GraphQL is an emerging API standard that offers a more flexible alternative for data-intensive operations. It is particularly good at querying and retrieving data in an optimized shape, which makes applications more efficient. While GraphQL focuses on what it does best, we still need to ensure that our GraphQL services are exposed in a secure, controlled, monitored, and sometimes even monetized environment. This is where an API gateway that understands GraphQL queries, mutations, and subscriptions can add significant value.
This deck explores the following:
- Introduction to GraphQL
- Exposing GraphQL services as managed APIs
- Authentication
- Authorization
- Rate limiting
- Invoking GraphQL APIs exposed via WSO2 API Manager
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/exposing-graphqls-as-managed-apis/
4. GraphQL
● A query language for your API. Not a programming language.
● Ask for what you need, and get exactly that.
● Developed internally by Facebook in 2012 before being publicly released in 2015.
● Specification: https://graphql.github.io/graphql-spec/June2018/
● Reference implementation: https://github.com/graphql/graphql-js
● Implementations of GraphQL clients and servers in various languages are available: https://graphql.org/code/
● GraphQL Foundation: Airbnb, AWS, Apollo, Coursera, Facebook, GitHub, Prisma, Shopify, IBM and Twitter
● Typically served over HTTP via a single endpoint which expresses the full set of capabilities of the service.
5. Type System
● Defines the capabilities of an API
● All the types exposed by an API are written down in the GraphQL Schema Definition Language (SDL)
● Contract between the client and the server. Once it is defined, both sides are aware of the data structure
● There are some special root types (Query, Mutation, Subscription) that represent the operations
11. REST vs GraphQL (Contd)
Ex: An app needs to display the titles of the posts of a specific user. The same screen also displays the names of the last 3 followers of that user. How would that situation be solved with REST and GraphQL?
REST: Accessing multiple endpoints
/users/<id> - Fetch initial user data
/users/<id>/posts - Fetch all the posts for a user
/users/<id>/followers - Returns a list of followers per user
12. REST vs GraphQL (Contd)
GraphQL: Sends a single query
Pass the GraphQL server one query that includes the concrete data requirements (the client can specify exactly the data it needs in a query).
13. GraphQL Strengths and Weaknesses
Strengths:
• No more over-fetching and under-fetching
• Rapid product iterations on the frontend
• Insightful analytics on the backend
• Benefits of a schema and type system
Weaknesses:
• Queries send more bytes than REST
• Caching is complicated
• The server needs to do more processing
• Extra caution is needed for GraphQL-specific attacks
15. API Management for GraphQL Services
• First-class support for creating/publishing GraphQL APIs.
• Different levels of permissions for each operation.
• Different rate limiting levels for each operation.
• Threat protection (malicious, unintentional, or poorly formed queries).
• Operation-level analytics.
17. What WSO2 APIM 3.0 Offers
● First-class support for GraphQL APIs
○ Create a GraphQL API by importing an SDL schema
○ Identify GraphQL APIs automatically in the portals
○ Display the operation list instead of resources
○ Display the SDL schema instead of an OpenAPI definition
○ Download option for the SDL schema
○ Search option for GraphQL-type APIs (type:GRAPHQL)
● Operation-level security, authorization and rate limiting
19. Use Case - API Developer
Mike needs to expose the “Countries” API with the following rules:
1. The Continents operation needs to be authorized only for managers
2. The Continents operation should be allowed only one request per minute
3. The Languages operation needs to be available to everyone
20. Use Case - Application Developer
Jane needs to invoke the Countries API, which has been published through WSO2 APIM 3.0.0, to retrieve the following:
• Code and name of all languages.
• Name of all countries, and the code and name of all languages in each country.
• Name of all continents, the name of all countries in each continent, and the code and name of all languages of each country.
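Mike's per-operation rules (slide 19) and the queries Jane sends (slide 20), as an added example that is not from the deck or from WSO2 API Manager: a minimal gateway-style policy check in Python that extracts the top-level operations from a GraphQL document, requires a scope per operation, and applies a per-application rate limit per operation. The POLICY table, the scope name `manager`, the application ids and the helper names are assumptions.

```python
import re
# Tokenizer for just enough GraphQL syntax: block strings, strings, comments, spreads, names, punctuators.
_TOK = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|[A-Za-z_]\w*|\S')
# Constructed policy for the deck's "Countries" use case; scope None is public, limit None is unthrottled.
POLICY = {
    "continents": {"scope": "manager", "limit": 1, "window": 60},
    "countries": {"scope": None, "limit": None, "window": None},
    "languages": {"scope": None, "limit": None, "window": None},
}
def top_level_fields(doc):
    """Operations a document selects: names at brace depth 1 outside argument parentheses.
    Aliases resolve to the real field, directive names are skipped, fragment spreads fail closed."""
    toks, fields, depth, paren = _TOK.findall(doc), [], 0, 0
    for idx, t in enumerate(toks):
        if t in ("(", ")"):
            paren += 1 if t == "(" else -1
        elif t in ("{", "}") and paren == 0:  # braces inside arguments are input objects
            depth += 1 if t == "{" else -1
        elif t == "..." and depth == 1 and paren == 0:
            raise ValueError("fragment spread at operation level")  # could hide fields from this scan
        elif t[0].isalpha() or t[0] == "_":
            directive, alias = idx > 0 and toks[idx - 1] == "@", toks[idx + 1:idx + 2] == [":"]
            if depth == 1 and paren == 0 and not (directive or alias):
                fields.append(t)
    return fields

def check(policy, hits, app_id, scopes, document, now):
    """Authorize every selected operation, then apply each one's per-app sliding window.
    hits maps (app_id, op) to timestamps and is updated only when the request is allowed."""
    try:
        ops = top_level_fields(document)
    except ValueError as err:
        return False, f"rejected: {err}"
    if not ops:
        return False, "rejected: no operation selected"
    recent = {}
    for op in ops:
        rule = policy.get(op)
        if rule is None:
            return False, f"denied: unknown operation {op}"
        if rule["scope"] and rule["scope"] not in scopes:
            return False, f"denied: {op} requires scope {rule['scope']}"
        if rule["limit"] is not None:
            seen = [t for t in hits.get((app_id, op), []) if now - t < rule["window"]]
            if len(seen) >= rule["limit"]:
                return False, f"throttled: {op} allows {rule['limit']} per {rule['window']}s"
            recent[op] = seen
    for op, seen in recent.items():
        hits[(app_id, op)] = seen + [now]
    return True, "allowed"
```

Jane's third query selects only `continents` at the top level, so the manager scope and the one-per-minute limit apply to it even though it also pulls countries and languages underneath; a real gateway would additionally bound query depth and complexity.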
26. Webinars to Follow
● November 14 - API Security in a Cloud Native Era
● November 19 - Cloud Native APIs: The API Operator for Kubernetes
● November 21 - Beautifying the Beautiful: Theming WSO2 API Manager
● December 03 - Mine Your APIs for Gold: API Monetization
● December 05 - Building a CI/CD Pipeline for APIs