Modern apps require special consideration for the security and privacy of user data, especially in today’s compliance-driven world. In this session, we provide some of the common use cases and design patterns to secure user data in a globally available GraphQL API, and discuss best practices for authentication and authorization in AWS AppSync.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Authentication & Authorization in
GraphQL with AWS AppSync
Karthik Saligrama
Software Development Engineer
AWS Mobile
M O B 4 0 2

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect from this session
Learn how to implement identity management for GraphQL apps using
• AWS AppSync
• Amazon Cognito User Pools
• Amazon Cognito Federated Identities
• AWS Identity and Access Management (AWS IAM)

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
You need
Some knowledge of
• AWS IAM policies
• Amazon Cognito User Pools
• GraphQL & AWS AppSync

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is identity management?
“Enables the right individuals to access the right
resources at the right times and for the right
reasons”
— Wikipedia

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data access patterns
• Public data access
• Private data access
• Custom data access

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Public data access
• Data is not user specific
• No restriction is imposed on the data

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Private data access
• Data can be private to a specific user
• Access to data is privileged/restricted

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom data access
• Data can be private/public
• Access to data can be privileged/restricted
• Access to data can be further guarded by application logic

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity Management

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS AppSync: Four types of authorization

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API key
Role
AWS Cloud

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Cognito User Pools
Role
AWS Cloud

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
OpenID
OpenID Connect authorizer
Role
AWS Cloud

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity
System
AWS IAM authorization
Role
AWS Cloud

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Types of authorization
• Implicit authorization
• Coarse grained authorization
• Fine grained authorization

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Coarse grained authorization
type Query {
allUsers: [User]!
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [User!]!
}

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Coarse grained authorization—Amazon Cognito User Pools
type Query {
allUsers: [User]!
@aws_auth(cognito-groups:["Admin"])
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [User!]!
}

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Coarse grained authorization—AWS IAM authorization
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "appsync:GraphQL",
"Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"
}]
}

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Coarse grained authorization—AWS IAM authorization
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "appsync:GraphQL",
"Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"
},{
"Effect": "Deny",
"Action": "appsync:GraphQL",
"Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/allUsers"
}]
}

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Coarse grained authorization—Using mapping templates
#if(!$context.request.headers.get(‘x-api-key’) == “<some api key>”)
//do some task
#else
$utils.unauthorized()
#end
#if(!$context.identity.username == “<username>”)
//do some task
#else
$utils.unauthorized()
#end

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
• Using data access control of underlying data sources
• Using intelligent schema design patterns
• Pipeline resolvers

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
{
"version" : "2017-02-28",
"operation" : "Query",
"index" : ”role-index",
"query" : {
"expression": ”contains(role, :role)",
"expressionValues" : {
":role" : {
"S":"ADMIN"
}
}
},
"nextToken": $util.toJson($util.defaultIfNullOrEmpty($ctx.args.after, null)),
}
Using data access control of underlying data sources

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
{
"version":"2017-02-28",
"operation":"GET",
"path":"/id/post/_search",
"params":{
"headers":{},
"queryString":{},
"body":{
"from":0,
"size":50,
"query":{
"term" :{
”role":”ADMIN"
}
}
}
}
}
Using data access control of underlying data sources

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
{
"version": "2018-05-29",
"statements": [
"SELECT * FROM Users u WHERE u.id = :ID AND EXISTS (SELECT
id FROM UserRole r WHERE r.id = :RID AND r.role = 'ADMIN')"
],
"variableMap": {
":ID": "$ctx.args.id",
":RID" : "$ctx.identity.sub"
}
}
Fine grained data access control
Using data access control of underlying data sources

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
Id firstName
1 Nadia
2 Shaggy
3 Pancho
UserId Role
1 ADMIN
2 USER

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
type Query {
adminGetUserDetails(id: ID!): User!
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [User!]!
}
type Query {
adminGetUserDetails(id: ID!): UserData!
me: User!
}
type User {
id: ID!
firstName: String!
lastName: String!
bffs: [UserData!]!
}
type UserData {
id : ID!
user: User!
}
Using intelligent schema design patterns

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
Using intelligent schema design patterns
Id firstName
1 Nadia
2 Shaggy
3 Pancho
UserId Role
1 ADMIN
2 USER
query {
adminGetUserDetails (id: “1”) {
user {
firstName
lastName
}
}
}

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
Pipeline resolvers

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
• Reusable/composable auth across all resolvers
• No schema restructuring needed
• No leaky abstraction
Pipeline resolvers

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
Pipeline resolvers

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
Pipeline resolvers

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine grained data access control
Pipeline resolvers
query {
adminGetUserDetails(id: "1") {
id
firstName
}
}
UserId Role
1 ADMIN
2 USER
Id firstName
1 Nadia
2 Shaggy
3 Pancho
{
"data":{
"adminGetUserDetails":{
"id":"1",
"firstName":"Nadia"
}
}
}

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Useful tips
1. Keep authorization logic simple
2. Keep your functions lean
3. Functions are reusable, take advantage of them
4. Be mindful of limits

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resources
• https://hackernoon.com/tackling-user-authorization-in-graphql-with-
aws-appsync-7886aef60b4a
• https://medium.com/open-graphql/authenticating-an-aws-appsync-
graphql-api-with-auth0-48835691810a
• https://hackernoon.com/graphql-authorization-with-multiple-data-
sources-using-aws-appsync-dfae2e350bf2

39. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Karthik Saligrama

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.