GraphQL API Management with Kong

Hi Kong Community,

I’ve been researching the topic of managing GraphQL APIs for a few weeks and just dropped my first plugin on GitHub:

This is a very simple Traffic Control plugin. It measures the depth of GraphQL operations and blocks requests above an arbitrary threshold.

Before I dig further, I wanted to check with the community to get your feedback and thoughts, or maybe learn about existing projects in this field that I missed.

So far, I could not find any API Gateway that implements policies targeting GraphQL specifically. I got inspiration from this IBM article:

Next, I want to work on implementing a query cost analysis plugin and also an operation whitelisting plugin.

Looking forward to getting your feedback and insights on this and, more generally, on plugin development.

Thanks,

Julien

4 Likes
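The depth check described in the post above, sketched as an added example (not the plugin's code and not from the original thread). It scans the document lexically instead of building an AST, so it does not follow fragment spreads; the function names, the `maxDepth` threshold and the status codes are assumptions.

```javascript
// Depth = deepest nesting of selection sets, so `{ user { name } }` is 2.
// Braces inside parentheses are argument/default-value objects, not
// selection sets, and braces inside strings or comments are ignored.
function selectionDepth(doc) {
  let depth = 0, max = 0, parens = 0, i = 0;
  while (i < doc.length) {
    const c = doc[i];
    if (c === '#') {                       // comment runs to end of line
      while (i < doc.length && doc[i] !== '\n') i++;
      continue;
    }
    if (c === '"') {                       // "string" or """block string"""
      const block = doc.startsWith('"""', i);
      i += block ? 3 : 1;
      while (i < doc.length) {
        if (doc[i] === '\\') { i += 2; continue; }
        if (block ? doc.startsWith('"""', i) : doc[i] === '"') break;
        i++;
      }
      if (i >= doc.length) throw new SyntaxError('unterminated string');
      i += block ? 3 : 1;
      continue;
    }
    if (c === '(') parens++;
    else if (c === ')') parens--;
    else if (parens === 0 && c === '{') max = Math.max(max, ++depth);
    else if (parens === 0 && c === '}') depth--;
    if (depth < 0 || parens < 0) throw new SyntaxError('unbalanced document');
    i++;
  }
  if (depth !== 0 || parens !== 0) throw new SyntaxError('unbalanced document');
  return max;
}

// Gateway-side decision on a JSON request body of the form {"query": "..."}.
// Anything that cannot be measured is rejected instead of forwarded.
// Status codes are assumed for illustration.
function checkRequest(body, maxDepth) {
  let depth;
  try {
    depth = selectionDepth(String(JSON.parse(body).query ?? ''));
  } catch (e) {
    return { allowed: false, status: 400, reason: 'malformed request' };
  }
  if (depth > maxDepth) {
    return { allowed: false, status: 403, reason: `depth ${depth} > ${maxDepth}` };
  }
  return { allowed: true, status: 200, depth };
}
```

A production check would expand fragments from a parsed AST before measuring, since a spread can hide nesting from a purely lexical scan.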

Hello Julien!
At Kong we’re now starting some research to support GraphQL to some extent. As in that IBM link you posted, there’s no trivial way to apply rate limiting to GraphQL without doing introspection of the responses, and this will slow the response time (depending on the extent to which the introspection is done).

The approach you are taking looks like a good middle ground.

We’d love to hear about this and other community members’ needs to focus/guide our future research also.

Good work!

1 Like

Thanks for the feedback Raimon, performance is definitely a major concern.
I am planning to approach it from two angles:

  1. Compare it with the existing JS implementations (as an example, compare the plugin I posted with https://github.com/stems/graphql-depth-limit)

  2. Memory/CPU usage in Kong itself. Parsing and visiting large GraphQL queries might be an issue. Fortunately my current implementation leaves a lot of room for optimization… let’s see, no premature optimization :)

I’m now working on Operation Whitelisting. I’ll share the output in this forum in the next few weeks.

Following on the topic of GraphQL API Management, I published a second plugin on GitHub:

This is a bit more complex than the previous one. I could leverage the extensibility of the Kong Admin API to set up my whitelist of operations (Query/Mutation) easily.
I also forked Konga to simplify the setup. The whitelist is essentially implemented as Consumer’s credentials:

Still an early alpha version, but I’m seeing a lot of potential to use Kong for the GraphQL protocol.

1 Like

We just started getting into Kong, and a few months ago we got into GraphQL. Didn’t realize at the time how GraphQL could differ so much from REST APIs in distributed systems with API gateways. Are you using these plugins in production? What were your performance findings? (If you don’t mind me asking).

I was starting to consider integrating Open Policy Agent with Kong, and with GraphQL endpoints; but introspection would have to happen. And I’m not sure if ANY potential performance cost would be worth the standardization. We still have to build a plugin that could do this and see if it’s significantly slower than checking authorization at the microservice. There is also the multiplied development cost per microservice and the enforcement of policies per microservice.

Thanks!