
GraphQL API Authentication & Authorization with the AWS Amplify GraphQL Transform Library

Nader Dabit (dabit3) ・ 2 min read

Out of all of the discussions and questions I hear about GraphQL, the one thing that comes up the most is how to properly implement both authentication as well as authorization for an API.

The concern is that these are not easy problems to solve, and they must be solved properly in order to secure the data in your database.

Depending on your GraphQL implementation, this can look very different from one API to the next. In this video, I've walked through how to add authentication to an AWS AppSync API and then use the GraphQL Transform library to implement authorization rules on the GraphQL schema.

The GraphQL Transform library provides a simple-to-use abstraction that helps you quickly create backends for your web and mobile applications on AWS.

Using different directives like @auth (authentication), @function (add a Lambda function resolver), and @connection (create a relationship between types) you can declaratively implement different functionality into your API.

In this video, we look at how to create an example app with two GraphQL types: Post and Note. For the Post type, we want to treat it similarly to what you might see on a blog where the owner can update and delete a post, but anyone can read it. For the Note type, we configure it so that only the person who created the note can read, update, or delete it.
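The two types described above, written as an @auth schema. This is an added example, not the schema from the video; it assumes the Amplify GraphQL Transform v1 syntax with Amazon Cognito User Pools as the API's default authorization mode, so "anyone can read" means any signed-in user, and the field and type names are illustrative.

```graphql
# Constructed example schema (not the video's file). Assumes the Amplify
# GraphQL Transform v1 and Cognito User Pools as the default auth mode.

# Post: the owner may create, update and delete. Any authenticated caller
# may read, because `read` is deliberately absent from the operations
# list, so this rule places no restriction on get/list queries.
type Post @model @auth(rules: [
  { allow: owner, operations: [create, update, delete] }
]) {
  id: ID!
  title: String!
  content: String
  # Filled in by the generated resolvers from the caller's Cognito
  # identity. The transform adds this field implicitly when it is
  # omitted; it is written out here so the check is visible.
  owner: String
}

# Note: private to its creator. With no operations list, the owner rule
# covers create, read, update and delete, so another user's list query
# returns no Notes and their get/update/delete requests are denied.
type Note @model @auth(rules: [
  { allow: owner }
]) {
  id: ID!
  text: String!
  owner: String
}
```

The thing to check before deploying is which operations each rule leaves unlisted: an omitted operation is not protected by that rule. If the API also exposes an API key as an additional auth mode, unauthenticated reads need their own explicit rule; the owner rules above only govern signed-in callers.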

After the API has been deployed, you can then further configure the resolvers as you'd like to implement business logic unique to your app.

Discussion

John Forstmeier

Loved the video! We're working with Amplify and trying to set up multi-tenancy using a third-party OIDC provider (Auth0) but we're running into difficulties. Do you have any suggestions on how best to approach this? Right now I'm working on trying to maybe use the custom resolver to provide the fine-grained access control we need over different resources.