GraphQL Security types in IBM API Connect
In this blog we look at the security types available for GraphQL APIs in IBM API Connect.
API Key:
- API keys are simple, alphanumeric codes provided to clients (applications or users) that want to access an API.
- Clients include the API key in the request headers or query parameters when making API calls.
- API keys are often used for rate limiting, access control, and tracking usage.
- They are straightforward to implement but can be less secure if not managed properly, as they can be easily shared or leaked.
Basic Authentication:
- Basic Authentication is a method where the client includes a username and password in the request headers.
- The credentials are typically Base64-encoded and sent with every API request.
- While simple to implement, Basic Authentication is not recommended for high-security scenarios unless used over HTTPS.
- It’s essential to secure the credentials and avoid sending them in plaintext.
OAuth (Open Authorization):
- OAuth is a more comprehensive and secure authorization framework for delegating access to resources without sharing sensitive credentials.
- OAuth 2.0, the most common version, involves three main roles: the resource owner, the client, and the authorization server.
- The client requests access to protected resources on behalf of the resource owner by obtaining an access token from the authorization server.
- OAuth supports various grant types, such as Authorization Code, Implicit, Client Credentials, and Password, each suited for different use cases.
- OAuth is widely used for securing APIs accessed by third-party applications, mobile apps, and web services.
GraphQL Server URL:
https://spacex-production.up.railway.app/
GraphQL schema: SpaceX-production.up.railway.app
Creation of GraphQL Proxy API in API Connect:
Step 1: Open API Manager
Step 2: Go to Resources -> OAuth Providers.
Step 3: Create a new OAuth Provider: click Add, select Native OAuth Provider, and give the provider a name.
Step 4: Now select the Grant Type.
Step 5: Select the scope
Step 6: Now go to Catalog and add the OAuth that we created now in OAuth Providers.
Step 7: In Develop, click Add and select API.
Step 8: Select the option From an existing GraphQL server.
Step 9: Give a Name and Import the GraphQL Server
- The schema will be added automatically once you import the GraphQL Server
Step 10: Now go to the security schemes and add the client ID, client secret, and OAuth 2.0.
Step 11: Add these 3 security parameters to the API security.
API Flow:
Testing:
Actual GraphQL Backend Testing:
Testing of Proxy GraphQL API in API Connect:
- First, generate the token
- Pass the generated token along with the client ID and client secret while calling the GraphQL API.
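The two testing steps above as an added Python example (not code from the original post or from IBM): obtain a token with the client credentials grant, which is an assumed grant type, then call the proxied GraphQL API carrying the client ID, client secret and bearer token. The gateway URLs, credentials and the launchesPast query are placeholders; the X-IBM-Client-Id and X-IBM-Client-Secret header names are API Connect's default client ID and secret headers.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders: replace with your gateway URL, OAuth provider base
# path and the credentials of the application subscribed to the API.
TOKEN_URL = "https://gateway.example.com/org/catalog/oauth-provider/oauth2/token"
GRAPHQL_URL = "https://gateway.example.com/org/catalog/spacex-proxy/graphql"
CLIENT_ID, CLIENT_SECRET = "my-client-id", "my-client-secret"


def token_request(token_url, client_id, client_secret, scope):
    """Build the client-credentials token request (assumed grant type).
    The client authenticates with HTTP Basic, i.e. Base64 of 'id:secret'."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body.encode()


def parse_token_response(raw):
    """Return the bearer token; an OAuth error body never yields a token."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("unexpected token response")
    return data["access_token"]


def graphql_request(api_url, query, client_id, client_secret, access_token, variables=None):
    """Build the proxied GraphQL call carrying all three security parameters."""
    headers = {"X-IBM-Client-Id": client_id, "X-IBM-Client-Secret": client_secret,
               "Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return api_url, headers, body


def post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    url, hdrs, data = token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET, "read")
    token = parse_token_response(post(url, hdrs, data))
    query = "{ launchesPast(limit: 2) { mission_name launch_date_utc } }"
    print(post(*graphql_request(GRAPHQL_URL, query, CLIENT_ID, CLIENT_SECRET, token)))
```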