GraphQL is an emerging query language for APIs and an open-source runtime for querying and retrieving existing data in an optimal manner, which makes applications more efficient. With the flexibility it offers over REST APIs, many organizations are now interested in GraphQL and are adopting it widely.
While GraphQL focuses on what it does best, backend developers still need to ensure that their GraphQL services are exposed in a secure, controlled, monitored and, sometimes, even monetized manner. This is where an API gateway is useful: as the middle layer, it adds significant value to GraphQL queries, mutations, and subscriptions.
This slide deck will discuss the following:
- An introduction to GraphQL
- Why and when to use GraphQL APIs
- Exposing GraphQL service as managed APIs: The necessity of an API Manager
- Deploying a GraphQL service via WSO2 API Manager: Security, authentication, authorization, and rate-limiting
- Invoking GraphQL APIs via the integrated GraphiQL UI in Developer Portal
- GraphQL Analytics
Watch the webinar on-demand here: https://wso2.com/library/webinars/deploying-graphql-services-as-managed-apis/
2. Discussion Points
● Introduction to GraphQL
● Why and When to use GraphQL APIs
● Exposing GraphQL service as Managed APIs
○ The necessity of an API Manager
● Deploying a GraphQL service via WSO2 API Manager
○ Security, Authentication, Authorization, and Rate-Limiting
● Invoking GraphQL APIs via the Integrated GraphiQL UI in Developer Portal
● GraphQL Analytics
4. GraphQL
● A query language for your APIs.
● Gives what you request, nothing more and nothing less.
● The GraphQL specification includes an SDL (Schema Definition Language).
● Created by Facebook in 2012 and open-sourced in 2015.
● Ability to make API calls more efficient, flexible, and developer-friendly.
● Served over HTTP via a single endpoint.
● Specification - https://spec.graphql.org/June2018/
● Reference Implementation - https://github.com/graphql/graphql-js
● Implementation support in many languages - https://graphql.org/code/
5. Products Management Service
Retailer: Id (ID), Name (String)
Customer: Id (ID), Name (String)
Product: Id (ID), Name (String), Category (enum: CLOTHING, FOOTWEAR, COSMETICS)
[Entity-relationship diagram of the three entities with 1:m and m:m relationships]
6. Type System
● Defines the capabilities of an API
● All the types exposed in an API are written down in a language called GraphQL Schema Definition Language
● Contract between the server and the client. Once it is defined, both sides are aware of the data structure
● Query, Mutation, and Subscription root types
9. Subscription
● GraphQL subscriptions allow you to be notified in real time of changes to your data.
● In the ProductsManagement service, a retailer will be notified whenever a new Customer node is created.
11. REST vs GraphQL
● Consider the same ProductsManagement service example, where the retailer wants to know the list of customers who ordered a particular product.
● If you try this with REST, you need to make the following three API calls.
13. REST API Call 2
Fetch the list of customers' Ids by sending the particular product Id (/products/<orderedProductId>/customers)
14. REST API Call 3
Fetch the customer-specific details by sending their Ids one by one (/products/<orderedProductId>/customers/<id>)
15. GraphQL Service Call
Returns the details of a list of customers for the particular product with just a single query
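To make the round-trip difference concrete, here is an added example (not code from the deck or from WSO2) that simulates the same retailer question against an in-memory ProductsManagement data set. The records, ids and the `/products/...` routing are constructed; the first REST call (slide 12 is not reproduced above) is assumed here to fetch the product record; and the GraphQL selection set is given as a nested Python dict standing in for a query such as `{ product(id: "p1") { name customers { id name } } }`.

```python
from typing import Dict, List

# Constructed data set for the ProductsManagement example. A customer record
# carries more fields than the retailer asked for (email, address), which is
# what makes the REST path over-fetch.
CUSTOMERS: Dict[str, dict] = {
    "c1": {"id": "c1", "name": "Ann", "email": "ann@example.com", "address": "1 High St"},
    "c2": {"id": "c2", "name": "Ben", "email": "ben@example.com", "address": "2 Low Rd"},
    "c3": {"id": "c3", "name": "Cy", "email": "cy@example.com", "address": "3 Mid Ln"},
}
PRODUCTS: Dict[str, dict] = {"p1": {"id": "p1", "name": "Boots", "category": "FOOTWEAR"}}
ORDERS: Dict[str, List[str]] = {"p1": ["c1", "c3"]}   # product id -> ids of customers who ordered it


class RestService:
    """Simulates the resource hierarchy on the slides and counts round trips."""

    def __init__(self) -> None:
        self.calls = 0

    def get(self, path: str):
        self.calls += 1
        parts = path.strip("/").split("/")
        if len(parts) == 2:                                  # /products/<id>
            return dict(PRODUCTS[parts[1]])
        if len(parts) == 3 and parts[2] == "customers":      # /products/<id>/customers
            return [{"id": cid} for cid in ORDERS.get(parts[1], [])]
        if len(parts) == 4:                                  # /products/<id>/customers/<cid>
            return dict(CUSTOMERS[parts[3]])
        raise KeyError(path)


def customers_via_rest(svc: RestService, product_id: str) -> dict:
    """Call 1 (assumed): the product. Call 2: the customer ids.
    Call 3: one request per customer, so N + 2 round trips in total."""
    product = svc.get(f"/products/{product_id}")
    ids = [c["id"] for c in svc.get(f"/products/{product_id}/customers")]
    product["customers"] = [svc.get(f"/products/{product_id}/customers/{cid}") for cid in ids]
    return product


def project(record: dict, selection: dict) -> dict:
    """Keep only the selected fields; a nested dict selects into an object or a list."""
    out = {}
    for key, sub in selection.items():
        value = record[key]
        if isinstance(sub, dict):
            value = ([project(v, sub) for v in value] if isinstance(value, list)
                     else project(value, sub))
        out[key] = value
    return out


class GraphQLService:
    """One round trip: the server resolves the nested `customers` field itself."""

    def __init__(self) -> None:
        self.calls = 0

    def product(self, product_id: str, selection: dict) -> dict:
        self.calls += 1
        record = dict(PRODUCTS[product_id],
                      customers=[CUSTOMERS[cid] for cid in ORDERS.get(product_id, [])])
        return project(record, selection)


if __name__ == "__main__":
    rest, gql = RestService(), GraphQLService()
    customers_via_rest(rest, "p1")
    gql.product("p1", {"name": True, "customers": {"id": True, "name": True}})
    print(f"REST round trips: {rest.calls}, GraphQL round trips: {gql.calls}")
```

With two customers the REST path costs four round trips and every customer record comes back with `email` and `address` that were never requested, while the GraphQL path costs one round trip and `project` returns exactly the selected fields.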
16. Why and When to Use GraphQL
● No more over-fetching or under-fetching
● Single API call data fetching
● Auto-generated documentation using GraphiQL
● Versionless API evolution
● High performance in data fetching networks
● Schema and Type System
● Not good for complex queries: they slow down performance and kill the efficiency of GraphQL applications
● Not a perfect fit for content delivery networks: no HTTP cache support
18. The necessity of an API Manager
● First-class support for creating/publishing GraphQL APIs
● Authentication and security
● Role-based access control for each operation: authorization for GraphQL APIs
● Rate limiting GraphQL operations
● Operation-level analytics
● Detect and block malicious/unintentional/poor queries
20. First Class Support for GraphQL APIs
● Create a GraphQL API by importing an SDL schema
● Identify GraphQL APIs automatically in the Portals
● Display the operation list instead of resources
● Display the SDL schema instead of an OpenAPI definition
● Download option for the SDL schema in Publisher and Developer Portal
● Search option for GraphQL type APIs (type: GRAPHQL)
22. Authentication for GraphQL APIs
● APIs are mostly exposed to external users.
● Security plays a major role at this point, as it is crucial to ensure that the users who access the API operations are authentic.
● Some GraphQL API operations may be exposed to the public, giving access to anyone without authenticating to the system.
● WSO2 APIM provides the ability to enable or disable operation-level security in the Publisher.
● For instance, the allProducts operation in ProductsAPI should be accessible by anyone, hence its security needs to be disabled.
25. Authorization for GraphQL APIs
● The operations defined in the GraphQL SDL need to be accessible to only a subset of users in an organization.
● Only the authorized parties should have access.
● WSO2 APIM provides the ability to assign different levels of permissions to the API operations using fine-grained access control with OAuth2 scopes.
● An API developer needs to distribute the privileges of the "ProductsAPI" operations among the Retailer and Customer user groups to limit access to the API.
27. Rate Limiting for GraphQL Operations
● There can be specific operations which are expensive to execute.
● Therefore, applying the same rate limits to all the operations is not a good idea in a production system.
● WSO2 API Manager can easily manage operation-level rate limits.
● An API developer is able to set rate limiting either at the operation level or at the API level to manage operation-based traffic.
● For example, fetching the products list should be available to anyone without limit, so it has been assigned the Unlimited value.
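The three gateway concerns above (operation-level security on slide 22, OAuth2 scopes on slide 25, per-operation rate limits on slide 27) and the "detect and block poor queries" point from slide 18 can be shown together. The following is an added example, not WSO2 API Manager code: a minimal gateway-side check that inspects the incoming GraphQL document without executing it, looks up a constructed per-operation policy table, and enforces authentication, scopes, a fixed-window rate limit and a maximum nesting depth. The operation names, scope names, limits, status strings and the token dict (standing in for the already-validated claims of an OAuth2 access token) are all assumptions made for this example.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The gateway never executes the query. It only needs the operation type, the
# top-level fields (the "operations" a publisher attaches policies to) and the
# nesting depth, which is a cheap proxy for query cost.
_TOKEN = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|[{}()]|"(?:\\.|[^"\\])*"|[^\s,]')
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def inspect_document(doc: str) -> Tuple[str, List[str], int]:
    """Return (operation type, top-level field names, maximum selection depth).
    Fragments are not resolved here, so documents using them are rejected
    rather than letting a hidden field slip past the policy check."""
    if "..." in doc or re.search(r"\bfragment\b", doc):
        raise ValueError("fragments are not supported")
    tokens = _TOKEN.findall(re.sub(r"#[^\n]*", "", doc))      # drop comments first
    op_type, i = "query", 0                                    # shorthand "{ ... }" is a query
    if tokens and tokens[0] in ("query", "mutation", "subscription"):
        op_type = tokens[0]
        while i < len(tokens) and tokens[i] != "{":             # skip name and variables
            i += 1
    if i >= len(tokens) or tokens[i] != "{":
        raise ValueError("expected a selection set")
    brace = paren = depth = 0
    fields: List[str] = []
    for j in range(i, len(tokens)):
        tok = tokens[j]
        prev = tokens[j - 1] if j > 0 else None
        nxt = tokens[j + 1] if j + 1 < len(tokens) else None
        if tok == "{":
            brace += 1
            depth = max(depth, brace)
        elif tok == "}":
            brace -= 1
            if brace == 0:
                break
        elif tok in ("(", ")"):
            paren += 1 if tok == "(" else -1
        elif (brace == 1 and paren == 0 and _NAME.fullmatch(tok)
              and prev != "@" and nxt != ":"):                 # skip directives and aliases
            fields.append(tok)
    return op_type, fields, depth

@dataclass(frozen=True)
class OperationPolicy:
    security_enabled: bool = True               # slide 22: can be switched off per operation
    scopes: FrozenSet[str] = frozenset()        # slide 25: any one of these scopes grants access
    rate_limit: Optional[int] = 10              # slide 27: requests per window; None = Unlimited

# Constructed policy table; the operation names are illustrative only.
POLICIES: Dict[Tuple[str, str], OperationPolicy] = {
    ("query", "allProducts"): OperationPolicy(security_enabled=False, rate_limit=None),
    ("query", "customersForProduct"): OperationPolicy(scopes=frozenset({"retailer"}), rate_limit=5),
    ("mutation", "createCustomer"): OperationPolicy(scopes=frozenset({"retailer"}), rate_limit=2),
    ("subscription", "customerCreated"): OperationPolicy(scopes=frozenset({"retailer"}), rate_limit=None),
}

class FixedWindowLimiter:
    """Per-(client, operation) counter that resets every `window` seconds."""

    def __init__(self, window: float = 60.0) -> None:
        self.window, self.counts = window, {}

    def allow(self, key, limit: Optional[int], now: float) -> bool:
        if limit is None:                           # Unlimited tier
            return True
        start, count = self.counts.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        allowed = count < limit
        self.counts[key] = (start, count + (1 if allowed else 0))
        return allowed

class Gateway:
    """`token` is the already-validated claim set of an OAuth2 access token
    (a constructed dict here); None means an anonymous caller."""

    def __init__(self, policies: Dict[Tuple[str, str], OperationPolicy], max_depth: int = 4) -> None:
        self.policies, self.max_depth, self.limiter = policies, max_depth, FixedWindowLimiter()

    def authorize(self, doc: str, token: Optional[dict] = None, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            op_type, fields, depth = inspect_document(doc)
        except ValueError as err:
            return f"400 {err}"
        if depth > self.max_depth:                  # slide 18: block poor or abusive queries
            return f"400 query depth {depth} exceeds limit {self.max_depth}"
        if not fields:
            return "400 no operation selected"
        client = token["client_id"] if token else "anonymous"
        for name in fields:                         # authorize everything before spending quota
            policy = self.policies.get((op_type, name))
            if policy is None:                      # unknown operation: fail closed
                return f"404 unknown operation {op_type}.{name}"
            if policy.security_enabled and token is None:
                return f"401 {name} requires authentication"
            if policy.security_enabled and policy.scopes and not policy.scopes & token["scopes"]:
                return f"403 {name} requires one of {sorted(policy.scopes)}"
        for name in fields:
            limit = self.policies[(op_type, name)].rate_limit
            if not self.limiter.allow((client, op_type, name), limit, now):
                return f"429 {name} rate limit exceeded"
        return "200 forwarded"
```

Two design points are worth keeping when adapting this: the inspector fails closed on anything it cannot see through (fragments, unknown operations), and quota is only spent once every top-level field in the document has been authorized, so a rejected request cannot be used to drain another operation's limit. The public `allProducts` operation passes with no token and no limit, exactly as slides 22 and 27 describe, while `createCustomer` needs a token carrying the `retailer` scope and is cut off after two calls per window.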
30. Discovering and Consuming GraphQL APIs via DevPortal
● A listing of GraphQL APIs
● Search option to GraphQL type APIs
● Categorizing
● Documentation
● Developer friendly try-out tooling
● Rating and Commenting for the APIs