In the first part of this blog series, we began a conversation on the emerging open-source API standard GraphQL and how to apply access control to a GraphQL API. We demonstrated how to validate incoming OAuth tokens in a GraphQL service and how to filter data by identity tag. So far, we have operated from the perspective of a GraphQL resolver working in conjunction with PingFederate.
Today, in this second installment of the two-part blog series, we continue down the example path of our open banking GraphQL service and introduce another layer of authorization: user privacy management and enforcement. In order to implement this, we will introduce a data governance layer to apply dynamic user privacy preferences and fine-grained access control for our GraphQL service.