Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Karthik Saligrama
Software Development Engineer
AWS Mobile
MOB402
What to expect from this session
Learn how to implement identity management for GraphQL apps using
• AWS AppSync
• Amazon Cognito User Pools
• Amazon Cognito Federated Identities
• AWS Identity and Access Management (AWS IAM)
You need
Some knowledge of
• AWS IAM policies
• Amazon Cognito User Pools
• GraphQL & AWS AppSync
What is identity management?
“Enables the right individuals to access the right
resources at the right times and for the right
reasons”
— Wikipedia
Data access patterns
• Public data access
• Private data access
• Custom data access
Public data access
• Data is not user specific
• No restriction is imposed on the data
Private data access
• Data can be private to a specific user
• Access to data is privileged/restricted
Custom data access
• Data can be private/public
• Access to data can be privileged/restricted
• Access to data can be further guarded by application logic
Identity Management
AWS AppSync: Four types of authorization
• API key
• Amazon Cognito User Pools
• OpenID Connect (OIDC) authorizer
• AWS IAM authorization
Types of authorization
• Implicit authorization
• Coarse grained authorization
• Fine grained authorization
Coarse grained authorization
type Query {
  allUsers: [User]!
  me: User!
}
type User {
  id: ID!
  firstName: String!
  lastName: String!
  bffs: [User!]!
}
Coarse grained authorization—Amazon Cognito User Pools
type Query {
  allUsers: [User]!
    @aws_auth(cognito_groups: ["Admin"])
  me: User!
}
type User {
  id: ID!
  firstName: String!
  lastName: String!
  bffs: [User!]!
}
Coarse grained authorization—AWS IAM authorization
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "appsync:GraphQL",
    "Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"
  }]
}
Coarse grained authorization—AWS IAM authorization
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "appsync:GraphQL",
    "Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"
  }, {
    "Effect": "Deny",
    "Action": "appsync:GraphQL",
    "Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/allUsers"
  }]
}
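The two policies above rely on two IAM evaluation rules: a request is denied unless some statement allows it, and a matching explicit Deny overrides any Allow. The following is an added example, not code from the deck or from AWS; it is a minimal evaluator that reproduces just those two rules plus IAM's "*" / "?" wildcard matching, so you can check what each policy grants for a given AppSync field ARN. The region, account id and API id in field_arn are placeholders, and conditions, NotAction and other policy features are deliberately not handled.

```python
import re

# The two policies from the slides, as Python dicts.
ALLOW_ALL_QUERY_FIELDS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "appsync:GraphQL",
        "Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*",
    }],
}

ALLOW_QUERY_EXCEPT_ALL_USERS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "appsync:GraphQL",
         "Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/*"},
        {"Effect": "Deny", "Action": "appsync:GraphQL",
         "Resource": "arn:aws:appsync:*:*:apis/*/types/Query/fields/allUsers"},
    ],
}


def field_arn(type_name: str, field_name: str, region: str = "us-east-1",
              account: str = "123456789012", api_id: str = "abcdefghijklmnopqrstuvwxyz") -> str:
    """ARN AppSync authorizes a field against. Region, account and API id are placeholders."""
    return f"arn:aws:appsync:{region}:{account}:apis/{api_id}/types/{type_name}/fields/{field_name}"


def _pattern_matches(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run of characters (it does cross '/' and ':'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one (action, resource) pair against an identity-based policy.
    Rules reproduced: default deny; a matching Allow grants; a matching explicit Deny
    overrides every Allow no matter where it appears in the statement list.
    Actions are case-insensitive in IAM, resource ARNs are compared as written."""
    allowed = False
    for statement in _as_list(policy["Statement"]):
        action_hit = any(_pattern_matches(a.lower(), action.lower())
                         for a in _as_list(statement["Action"]))
        resource_hit = any(_pattern_matches(r, resource)
                           for r in _as_list(statement["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for type_name, field in [("Query", "allUsers"), ("Query", "me"), ("Mutation", "createUser")]:
        arn = field_arn(type_name, field)
        print(f"{type_name}.{field}: allow-all={is_allowed(ALLOW_ALL_QUERY_FIELDS, 'appsync:GraphQL', arn)} "
              f"with-deny={is_allowed(ALLOW_QUERY_EXCEPT_ALL_USERS, 'appsync:GraphQL', arn)}")
```

Note that neither policy says anything about Mutation or Subscription fields, so under the default-deny rule a caller holding only this policy cannot invoke them; the Deny statement is what keeps allUsers closed even though the wildcard Allow matches it.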
Coarse grained authorization—Using mapping templates
#if($context.request.headers.get("x-api-key") == "<some api key>")
  ## do some task
#else
  $utils.unauthorized()
#end
#if($context.identity.username == "<username>")
  ## do some task
#else
  $utils.unauthorized()
#end
Fine grained data access control
• Using data access control of underlying data sources
• Using intelligent schema design patterns
• Pipeline resolvers
Fine grained data access control
Using data access control of underlying data sources (Amazon DynamoDB)
{
  "version": "2017-02-28",
  "operation": "Query",
  "index": "role-index",
  "query": {
    "expression": "#role = :role",
    "expressionNames": {
      "#role": "role"
    },
    "expressionValues": {
      ":role": { "S": "ADMIN" }
    }
  },
  "nextToken": $util.toJson($util.defaultIfNullOrEmpty($ctx.args.after, null))
}
Fine grained data access control
Using data access control of underlying data sources (Amazon Elasticsearch Service)
{
  "version": "2017-02-28",
  "operation": "GET",
  "path": "/id/post/_search",
  "params": {
    "headers": {},
    "queryString": {},
    "body": {
      "from": 0,
      "size": 50,
      "query": {
        "term": {
          "role": "ADMIN"
        }
      }
    }
  }
}
Fine grained data access control
Using data access control of underlying data sources (Amazon Aurora Serverless)
{
  "version": "2018-05-29",
  "statements": [
    "SELECT * FROM Users u WHERE u.id = :ID AND EXISTS (SELECT id FROM UserRole r WHERE r.id = :RID AND r.role = 'ADMIN')"
  ],
  "variableMap": {
    ":ID": "$ctx.args.id",
    ":RID": "$ctx.identity.sub"
  }
}
Fine grained data access control
Users
Id  firstName
1   Nadia
2   Shaggy
3   Pancho

UserRole
UserId  Role
1       ADMIN
2       USER
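The Aurora resolver template above makes the database itself answer the authorization question: the row comes back only if the caller's role row says ADMIN. This added example (not the deck's code) runs that exact statement against an in-memory SQLite database seeded with the Users and UserRole rows from the tables above, so you can see the admin, non-admin and no-role cases side by side. SQLite stands in for Aurora, the seed rows are constructed demo data, and UserRole.id is taken to hold the caller's Cognito sub, which in this demo is the same value as the user id (that is what the template's :RID = $ctx.identity.sub binding assumes).

```python
import sqlite3

# The statement from the Aurora resolver, unchanged; SQLite accepts the same :NAME parameters.
ADMIN_GET_USER_SQL = (
    "SELECT * FROM Users u WHERE u.id = :ID "
    "AND EXISTS (SELECT id FROM UserRole r WHERE r.id = :RID AND r.role = 'ADMIN')"
)


def seed_db() -> sqlite3.Connection:
    """In-memory stand-in for Aurora, seeded with the rows shown in the slide's tables
    (constructed demo data). UserRole.id is the caller's Cognito sub; here it equals
    the user id, as the resolver's :RID binding assumes."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE Users (id TEXT PRIMARY KEY, firstName TEXT NOT NULL);
        CREATE TABLE UserRole (id TEXT PRIMARY KEY, role TEXT NOT NULL);
        INSERT INTO Users VALUES ('1', 'Nadia'), ('2', 'Shaggy'), ('3', 'Pancho');
        INSERT INTO UserRole VALUES ('1', 'ADMIN'), ('2', 'USER');
    """)
    return conn


def admin_get_user(conn: sqlite3.Connection, caller_sub: str, user_id: str):
    """Resolver logic for adminGetUserDetails(id): the requested user as a dict when the
    caller (identified by sub) holds the ADMIN role, otherwise None. Both values are bound
    as SQL parameters rather than concatenated into the statement."""
    row = conn.execute(ADMIN_GET_USER_SQL, {"ID": user_id, "RID": caller_sub}).fetchone()
    return dict(row) if row is not None else None


if __name__ == "__main__":
    db = seed_db()
    print("admin (sub 1) reads user 3:", admin_get_user(db, "1", "3"))
    print("user  (sub 2) reads user 3:", admin_get_user(db, "2", "3"))
    print("no role (sub 3) reads user 1:", admin_get_user(db, "3", "1"))
```

A caller with no UserRole row at all gets the same empty result as a caller whose role is USER: the EXISTS clause only ever opens the door for ADMIN, so an absent role fails closed.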
Fine grained data access control
Using intelligent schema design patterns
Original schema:
type Query {
  adminGetUserDetails(id: ID!): User!
  me: User!
}
type User {
  id: ID!
  firstName: String!
  lastName: String!
  bffs: [User!]!
}

Restructured schema (User wrapped in a UserData type):
type Query {
  adminGetUserDetails(id: ID!): UserData!
  me: User!
}
type User {
  id: ID!
  firstName: String!
  lastName: String!
  bffs: [UserData!]!
}
type UserData {
  id: ID!
  user: User!
}
Fine grained data access control
Using intelligent schema design patterns
Users
Id  firstName
1   Nadia
2   Shaggy
3   Pancho

UserRole
UserId  Role
1       ADMIN
2       USER

query {
  adminGetUserDetails(id: "1") {
    user {
      firstName
      lastName
    }
  }
}
Fine grained data access control
Pipeline resolvers
• Reusable/composable auth across all resolvers
• No schema restructuring needed
• No leaky abstraction

Example query:
query {
  adminGetUserDetails(id: "1") {
    id
    firstName
  }
}

UserRole
UserId  Role
1       ADMIN
2       USER

Users
Id  firstName
1   Nadia
2   Shaggy
3   Pancho

Result:
{
  "data": {
    "adminGetUserDetails": {
      "id": "1",
      "firstName": "Nadia"
    }
  }
}
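The point of the pipeline slides is that the admin check becomes a function that any resolver can put in front of its data step, with the schema left exactly as it was. The following added example (not code from the deck; AppSync runs pipeline functions as mapping templates, not Python) simulates that in Python: each function receives the same context, sees the previous function's result as ctx["prev"]["result"], and a reusable is_admin function raises where a template would call $util.unauthorized(). The Users and UserRole data are constructed from the tables above, the caller's sub is assumed to equal the user id as on the slides, and the error shape only approximates what AppSync returns for an unauthorized field.

```python
class Unauthorized(Exception):
    """Raised where a mapping template would call $util.unauthorized()."""


# Constructed data mirroring the slide's tables. UserRole is keyed by the caller's
# Cognito sub, which in this demo equals the user id.
USERS = {
    "1": {"id": "1", "firstName": "Nadia"},
    "2": {"id": "2", "firstName": "Shaggy"},
    "3": {"id": "3", "firstName": "Pancho"},
}
USER_ROLE = {"1": "ADMIN", "2": "USER"}


def is_admin(ctx: dict) -> dict:
    """Reusable auth function: look up the caller's role and abort unless it is ADMIN.
    Stands in for a pipeline function whose request template reads the UserRole table."""
    sub = ctx["identity"].get("sub")
    role = USER_ROLE.get(sub)          # None when the caller has no role row at all
    if role != "ADMIN":
        raise Unauthorized(f"caller {sub!r} is not an admin")
    ctx["stash"]["callerRole"] = role  # $ctx.stash is how later functions share state
    return {"sub": sub, "role": role}  # becomes $ctx.prev.result for the next function


def get_user(ctx: dict):
    """Data function for adminGetUserDetails(id)."""
    return USERS.get(ctx["args"]["id"])


def list_users(ctx: dict) -> list:
    """Data function for allUsers."""
    return list(USERS.values())


def run_pipeline(functions, ctx: dict):
    """Run the functions in order; the last function's result is the field's value.
    Any Unauthorized raised along the way aborts the whole pipeline."""
    ctx.setdefault("stash", {})
    ctx["prev"] = {"result": None}
    for fn in functions:
        ctx["prev"]["result"] = fn(ctx)
    return ctx["prev"]["result"]


def execute(field: str, functions, identity_sub: str, **args) -> dict:
    """Resolve one top-level field for a caller, returning a GraphQL-style response."""
    ctx = {"identity": {"sub": identity_sub}, "args": args}
    try:
        return {"data": {field: run_pipeline(functions, ctx)}}
    except Unauthorized as exc:
        return {"data": {field: None},
                "errors": [{"path": [field], "errorType": "Unauthorized", "message": str(exc)}]}


# Both admin-only fields reuse the same is_admin function ahead of their own data step.
ADMIN_GET_USER_DETAILS = [is_admin, get_user]
ALL_USERS = [is_admin, list_users]


def admin_get_user_details(identity_sub: str, user_id: str) -> dict:
    return execute("adminGetUserDetails", ADMIN_GET_USER_DETAILS, identity_sub, id=user_id)


def all_users(identity_sub: str) -> dict:
    return execute("allUsers", ALL_USERS, identity_sub)


if __name__ == "__main__":
    print(admin_get_user_details("1", "1"))   # admin caller: user 1 comes back
    print(admin_get_user_details("2", "1"))   # USER role: Unauthorized
    print(all_users("3"))                     # no role row: Unauthorized
```

Because is_admin is the first function in each list, the data functions never run for a non-admin caller, which is the property the slides care about; the schema still exposes adminGetUserDetails and allUsers exactly as in the coarse-grained examples.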
Useful tips
1. Keep authorization logic simple
2. Keep your functions lean
3. Functions are reusable, take advantage of them
4. Be mindful of limits
Resources
• https://hackernoon.com/tackling-user-authorization-in-graphql-with-aws-appsync-7886aef60b4a
• https://medium.com/open-graphql/authenticating-an-aws-appsync-graphql-api-with-auth0-48835691810a
• https://hackernoon.com/graphql-authorization-with-multiple-data-sources-using-aws-appsync-dfae2e350bf2