Panel Discussion: Authorization

This ad is not shown to multipass and full ticket holders
React Summit
React Summit 2025
June 13 - 17, 2025
Amsterdam & Online
The biggest React conference worldwide
Learn More
In partnership with Focus Reactive
Upcoming event
React Summit 2025
React Summit 2025
June 13 - 17, 2025. Amsterdam & Online
Learn more
Bookmark
Rate this content

Taz Singh - Moderator


Panelists:

Tanmai Gopal

Ankita Masand

Jonny Green

Sam Scott

FAQ

The 90-90 rule mentioned by Taz Singh in software development refers to spending the first 90% of the time building the server and the last 10% on writing authorization rules, which paradoxically takes up another 90% of the time.

Guild.IO approaches GraphQL authorization by implementing role-based and attribute-based access checks. They ensure that users are authenticated and have the appropriate roles before accessing sensitive data, like hotel bookings or financial information.

Role-based access control (RBAC) assigns permissions based on user roles within an organization, allowing access to resources based on those roles. Attribute-based access control (ABAC) grants permissions based on policies that combine multiple attributes of users and resources, offering more granular access control.

Common challenges include managing the complexity of permissions as schemas evolve, ensuring data security while maintaining efficient data access and handling, and integrating authorization seamlessly with existing data systems without impacting performance.

Hasura handles GraphQL authorization using a built-in policy engine inspired by database systems with Row Level Security (RLS). This model allows specifying authorization policies at the model level, ensuring consistent application of security rules across all queries that touch the model.

The panel discusses several strategies including returning null for unauthorized fields, using GraphQL errors to indicate unauthorized access, and implementing role-based schema visibility where users only see parts of the schema they are authorized to access.

Organizations ensure consistency by using centralized roles and privilege management systems to define what actions a user can perform, which are validated both on the frontend for user experience and on the backend for security.

Tanmai Gopal
Tanmai Gopal
Taz Singh
Taz Singh
Ankita Masand
Ankita Masand
Jonny Green
Jonny Green
Sam Scott
Sam Scott
43 min
10 Dec, 2021

Comments

Sign in or register to post your comment.
Video Summary and Transcription
Founder introduces GraphQL server authorization panel with experts. Ankita details role-based, attribute-based, and data-based access checks in GraphQL authorization. Ankita and Johnny discuss authorization approaches in federated systems. Sam shares insights on working with GraphQL authorization at Oso. Handling authorization at the gateway. Oso works on a framework for authorization, collaborating with various entities, including Wayfair, on GraphQL authorization practices. Exploring the challenges of GraphQL authorization and the model of authorization policy engine in Hasura, inspired by database security measures like RLS, offering a centralized approach to authorization policies at the model level. Exploring GraphQL model-level authorization policies and the complexity of aligning authorization in GraphQL servers efficiently, including various access control models like RBAC, ABAC, PBAC, and challenges of the N plus one problem in data retrieval. Exploring challenges in fetching lists of items efficiently in GraphQL, requiring authorization checks to be pushed down to the persistence layer for scalability and improved performance. Efficiency gains in GraphQL servers by evaluating authorization rules at the database layer and pushing policies into SQL filters for performance and data safety. Efficiency gains by integrating model-level policies with predicate pushdown for closely coupled data fetching and authorization. Efficiency gains through applying read-only filters at the data layer to ensure authorized data retrieval and prevent data leakage. Efficiency through configuration-focused approach in GraphQL authorization ensures coherent and consistent protection of schema entities using RBAC system. Efficient data authorization through batch checks at the data source level to prevent repetitive resolver-level validations for improved efficiency in GraphQL authorization. Unauthorized access management in GraphQL servers involves determining how to handle unauthorized actions, whether through nullable schemas, GraphQL errors, or failing the operation. Different strategies exist, from straightforward error reporting to nuanced error conventions for UI decisions and user permissions. The approach to authorization error handling varies, with considerations for simplicity, data exposure conventions, and user experience implications. Different levels of authorization in GraphQL, from data to schema, impact user and developer experiences. Implementing row-level read filters can hide inaccessible data entirely, preventing potential authorization vulnerabilities. Handling unauthorized actions may involve returning errors for user guidance and system integrity. Utilizing role-based schemas restrict data visibility to authorized users, enhancing data security and user privacy. Business logic errors in schemas and data levels ensure clear communication of authorization status without leaking sensitive information like data existence. Data-side visibility concerns include handling 404 errors and unauthorized mutation attempts. Defaulting to nullable fields and enforcing non-null values only for essential cases ensure data integrity and error handling. Role-based schemas restrict data access based on user roles, enhancing security and privacy without exposing unauthorized data access. The GraphQL schema is composed based on user roles, restricting access to specific fields. Introspection queries for different roles ensure selective data exposure in the schema. GraphQL clients handling authorization and unauthorized states. Suggestions for dealing with nullable fields and error handling. Front end logic for role-based actions and avoiding duplication. APIs for user permissions and roles. Microservice roles and privileges for front end authorization. Importance of backend checks in GraphQL authorization. Importance of backend checks for authorization. Role-based schemas for GraphQL API accuracy. Embedding metadata for understanding privileges and scopes. Metadata for understanding privileges and consistency. Using entitlements model for UI components. Documentation-driven approach with schema and role evolution. Simplifying schema evolution for role-based permissions.

1. Introduction to Authorization Panel

Short description:

Hey, everyone! I'm Taz Singh, the founder of Guild IO, and I'm excited to be joined by a group of experts for this authorization panel. Building a GraphQL server involves spending 90% of the time on the server itself and the remaining 10% on writing the authorization rules. Today, we will deep dive into this topic and have a discussion with Ankita, Johnny, Sam, and Tanmay. Join us in the discussion room for more interaction.

Awesome. Hey, everyone! I'm Taz Singh, and I'm the founder of Guild IO. I'm happy that you're joining us today for this authorization panel. It's probably one of my favorite parts of building a GraphQL server. I feel like it's one of those parts where it kind of follows the 90-90 rule of software development, which if you aren't familiar with that, it's where you spend the first 90% of your time building a GraphQL server. And the last 10% is spent writing the authorization rules, which counts for the other 90% of the time writing a GraphQL server. Therefore, I couldn't be more thrilled to deep dive on this topic with you today, and I couldn't be happier to be joined by this group of experts on this topic. I'd like to start with Ankita from Treebo, Johnny from Unity Technologies, Sam, the co-founder at Oso, and Tanmay, the CEO of Azura. After this, we're going to have a discussion room on this topic, so if you have any questions for today's panelists or just want to chat or hang out, feel free to join us in the discussion room and we'd love to talk to you more there.

1. Understanding GraphQL Authorization

Short description:

Founder introduces GraphQL server authorization panel with experts. Ankita details role-based, attribute-based, and data-based access checks in GraphQL authorization.

Awesome. Hey, everyone. I'm Taz Singh and I'm the founder of Guild.IO. I'm happy that you're joining us today for this authorization panel. It's probably one of my favorite parts of building a GraphQL server. I feel like it's one of those parts where it kind of follows a 90-90 rule of software development, which if you aren't familiar with that is where you spent the first 90% of your time building a GraphQL server. And the last 10% is spent writing the authorization rules, which counts for the other 90% of the time writing a GraphQL server. Therefore, I couldn't be more thrilled to deep dive in this topic with you today. And I couldn't be happier to be joined by this group of experts on this topic.

I'd like to start with Ankita from Tribo, Jonny from Unity Technologies, Sam, the co-founder at Osso, and Tanmay, the CEO of Hasura. After this, we're going to have a discussion room on this topic. So if you have any questions for today's panelists, or just want to chat or hang out, feel free to join us in the discussion room and we'd love to talk to you more there. But without further ado, let's dive into our first question, because I'm sure you'd love to hear from the panelists instead of hearing from me. So let's go around and talk about how each of you have worked with GraphQL authorization, just to kind of set the stage and provide some ideas for the panel, some topics of discussion we can talk about. So let's start with Ankita.

So Ankita, can you describe how you work with GraphQL authorization? Yeah, sure. Hi. Hi, everyone. So to start with, we have two kinds of data, one that is publicly accessible. For example, hotel name, location, email, contact. This is just a small piece of graph and you can access this even if you're not authenticated. This other piece of data like bookings done on a hotel or you creating a booking, finance rated information of a hotel. To view this information, you should be authenticated and you should have a required role on this particular hotel, right? So we first check all these role-based access, they are on the GraphQL layer. We check if you have a valid role in the system and then we allow you to go to the GraphQL layer. Otherwise, we'll error out the entire operation in the context object itself saying that you're not authorized.

Also, to solve for insecure direct object reference, which means that you are a valid authenticated user and you are authorized to access the details of Hotel A, but you are not authorized to access details of Hotel B, which means that you have to check role this user on a resource, right? These are all role based access. And next comes is attribute based access, which means a user has certain permissions to, let's say, you know, take an example of, like we say, you don't have access to create a booking on a hotel. These kinds of checks we have on GraphQL fields. The third type of authorization checks that we have in our system is data based access checks, which means that you can refund an amount, but how much you can refund it depends on some particular business logic. Now this business logic is in the backend services.

QnA

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

From GraphQL Zero to GraphQL Hero with RedwoodJS
GraphQL Galaxy 2021GraphQL Galaxy 2021
32 min
From GraphQL Zero to GraphQL Hero with RedwoodJS
Top Content
Tom Pressenwurter introduces Redwood.js, a full stack app framework for building GraphQL APIs easily and maintainably. He demonstrates a Redwood.js application with a React-based front end and a Node.js API. Redwood.js offers a simplified folder structure and schema for organizing the application. It provides easy data manipulation and CRUD operations through GraphQL functions. Redwood.js allows for easy implementation of new queries and directives, including authentication and limiting access to data. It is a stable and production-ready framework that integrates well with other front-end technologies.
Local State and Server Cache: Finding a Balance
Vue.js London Live 2021Vue.js London Live 2021
24 min
Local State and Server Cache: Finding a Balance
Top Content
This Talk discusses handling local state in software development, particularly when dealing with asynchronous behavior and API requests. It explores the challenges of managing global state and the need for actions when handling server data. The Talk also highlights the issue of fetching data not in Vuex and the challenges of keeping data up-to-date in Vuex. It mentions alternative tools like Apollo Client and React Query for handling local state. The Talk concludes with a discussion on GitLab going public and the celebration that followed.
Batteries Included Reimagined - The Revival of GraphQL Yoga
GraphQL Galaxy 2021GraphQL Galaxy 2021
33 min
Batteries Included Reimagined - The Revival of GraphQL Yoga
Envelope is a powerful GraphQL plugin system that simplifies server development and allows for powerful plugin integration. It provides conformity for large corporations with multiple GraphQL servers and can be used with various frameworks. Envelope acts as the Babel of GraphQL, allowing the use of non-spec features. The Guild offers GraphQL Hive, a service similar to Apollo Studio, and encourages collaboration with other frameworks and languages.
Rock Solid React and GraphQL Apps for People in a Hurry
GraphQL Galaxy 2022GraphQL Galaxy 2022
29 min
Rock Solid React and GraphQL Apps for People in a Hurry
The Talk discusses the challenges and advancements in using GraphQL and React together. It introduces RedwoodJS, a framework that simplifies frontend-backend integration and provides features like code generation, scaffolding, and authentication. The Talk demonstrates how to set up a Redwood project, generate layouts and models, and perform CRUD operations. Redwood automates many GraphQL parts and provides an easy way for developers to get started with GraphQL. It also highlights the benefits of Redwood and suggests checking out RedwoodJS.com for more information.
Panel Discussion: Future of React
React Summit US 2024React Summit US 2024
39 min
Panel Discussion: Future of React
Watch video: Panel Discussion: Future of React
Kent C. Dodds
Shruti Kapoor
Mark Erikson
Eli White
Mofei Zhang
Theo Browne
Tom Occhino
7 authors
We're going to be doing a future of React panel discussions. React 19 is in RC stage and we're excited to hear when it will be stable. The React compiler is here to stay and is the future of developer experience and tooling. React 19 brings exciting features like RSCs and consolidation of the framework. React's commitment to community and innovation is commendable. The React team values feedback and actively engages with the community. React's future includes supporting the community and enabling smooth migrations. There's a need to teach underlying concepts and educate AI systems. Teaching and adapting to React can be challenging. The React compiler changes default re-rendering behavior. Collaboration with Next.js and Vercel has been valuable for React's development. Appreciation for the community and partnerships with Vercel and Microsoft.
React 19 Panel Discussion
React Summit 2024React Summit 2024
27 min
React 19 Panel Discussion
Ryan Carniato
Evan Bacon
Sathya Gunasekaran
Tim Neutkens
Brooks Lybrand
5 authors
The Talk revolves around React 19 and the React compiler, highlighting its new APIs, optimizations, and impact on frameworks like Next.js. The React compiler has undergone multiple iterations, resulting in improved performance and alignment with developers' expectations. The integration of React with Next.js simplifies rendering and offers free optimizations. There is excitement about the opt-in approach of React Server Components and the potential of underrated features like suspense and transitions. Overall, React's influence on the JavaScript ecosystem and UI libraries is acknowledged and appreciated.

Workshops on related topic

Build a Headless WordPress App with Next.js and WPGraphQL
React Summit 2022React Summit 2022
173 min
Build a Headless WordPress App with Next.js and WPGraphQL
Top Content
Workshop
Kellen Mace
Kellen Mace
In this workshop, you’ll learn how to build a Next.js app that uses Apollo Client to fetch data from a headless WordPress backend and use it to render the pages of your app. You’ll learn when you should consider a headless WordPress architecture, how to turn a WordPress backend into a GraphQL server, how to compose queries using the GraphiQL IDE, how to colocate GraphQL fragments with your components, and more.
Build with SvelteKit and GraphQL
GraphQL Galaxy 2021GraphQL Galaxy 2021
140 min
Build with SvelteKit and GraphQL
Top Content
Workshop
Scott Spence
Scott Spence
Have you ever thought about building something that doesn't require a lot of boilerplate with a tiny bundle size? In this workshop, Scott Spence will go from hello world to covering routing and using endpoints in SvelteKit. You'll set up a backend GraphQL API then use GraphQL queries with SvelteKit to display the GraphQL API data. You'll build a fast secure project that uses SvelteKit's features, then deploy it as a fully static site. This course is for the Svelte curious who haven't had extensive experience with SvelteKit and want a deeper understanding of how to use it in practical applications.

Table of contents:
- Kick-off and Svelte introduction
- Initialise frontend project
- Tour of the SvelteKit skeleton project
- Configure backend project
- Query Data with GraphQL
- Fetching data to the frontend with GraphQL
- Styling
- Svelte directives
- Routing in SvelteKit
- Endpoints in SvelteKit
- Deploying to Netlify
- Navigation
- Mutations in GraphCMS
- Sending GraphQL Mutations via SvelteKit
- Q&A
Relational Database Modeling for GraphQL
GraphQL Galaxy 2020GraphQL Galaxy 2020
106 min
Relational Database Modeling for GraphQL
Top Content
Workshop
Adron Hall
Adron Hall
In this workshop we'll dig deeper into data modeling. We'll start with a discussion about various database types and how they map to GraphQL. Once that groundwork is laid out, the focus will shift to specific types of databases and how to build data models that work best for GraphQL within various scenarios.
Table of contentsPart 1 - Hour 1      a. Relational Database Data Modeling      b. Comparing Relational and NoSQL Databases      c. GraphQL with the Database in mindPart 2 - Hour 2      a. Designing Relational Data Models      b. Relationship, Building MultijoinsTables      c. GraphQL & Relational Data Modeling Query Complexities
Prerequisites      a. Data modeling tool. The trainer will be using dbdiagram      b. Postgres, albeit no need to install this locally, as I'll be using a Postgres Dicker image, from Docker Hub for all examples      c. Hasura
Build and Deploy a Backend With Fastify & Platformatic
JSNation 2023JSNation 2023
104 min
Build and Deploy a Backend With Fastify & Platformatic
Top Content
WorkshopFree
Matteo Collina
Matteo Collina
Platformatic allows you to rapidly develop GraphQL and REST APIs with minimal effort. The best part is that it also allows you to unleash the full potential of Node.js and Fastify whenever you need to. You can fully customise a Platformatic application by writing your own additional features and plugins. In the workshop, we’ll cover both our Open Source modules and our Cloud offering:- Platformatic OSS (open-source software) — Tools and libraries for rapidly building robust applications with Node.js (https://oss.platformatic.dev/).- Platformatic Cloud (currently in beta) — Our hosting platform that includes features such as preview apps, built-in metrics and integration with your Git flow (https://platformatic.dev/). 
In this workshop you'll learn how to develop APIs with Fastify and deploy them to the Platformatic Cloud.
Building GraphQL APIs on top of Ethereum with The Graph
GraphQL Galaxy 2021GraphQL Galaxy 2021
48 min
Building GraphQL APIs on top of Ethereum with The Graph
Workshop
Nader Dabit
Nader Dabit
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, and other blockchains. Anyone can build and publish open APIs, called subgraphs, making data easily accessible.

In this workshop you’ll learn how to build a subgraph that indexes NFT blockchain data from the Foundation smart contract. We’ll deploy the API, and learn how to perform queries to retrieve data using various types of data access patterns, implementing filters and sorting.

By the end of the workshop, you should understand how to build and deploy performant APIs to The Graph to index data from any smart contract deployed to Ethereum.
Hard GraphQL Problems at Shopify
GraphQL Galaxy 2021GraphQL Galaxy 2021
164 min
Hard GraphQL Problems at Shopify
Workshop
Rebecca Friedman
Jonathan Baker
Alex Ackerman
Théo Ben Hassen
 Greg MacWilliam
5 authors
At Shopify scale, we solve some pretty hard problems. In this workshop, five different speakers will outline some of the challenges we’ve faced, and how we’ve overcome them.

Table of contents:
1 - The infamous "N+1" problem: Jonathan Baker - Let's talk about what it is, why it is a problem, and how Shopify handles it at scale across several GraphQL APIs.
2 - Contextualizing GraphQL APIs: Alex Ackerman - How and why we decided to use directives. I’ll share what directives are, which directives are available out of the box, and how to create custom directives.
3 - Faster GraphQL queries for mobile clients: Theo Ben Hassen - As your mobile app grows, so will your GraphQL queries. In this talk, I will go over diverse strategies to make your queries faster and more effective.
4 - Building tomorrow’s product today: Greg MacWilliam - How Shopify adopts future features in today’s code.
5 - Managing large APIs effectively: Rebecca Friedman - We have thousands of developers at Shopify. Let’s take a look at how we’re ensuring the quality and consistency of our GraphQL APIs with so many contributors.