmentsLinked Data Fragments
Linked Data Fragments
 
[DevCrowd] GraphQL - gdy API RESTowe to za mało
[DevCrowd] GraphQL - gdy API RESTowe to za mało[DevCrowd] GraphQL - gdy API RESTowe to za mało
[DevCrowd] GraphQL - gdy API RESTowe to za mało
 
On the Persistence of Persistent Identifiers of the Scholarly Web
On the Persistence of Persistent Identifiers of the Scholarly WebOn the Persistence of Persistent Identifiers of the Scholarly Web
On the Persistence of Persistent Identifiers of the Scholarly Web
 
RESTful Web API and MongoDB go for a pic nic
RESTful Web API and MongoDB go for a pic nicRESTful Web API and MongoDB go for a pic nic
RESTful Web API and MongoDB go for a pic nic
 
DBpedia's Triple Pattern Fragments
DBpedia's Triple Pattern FragmentsDBpedia's Triple Pattern Fragments
DBpedia's Triple Pattern Fragments
 
Live DBpedia querying with high availability
Live DBpedia querying with high availabilityLive DBpedia querying with high availability
Live DBpedia querying with high availability
 
The Future is Federated
The Future is FederatedThe Future is Federated
The Future is Federated
 
Sustainable queryable access to Linked Data
Sustainable queryable access to Linked DataSustainable queryable access to Linked Data
Sustainable queryable access to Linked Data
 
Kql and the content search web part
Kql and the content search web part Kql and the content search web part
Kql and the content search web part
 
Initial Usage Analysis of DBpedia's Triple Pattern Fragments
Initial Usage Analysis of DBpedia's Triple Pattern FragmentsInitial Usage Analysis of DBpedia's Triple Pattern Fragments
Initial Usage Analysis of DBpedia's Triple Pattern Fragments
 
Querying datasets on the Web with high availability
Querying datasets on the Web with high availabilityQuerying datasets on the Web with high availability
Querying datasets on the Web with high availability
 
Log File Analysis: The most powerful tool in your SEO toolkit
Log File Analysis: The most powerful tool in your SEO toolkitLog File Analysis: The most powerful tool in your SEO toolkit
Log File Analysis: The most powerful tool in your SEO toolkit
 
Semantic web: An overview
Semantic web: An overviewSemantic web: An overview
Semantic web: An overview
 

Similar to Authentication, Authorization & Error Handling with GraphQL

The Flash Facebook Cookbook - FlashMidlands
The Flash Facebook Cookbook - FlashMidlandsThe Flash Facebook Cookbook - FlashMidlands
The Flash Facebook Cookbook - FlashMidlands
James Ford
 
Spark and MongoDB
Spark and MongoDBSpark and MongoDB
Spark and MongoDB
Norberto Leite
 
Enter the app era with ruby on rails (rubyday)
Enter the app era with ruby on rails (rubyday)Enter the app era with ruby on rails (rubyday)
Enter the app era with ruby on rails (rubyday)
Matteo Collina
 

Similar to Authentication, Authorization & Error Handling with GraphQL (20)

JSON-LD: JSON for Linked Data
JSON-LD: JSON for Linked DataJSON-LD: JSON for Linked Data
JSON-LD: JSON for Linked Data
 
GraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learnedGraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learned
 
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsHydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
 
GraphQL - when REST API is not enough - lessons learned
GraphQL - when REST API is not enough - lessons learnedGraphQL - when REST API is not enough - lessons learned
GraphQL - when REST API is not enough - lessons learned
 
Overview of GraphQL & Clients
Overview of GraphQL & ClientsOverview of GraphQL & Clients
Overview of GraphQL & Clients
 
BruJUG Brussels GraphQL when RESR API is to less - lessons learned
BruJUG Brussels GraphQL when RESR API is to less - lessons learnedBruJUG Brussels GraphQL when RESR API is to less - lessons learned
BruJUG Brussels GraphQL when RESR API is to less - lessons learned
 
Better APIs with GraphQL
Better APIs with GraphQL Better APIs with GraphQL
Better APIs with GraphQL
 
Elasticsearch for SQL Users
Elasticsearch for SQL UsersElasticsearch for SQL Users
Elasticsearch for SQL Users
 
Document Model for High Speed Spark Processing
Document Model for High Speed Spark ProcessingDocument Model for High Speed Spark Processing
Document Model for High Speed Spark Processing
 
HyperGraphQL
HyperGraphQLHyperGraphQL
HyperGraphQL
 
GraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learnedGraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learned
 
GraphQL Schema Stitching with Prisma & Contentful
GraphQL Schema Stitching with Prisma & ContentfulGraphQL Schema Stitching with Prisma & Contentful
GraphQL Schema Stitching with Prisma & Contentful
 
The Flash Facebook Cookbook - FlashMidlands
The Flash Facebook Cookbook - FlashMidlandsThe Flash Facebook Cookbook - FlashMidlands
The Flash Facebook Cookbook - FlashMidlands
 
Spark and MongoDB
Spark and MongoDBSpark and MongoDB
Spark and MongoDB
 
GraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learnedGraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learned
 
Building and deploying GraphQL Servers with AWS Lambda and Prisma I AWS Dev D...
Building and deploying GraphQL Servers with AWS Lambda and Prisma I AWS Dev D...Building and deploying GraphQL Servers with AWS Lambda and Prisma I AWS Dev D...
Building and deploying GraphQL Servers with AWS Lambda and Prisma I AWS Dev D...
 
AMS, API, RAILS and a developer, a Love Story
AMS, API, RAILS and a developer, a Love StoryAMS, API, RAILS and a developer, a Love Story
AMS, API, RAILS and a developer, a Love Story
 
GraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learnedGraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learned
 
GraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learnedGraphQL - when REST API is to less - lessons learned
GraphQL - when REST API is to less - lessons learned
 
Enter the app era with ruby on rails (rubyday)
Enter the app era with ruby on rails (rubyday)Enter the app era with ruby on rails (rubyday)
Enter the app era with ruby on rails (rubyday)
 

More from Nikolas Burk

More from Nikolas Burk (8)

Next-generation API Development with GraphQL and Prisma
Next-generation API Development with GraphQL and PrismaNext-generation API Development with GraphQL and Prisma
Next-generation API Development with GraphQL and Prisma
 
Code-first GraphQL Server Development with Prisma
Code-first  GraphQL Server Development with PrismaCode-first  GraphQL Server Development with Prisma
Code-first GraphQL Server Development with Prisma
 
GraphQL & Prisma from Scratch
GraphQL & Prisma from ScratchGraphQL & Prisma from Scratch
GraphQL & Prisma from Scratch
 
Managing GraphQL servers with AWS Fargate & Prisma Cloud
Managing GraphQL servers  with AWS Fargate & Prisma CloudManaging GraphQL servers  with AWS Fargate & Prisma Cloud
Managing GraphQL servers with AWS Fargate & Prisma Cloud
 
Building GraphQL Servers with Node.JS & Prisma
Building GraphQL Servers with Node.JS & PrismaBuilding GraphQL Servers with Node.JS & Prisma
Building GraphQL Servers with Node.JS & Prisma
 
The GraphQL Ecosystem in 2018
The GraphQL Ecosystem in 2018The GraphQL Ecosystem in 2018
The GraphQL Ecosystem in 2018
 
State Management & Unidirectional Data Flow
State Management & Unidirectional Data FlowState Management & Unidirectional Data Flow
State Management & Unidirectional Data Flow
 
Getting Started with Relay Modern
Getting Started with Relay ModernGetting Started with Relay Modern
Getting Started with Relay Modern
 

Recently uploaded

Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
drm1699
 

Recently uploaded (20)

Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 

Authentication, Authorization & Error Handling with GraphQL