We’re using auth0 as an identity provider with Apollo Client connecting to Apollo Server [nodejs] and gqlgen [go] backends. To a limited extent, we are using auth0 to manage authorization for some of the graphql access as well by passing roles, permissions, and identity down the context to the resolvers.
There has been friction at three levels of the process:
- Infrastructure - AWS Lambda / API & custom authorizers
- GraphQL itself is great, but has its own set of issues primarily around authorization
- auth0 - I would say this has been the most transparent. Parsing the jwt and running it through the various middlewares is similar to our pre-auth0 implementations and didn’t require too many changes.
Going forward, most of our effort will revolve around how we want to handle RBAC - how much we want to use auth0’s roles, how we work around some of the limitations in AWS custom authorizers, etc.
Overall, it was a fairly straightforward integration. Let me know if you have any specific questions, I’d be happy to elaborate.