OneGraph / onegraph-blog


Introducing AuthGuardian: The simplest Auth yet! #7

Closed dwwoelfel closed 3 years ago

dwwoelfel commented 3 years ago


AuthGuardian is a free service by OneGraph that lets you handle two simple - but powerful - cases:

  1. Add third-party sign-in to your client-side app. Allow users to sign into your React, Vue, Angular, etc. apps with GitHub, Twitch, Twitter, and so on and get their email, follower count, organizations, etc., all without a server
  2. Secure your server-side APIs, like your Hasura, Netlify, express.js, or Apollo servers using visually configured rules

After visually configuring all of your auth rules in the GUI, any time you ask the user to log into any service, all of your auth rules will fire, and AuthGuardian will build a JWT with your exact requirements, based on the user's data

For a quick lightning talk showing off the power of AuthGuardian, see our talk at GraphQL Asia 2020

https://youtu.be/g8pyzqXAMjE?t=147

If you're curious about why we're able to support AuthGuardian as a free service, see our pricing notes below

A Quick Client-Side Example: Open-Source Swag Store

Say you were building a swag store as a JAMstack app (like Gatsby has done) to reward contributors to your open-source project. For anyone who has starred your repository, you'll offer them a 5% discount. For anyone who has committed to your repository, you'll give them a 10% discount.

Gatsby Swag Store

For your UI, you'll need your user to sign into GitHub, and you'll need three rules:

Let's see what that would look like in the AuthGuardian GUI!

Rule 1: Basic GitHub login information: username and email

If the user is logged into GitHub, populate our JWT with their GitHub login and email

And our preview of what the JWT would look like after asking a user to log into GitHub:

Result of our first AuthGuardian rule

As you can see, the rule reads naturally!

Rule 2: 5% discount for starring our repository

If the user has starred our repository, set their discount to 5% (0.05)

And again, a preview of what the JWT would look like if they were logged into GitHub and had starred our repository:

Result of our first and second AuthGuardian rule

Because the rule reads so naturally, it becomes easy to audit our auth rules

Rule 3: 10% discount for contributing to our open-source project

If the user has contributed to our repository, set their discount to 10% (0.1)

And a final preview of what our user's JWT will look like with all three rules running if they've contributed to our repository:

Result of all of our AuthGuardian rule

Done in under 2 minutes!

Secure your GraphQL or REST servers

AuthGuardian has packages that allow you to apply field-level authorization rules for Apollo servers. Let's say you have a bunch of Egghead pro tips that are most useful for Egghead.io Pro members, and you want to make sure that your API only allows access to those tips to authorized pro Eggheads.

You'll add the onegraph-apollo-server-auth package, follow the setup, and then your schema definition is simply:

directive @hasRole(oneOf: [String!]) on QUERY | FIELD_DEFINITION

type Query {
  tips: [EggheadProTips]
}

type EggheadProTips {
  id: String!
  name: String!
  coolEggheadSecrets: [String!] @hasRole(oneOf: ["eggheader"])
}

And given these rules on AuthGuardian (that can work alongside the rules for the client - one JWT will work with multiple services!)

Restricting our protips to Egghead pro members

And the resulting JWT:

Result of our AuthGuardian eggheader rule

That's it, your Apollo server is set up with authorization!

Eject to plain GraphQL and JavaScript if your app needs

As we expand OneGraph, AuthGuardian will naturally pick up new data sources and effects. But you may bump up against a case where you need more functionality than the GUI can provide.

For that, we provide an exporter function that will generate a single GraphQL query along with a snippet of JavaScript that together will - if run on every user login - produce the same JWT that AuthGuardian would have. This allows you to take control of producing JWTs with additional data sources or libraries if you need to.

AuthGuardian Produces Secure JWTs

Every JWT generated by AuthGuardian is signed with a key, so tampering with the contents is impossible. After verifying the JWT payload and signature, you can always trust the contents of the JSON in your application, API, or service.

Pricing

We're releasing AuthGuardian for free for apps of all sizes!

How? OneGraph joins together dozens of APIs in a single GraphQL service that you can hit directly from the browser or mobile application. That means we've implemented - and maintain - auth across all of these services as well.

After seeing developers struggle to specify and audit fairly simple rules, we built out AuthGuardian as a lightweight addition on top of OneGraph's underlying structure - for which we have existing customers and revenue streams. That means we don't need to charge for access to AuthGuardian.

Try it out!

Try out AuthGuardian in a React, Vue, Angular, or Svelte app, or in your backend API today by creating a new app on OneGraph

Originally published on the OneGraph blog (2020-07-01): https://www.onegraph.com/blog/2020/07/01/Introducing-AuthGuardian-The-Simplest-Auth-Yet.html
jonas-kgomo commented 3 years ago

great ☢ blog

edardev commented 3 years ago

🚀🚀🚀