►
From YouTube: GraphQL Authorization with Konnect, OPA and OIDC
Description
π Join us live to learn about how to implement authentication and authorization for GraphQL APIs using OIDC and OPA with Konnect! π€
This tutorial focuses on the solution that can solve for the Authentication and Authorization concerns at the gateway layer. We'll first authenticate users, and if authenticated, then the userβs fine-grain permissions will be evaluated to determine if the user has permission to run the incoming GraphQL request (whether the request is nested or using query variables).
π In this tutorial, you'll learn:
π How to implement authentication and authorization for GraphQL APIs using OIDC and OPA with Konnect.
π³ How to create Docker containers for Keycloak, OPA, and Kong.
π§ How to configure keycloak, OPA, and Konnect.
π How to test OPA behavior.
Join us and get started by cloning the repository and following the steps!
Can't wait to see you there!
A
A
A
What
is
happening
internet
welcome,
to
conch,
welcome
to
conch
and
if
you're
watching
us,
if
you
see
us,
meaning
that
you
either
on
the
YouTube
channel
or
in
the
Quan
LinkedIn
stream,
or
maybe
some
other
places
like
a
twitch,
or
maybe
my
personal
YouTube
channel,
which
I
also
use
to
restream
this,
because
the
more
the
merrier
more
content
and
more
people
will
see
it.
So
who
am
I?
My
name
is
Victor.
Gamof
and
I
will
be
your
host
today,
Kong
Builders,
it's
our
regular
show.
A
A
B
Hey
thanks
for
having
me
I'm
Danny
I'm
on
the
partner
engineering
team
and
I
have
been
building.
You
may
be
familiar
with
me.
I've
been
building
some
content
out
this
year
on
integrating
with
some
of
our
key
technology
Partners,
so
there's
some
API
setups
tutorials
and
using
mesh
for
a
cloud
migration
Journey.
So
thanks
for
having
me
Vic.
A
Please,
dear
people
who
are
watching
our
stream,
let
us
know
where
you're
coming
from
where
like,
if
it's
a
LinkedIn
YouTube,
just
like
write,
something
in
the
comments.
Let's
make
some
noise
and
make
sure
that
the
sound
is
great
I
hear
Danny
perfectly
I
see
Danny
also
perfectly,
and
also
we
can
you
calculate
while
we're
waiting
for
the
for
the
comments
we
can
geek
out
about
the
our
the
mechanical
keyboards.
That's
what
I
hear
Dan
is
using
what
kind
of
mechanical
keyboard
are
you
using
Danny.
B
A
A
A
A
A
A
See,
oh
merge,
hey
one
of
our
Quan
Champion
smart
simsec
hi
for
coming
in
all
right.
It's
great
that
the
people
joining
in
detailing
where
they're
coming
from
in
terms
of
like
what
platform
but
I
was
talking
about
like
a
physical
location.
What's
the
what's,
the
city
or
I,
don't
know
state
or
country
at
least
you
know
we
want
to
know
people
I
see
that
you're
coming
from
LinkedIn,
because
I
see
this
small
icon
that
says
you're
coming
from
LinkedIn.
A
While
we're
waiting
some
of
the
comments,
let
me
actually
talk
a
little
bit
about
some
house
keeping
items
so,
first
of
all,
the
important
thing
is
that
if
you
own
the
Computing
travel,
please
subscribe
to
our
YouTube
channel
or
if
you're
not
make
sure
that
your
button
looks
something
like
this.
So
I
have
enabled
a
notification,
so
I
will
not
miss
any
streams
and
I'm
subscribed.
I
would
really
appreciate-
and
Danny
also
will
appreciate
this,
because
she
posts
some
of
the
videos
regularly.
A
Speaking
about
Danish
content
like
if
you
go
to
Quran
blog,
you
can
find
multiple
cool
partnering
Integrations
with
the
different
technology
providers
like
a
red
hat
like
AWS
and
some
other
things
so
Danny.
You
can
talk
a
little
bit
about
the
stuff
that
you
do
at
the
partner
engineering.
Maybe
people
would
be.
You
know
interesting
more
about
this
stuff
people
know
everything
about
like
devrel.
Now.
What
do
you
do
at
the
partner
engineering.
B
B
If
we
need
a
openshift
certification,
we
may
go
ahead
and
do
that
and
then
once
we've
done
it,
we
kind
of
circle
back
and
start
the
kind
of
like
the
enablement
and
figure
like
letting
the
community
know
how
to
use
those
new
Integrations
or
how
to
use
those
new
certifications
out
there.
So
you
can
keep
you
know
moving
along
with
whatever
you're
doing
so
that's
a
lot
of
what
we
do.
A
So
what
I
like
to
to
say
about
the
the
partnering
stuff
Endeavor,
where
we
are
very
similar,
we're
trying
to
build
this
kind
of
integration
with
devrel?
It's
not
it's
less
formal
right
and
less
structural
with
the
with
partner
engineering,
it's
kind
of
like
official
certification,
sometimes
customers,
they
kind
of
okay.
What's
your
official
stand
on
supporting
lws
and
where's,
the
Danny
and
his
her
team
comes
into
play.
A
Hey
yep,
that's
like
we're
certified,
there's
a
paper,
so
we
can
roll.
We
can
enroll
with
this,
so
I
just
saw
like
we
have
a
people
from
France
from
Bay
Area
from
Egypt
from
Istanbul.
So
that's
a
great
geography
to
to
talk
about
this
great
keep
them
coming
all
right,
Danny.
What
we're
going
to
be
building
today
so
I
noticed
that
you
didn't
you're,
not
sharing
your
screen.
Could
you
share
your
screen
with
me,
so
we
can
bring
your
your
screen
into
the
Stream.
B
B
A
So
I
can,
let's
see
if
we
will
be
able
to
share
it.
Okay,
perfect,
we
can
see
it
and
if
you
can
make
it
a
little
bit
bigger,
so
people
can
also
see
what
you
sharing
on
this
on
the
screen.
So
people,
let
me
know
if
you,
if
it's
big
enough
for
you
to
see
this,
this
awesome
diagram
I,
would
I
would
go
a
little
bit
bigger
if
I.
A
B
B
Guys
I
know
it's
a
little
small,
but
what
we're
going
to
be
doing
today
is
we
want
to
talk
about
graphql,
API
authorization,
and
the
reason
being
is
that
we've
got
a
lot
of
customers
that
they're
starting
to
build
out
their
graphql
apis,
but
they've
also
got
rest
and
grpc
going
all
at
the
same
time,
so
they
kind
of
want
to
have
a
standard
solution
for
protecting
all
these
apis
and
Kong
can
kind
of
help.
You
do
that,
so
the
story
is
going
to
be
we're
going
to
focus
on
there's
a.
A
I
have
a
I
have
a
question
like
before
we
jump
into
this
one
like
what
what
makes
us
what
makes
it
unique
so
because
the
graphql
runs
on
top
of
HTTP
like
what's
the
you
know,
what's
the
first,
what's
the
big
deal
we
just
put,
the
whatever
coin
does
for
years
like
API
authorization,
Plug-In
or
like
oigc
plugin
things
like
that
white?
Is
you
know
something
special
about
this.
B
Graph
yeah,
that's
a
fair
question,
so
I
think
a
lot
of
us
are
really
familiar
with
securing
and
building
Access
Control
policies
for
rest
right,
but
that
object
when
you're.
Looking
at
it's
pretty
static.
It's
just
a
here
is
the
Json
object
that
I
will
accept
and
then
it's
very
easy
to
build
disassemble
and
build
Access
Control
policies.
But
what
is
the?
What
is
the
Paradigm
with
graphql?
B
We
now
want
to
take
all
of
our
rest
apis,
all
of
them
batch
them
into
one
massive
Nest
data
tree
structure
and
now-
and
you
know,
expose
that
to
our
front-end
clients
right,
whether
it
be
web
or
mobile
whatever,
and
that
so
we've
just
taken
all
the
data.
We
put
it
into
a
massive
data
tree
structure.
So
how
are
we
supposed
to
secure
it?
That's
kind
of
the
issue
that
the
community
is
facing
working.
A
Think
about
this,
when
you're
doing
the
rest
stuff,
you
can
have
a
security
on
top
on
particular
routes
or
on
top
of
particular
HTTP
methods
and
things
like
that,
but
with
graphql
you're
kind
of
limiting
around
like
one
endpoint
and
one,
it
should
be
method
and
only
based
on
the
requests
that
you
have
in
the
type
of
request.
If
it's
a
query
or
it's
a
mutation,
you
need
to
be
what
to
say
like
a
little
bit
more
aware
what
is
going
on
in
this
like
a
pipeline.
D
A
B
Yeah,
so
con
connect
we're
just
going
to
use
that
as
a
control
plane
and
to
you
know
to
deploy
our
data
plane
for
the
Gateway,
and
then
we
do
want
to
showcase
how
to
use
oidc,
in
this
case,
we'll
just
to
identify
the
user.
So
we'll
have
an
IDP
it'll
be
key
cloak
in
this
case,
just
because
it's
easy
to
deploy
but
really
I'd
any
IDP
works,
and
then
the
third
is
Opa
is
really
going
to
be
the
star
here:
open
policy
agent.
It's
a
cncf
project.
B
A
B
Yeah,
because
what
Opa
will
do
so
we'll
issue
the
jot
an
API
consumer
hits
the
Gateway
the
oidc
by
default
is
gonna
plug
in
it's
going
to
be
hit
first,
so
we're
gonna
we're
gonna
key,
close
gonna
issue
that
jot
and
then
it
goes
down
to
Opa
and
we
take
that
request
and
your
jot
if
we
send
it
over
to
the
OPA
engine.
It's
going
to
execute
your
authorization
policy
to
assess
if
your
request
and
yeah
is
good
or
about
is,
is,
can
pass
or
not,
and
then.
D
B
C
B
D
B
It
hadn't
done
the
bulk
of
the
leg
work
because
I
thought
you
were
gonna,
do
it
but
I'll
do
it.
So
what
we're
going
to
do
first
is
start
over
I've
already
got
it.
I've
already
got
eks
up
and
running
because
that
takes
you
know
15
minutes
and
then
what
I've
just
got
is
just
kubernetes
manifest
to
actually
logged
in.
B
If
I
could
do
this
right,
always
on
the
Fly
got
a
Kong
name.
Space
I've
got
key
cloak
deployed,
I've
got
the
data
plan
and
I've
got
the
OPA
engine
so
and
opa
there's
a
couple
of
way
deployment
strategies
for
it.
You
know
at
kubernetes.
It
also
will
deploys
admissions
controller,
but
we're
going
to
leverage
it
we're
not
leveraging
in
that
in
that
context,
right
now,
because
we
actually
just
want
to
be
making
calls
to
it
back
and
forth
with
the
Gateway
not
making
a
decision
as
we
insert
something
into
kubernetes.
A
B
B
So
in
Connect
I
made
a
new
runtime
group
called
Kong
Builders
just
to
keep
it
separate,
and
we
can
see.
We've
got
that
one
data
plane
connected
and
I
went
ahead
and
did
a
deck
sink
in
advance.
So
we've
got
a
Rick
and
Morty
Gateway
service
and
it's
got
a
route
Associated
to
it
called
on
path,
Rick
and
Morty,
and
we've
got
a
couple
of.
We
got
the
two
plugins
just
two
plugins
for
now
so
Opa
is
enabled
and
open
ID
connect
is
enabled
I'm
gonna
I.
A
I
wanna
I
wanna
kind
of
like
a
quickly
mention
this
to
to
people
who
to
watching
this.
So
the
reason
why
we're
using
connect
at
this
point
is
not
only
because
it
is
like
easiest
way
how
you
can
get
access
to
a
variety
of
the
plugins,
a
variety
of
the
things
that
are
available
there,
but
also
just
like
a
free
UI.
So
we
can
quickly
demonstrate
all
these
things
to
you
all
these
things
also
possible
to
do
whatever
Quantum
deployment
you're
using.
A
A
The
same
thing
would
be
applicable
if
you
just
like
switch
to
deploy
to
even
like
local
Docker
right,
if
you,
if
you
deploy
this
in
local
local
Docker,
if
you
deploy
this
in
Google
Cloud,
the
even
like
all
this
like
a
deck
file
would
be
absolutely
the
same,
because
it
will
be
working
against
connect.
So
that's
pretty
pretty
simple
thing
to
do
with
connect,
so
we
do
have
like
it's
a
it's
a
it's,
a
it's
a
managed,
Service
trial
is
enabled.
A
B
A
Yeah,
let's,
let's
do
this:
let's
try
it,
let's
see
so
that's
gonna
be
fun,
because
this
is
totally
totally
you
know.
Unprepared
and
I
am
not
afraid
to
make
fun
of
myself
with
something
not
gonna
work.
So
we
do
have
this
repository
that
we're
going
to
share
afterwards
right
now,
it's
kind
of
like
it
looks
like
this.
The
hardest
thing
for
me
would
be
probably
get
my
kubernetes
cluster.
Let's
see
if
I
have
this
nodes,
I
would
probably
it's
connected
to
my
hoop
CTX
Coupe
CTX
Coupe
CTX.
A
Get
could
get
notes,
let's
see
if
my
kubernetes
cluster
is
up
and
running.
Hopefully
it
will
be
up
and
running
in
there.
Let's
see,
is
it
still
there,
hello
hello?
So
if
my
cluster
is
not
ready,
so
we're
gonna
have
a
backup
plan
to
switch
to
to
Dennis
see
if
maybe
my
Cube
TX,
maybe
I
need
to
use
yeah.
No,
this
this
cluster
should
be
should
be
up
and
running
cloud.
A
A
D
A
B
B
B
A
C
A
B
B
B
D
C
A
B
D
A
B
Kind
of
nerve-wracking
too,
because
I
never
know
which
direction
to
go.
So
we
just
look
at
this.
We
just
look
at
this
service,
real
quick,
you
know.
If
we
go
down,
it's
got
a
host
name,
and
if
this
is
really
production
ready,
you
know
we
would
have
had
Route
53
fronting
the
load
balancer,
but
we're
just
kind
of
like
this
is
just
a
quick
start
landscape.
B
D
A
B
It's
there
it's
there.
The
point
is
it's
there
right,
moral
story,
okay,
so
so
we
right
now
what
we've
got
is
we've
just
we've
just
exposed
the
graphql
API
endpoint.
We
don't
have
anything
else
on
it,
and
so
we
want
to
kind
of
start
incrementaling
turning
things
on
when
we
turn
on
key
cloak.
So
let's
go
back
to
let's
go
back
to
connect
and
turn
on
key
cloak
I'm
going
to
close
this,
because
this
is
really
frustrating
here.
We
go.
Okay,.
C
A
B
B
Yeah,
no,
it
is
really
a
good
point,
rule
of
thumb
honestly,
because
people
can't
see
then
it's
futile,
it's
worthless.
Okay,
so
we're
gonna
enable
the
open,
ID
connect.
Plugin
I've
already
got
it
configured
because
I
had
a
deck
config
right.
Some
of
this
was
predictable,
so
I
already
got
this
guy
configured
about
where
to
where
key
cloak
is
and
how
to
make
that
call
and
everything
and
in
the
same
token,
what
I
did
in
key
cloak
is.
We
just
did
service
to
service
we're
just
pretending
like
this
is
a
machine
to
machine
for
now.
B
So
it's
not
going
to
provision
me
a
bear
token.
I've
just
got
a
I've
just
got
a
Kong
ID
service
client.
Let
me
go
to
the
list
of
the
clients,
so
I've
got
a
realm
Kong,
Kong,
ID
and
then
I
went
over
and
grabbed
his
credentials
and
I
got
the
secret.
It's
already
seated
in
insomnia
for
me,
but
that
is
formerly
what
I
did
so
now
that
I've
got
the
now
I've
got
the
oadc
plugin
enabled
formally
speaking
when
I
go
to
insomnia
and
hit
the
request.
I
don't
have
any
auth
enabled.
B
So
this
should
throw
me
a
forbidden,
yeah,
401,
unauthorized,
okay,
so
oidc
is
enabled,
but
that's
not
very,
very
exciting.
We
need
to
do
some
authorization
stuff.
So
let's
do
that
so
for
authorization
for
this
Opa
piece.
What
we
need
to
do
is
we
need.
We
need
to
actually
we're
going
to
use
a
Opia
has
rest
endpoints
to
go
ahead
and
push
up
those
policies
to
this
engine
over
here
and
we
created
a
couple
of
them
for
you,
so
we're
gonna,
we
gotta
push
up.
We
gotta
push
one
up.
First,.
D
A
D
B
A
A
A
C
B
Forwarding
is
up,
and
we've
got
three
policies
here,
so
kind
of
wanted
to
demonstrate
just
the
flexibility
you
have
so
the
first
policy.
Let's
see
if
we
can
read
it
together,
I'm
gonna
widen
this
out.
So
what
it's
going
to
do
is
just
schema
validation
for
you,
meaning
that
any
any
graphql
queries
made
in
should
be
should
match
the
abstract
syntax
tree
for
that
you've
defined
for
that
back-end,
graphql
API.
A
B
Yeah,
so
what's
going
to
happen
is
so
this
is
yeah
it's
written
in
Rigo,
which
is
there.
It
is
their
per
that
one
called
proprietary,
but
it's
the
OPA
language
itself
and
it's
intended
to
help
you
build
decision
engines,
basically
build
hierarchical
decision
policies
and
all
of
the
abstract
policy
enforcement
away
from
your
your
code
itself
right.
B
So
what
the
other
thing
that's
really
nice
about
is
we
also
have
the
concept
of
Separation
concerns
where
we
want
to
have
our
governance
teams
and
our
development
teams
to
really
have
a
little
more
collaborative
experience
and
we're
starting
to
get
a
little
bit
of
that
when
we
use
Opa,
because
you
know
we
developed
what
a
lot
of
graphql
teams
have
to
do.
Is
they
have
to
do
this
authorization
inside
their
code
base?
But
you.
B
A
B
A
B
Yeah
yeah,
honestly,
that
would
be
kind
of
a
little
nice
anyways
as
a
developer,
but
I
feel
like
even
you
know,
it
is
a
double-edged
sword.
100
agree.
At
the
same
token,
it
is
a
little
nice
that
we
can
at
least
there's
a
little
bit
more
transparency
with
Rigo
in
the
sense
that
you
know
we
have
all
of
our
policies
hosted.
You
know
version
controlled
into
git
repository
with
styra.
We're
gonna
have
a
follow-up
webinar
on
this,
but
you
know:
there's
there's
the
whole
consideration
around
building
the
policy
testing.
B
A
D
B
Coined
yeah,
okay,
so
okay,
okay,
but
so
right
here
we
actually
have
one
main
decision.
The
default
is
not
to
allow
and
then
anything
that
happens
in
here
that
comes
out
true
is
allowed.
So
the
first
thing
is:
is
it
a
public
query
and
what
I
did
here
was
just
to
check
that
what
your
realm
access
was
so
basically
checking
the
claims
in
the
jot
token,
that
was
provisioned
in
that's.
What
these
kind
of
helper
functions
do
here
is
to
parse
it
and
then
check
what
role
you
have.
B
What,
in
that
token,
so
by
default,
key
cloak
gives
everybody
this
default
rosecon.
So
it's
just
kind
of
an
easy
way
to
give
permission
to
everybody
for
quick
start
testing
and
then
the
only
other
thing
it's
going
to
do
is
just
validate
query
valid.
Oh
here,
it
is
query.
Valid
is
just
checking
that
the
incoming
query
from
input
request,
HTTP,
parse
body,
query
very
long-
is
valid
using
the
schema,
which
is
a
string
up
top.
B
D
B
Way,
I
would
say
it,
but
it's
a
built-in
function
to
basically
convert
your
query,
your
incoming
queries
and
your
schema
into
an
abject
syntax
tree
so
that
we
can.
Basically,
then
you
know,
go
from
a
string
to
a
tree
which
is
something
like
a
tree
structure,
so
we
can
start
to
Traverse
it
with
what
we
need.
So
that's,
actually
what
these
built-in
functions
are
for.
Okay,.
D
B
B
B
Yeah
yeah
definitely,
and
so
this
one
is
just
saying
like
with
this.
What
this
function
is
doing
is
just
checking
if
the
incoming
request
query
is
valid
against
the
schema,
like
basically
schema
validation
is
a
valid,
but
we're
in
the
the
next
use
cases.
We're
actually
we'll
do
some
more
advanced
use
cases,
so
we
can
see
all
the
capabilities
that
are,
you
know
that
come
with
the
built-in
functions,
so
this.
D
B
B
We
have
three
policies.
We're
just
gonna.
Do
policy
number
number
one
this?
This
is
good.
This
is
a
200,
it
wasn't
an
error.
So
when
we
go
to
an
what
else
do
we
need
to
do?
Actually
we
pushed
up
the
policy,
the
first
policy,
but
we
also
need
to
enable
Opa
plug-in
at
the
Gateway.
So
let's
go
up
to
connect.
B
D
B
B
A
B
Yeah,
so
let's
let's
go
ahead
and
cause
a
failure,
so
I'm
just
gonna
do
characters,
so
this
is
schema.
Validation
is
what
we're
testing
so
I'm
going
to
do
something
like
farts
and
you
can
see.
This
is
a
403
Forbidden.
If
we
had
turned
it
off,
actually,
let's
go
ahead
and
do
it.
Let's
turn
it
off,
just
the
plug-in.
Where
is
that,
where
the
hell
so
I'm
saying
it's
too
complicated,
let's
just
turn
off
the
plug-in.
B
B
D
A
A
The
thing
about
security
is
that
you,
you
have
to
give
attacker
or
whatever
counterpart
as
less
information
as
possible
as
a
developer.
I
think
oh
I'm,
giving
my
users
not
enough
information
in
order
them
to
resolve
this
problem.
But
here's
we're
talking
about
security.
So
when
you
give
some
additional
information
like
oh
the
schema
doesn't
exist
or
you
know
try
to
check
your
email
or
things
like
that.
You
actually
giving
more
information
in
order
to
knit
hackers
to
explore
the
the
vulnerability
of
the
system.
B
Yep
and-
and
that's
just
the
so
that's
that's
the
most
basic,
but
there's
a
lot
of
other
problems
with
it's,
not
a
problem,
but
it's
a
Nuance
with
graphql
is
well.
Let's
say:
we've
got
two
people
Vic
Danny
Danny
is
currently
the
administrator.
So
I'm
allowed
I
have
super
power
privileges,
but
Vic
does
not.
D
B
B
So
we've
got
a
second
policy
and
it's
going
to
do
it's
slightly
more
advanced.
The
second
policy
is
going
to
not
just
check
that
you're
valid,
but
every
query
and
characters
is
going
we're
going
to
get
the
abstract
syntax
tree
back,
we're
going
to
go
through
every
every
character's
query
that
comes
in,
and
we
are
going
to
check
that
the
arguments
that
they
send
in
so
this
in
this
case,
filter
character,
is
a
variable
input.
Variable
argument:
where
is
insomnia
there?
B
It
is
this
filter
character
is
actually
something
that's
intended
to
be
as
intended
to
be
an
input
into
the
into
the
query
right.
It
could
actually
could
have
made
this
more
granular.
So
if
you
wanted
to
check
name
and
status
and
check
the
value
of
these
guys
as
well,
that
would
have
been
possible.
I
I
didn't
do
it
in
this
case,
but
we
do
have
another
example
of
doing
that.
So
this
is
saying:
hey
you
can
only
you
know
if
you
have
an
input,
that's
fine,
but
the
input
needs
to
be
filter
character.
D
B
B
B
B
Kind
of
of
these
helper
functions
were
the
reason
why
so
I
would
really
recommend
getting
in
there
and
taking
a
look
at
yourself,
because
you
can
see
what's
in
the
access
token,
so
that
you
just
don't
feel
like
you're,
totally
crazy,
fun
fact,
so
that
is
number
two
and
so
just
to
refresh
like
we
didn't
Opa
provides
the
built-in
functions
for
this
partisan
verify.
So
what
it
did
was
it
first
validated
that
the
incoming
query
was
legitimate,
so
the
schema
validation
is
still
there,
but
then
we
had
some
additional
validations.
B
We
wanted
to
do
and
that's
why
we
took
this
abstract,
abstract
syntax
tree,
and
then
we
built
arguments
against
it
and
then
so
in
here
we've
got
some
helper
functions
to
go
ahead
and
help
us
with
that
parsing.
So
this
helper
function
helps
us
walk
the
abstract
contest
tree
and
look
for
the
character's
query
and
then
we've
got
another
one
for
episodes.
We
didn't
use
it
yet,
but
we'll
use
it
in
the
next
set
and
then
we've
got
parsing
out
constants
parsing
out
variables.
You
could
have
parsed
out
inputs.
So
there's
a
lot.
A
I'm
just
checking
our
chat
window
I,
don't
see
anything
specifically
striking,
so,
okay,
what
I?
What
I
usually
say
it
looks
like
is
everything
is
clear
or
nothing
is
clear
and
when
there's
a
silence,
it's
very
difficult
to
distinguish
like
which
one
is
which
so,
hopefully,
everything
is
clear
on
on
our
front
or
we
just
like
Talking
to
Ourselves,
which
is
going
to
be
depressing.
People
just
make
some
noise
in
the
comments,
if
you
still
with
us.
B
A
Everybody
right
now,
yeah,
you
have
this
policies
of
they
kind
of
built
in
into
that
sodium,
not
the
policy
schemas
built
into
the
policy,
but
you
said
that
it's
possible
to
have
some
sort
of
like
a
schema
registry
or
or
whatnot
where
this
schemas
can
be.
You
know,
stored
and
just
like
pull
this
into
the
into
the
code.
B
For
Opa,
so
what
we
actually
do
need
to,
if
we
want
to
do
that,
for
the
plug-in
we
it
can
be
an
input,
so
it
could
also
have
been
like
you
know
how
we've
got
input
request
HTTP.
We
also
input
a
lot
of
the
other
information
that
we
have
like
Gateway
service
route
methods
in
order
for
it
to
be
a
part
of
the
Opa
we
actually,
if
we
wanted
to
do
that
for
us
for
our
plugin,
we
actually
have
to
have
like
another
input
available
to
abstract.
C
A
B
Cool
feature
request:
yep
yeah
feature
request:
okay,
yeah,
so
this
last
query
we're
just
expanding
on
it,
so
everybody
still
has
access
to
execute
the
characters.
Query
type
definition,
but
it's
not.
Everybody
should
have
access
to
episodes.
Only
someone
with
fake
access,
which
is
they
should
have
a
role
called
fake,
and
nobody
actually
has
this
role
because
I
didn't
set
it
up
in
key
cloak.
So
no
one
should
be
allowed
to
do
this.
So
if
we
go
to
insomnia.
A
B
Okay,
so
now
it
failed
so
I'm
going
to
take
away
the
episode
section,
because
I
don't
have
permission
to
execute
that
and
it
should
succeed
because
yeah
just
because
I
am
only
focused
on
the
character's
query,
not
the
episodes
query
and
if
I
had
a
role
before
the
fake
key
cloak
realm
roll
and
we
use
that
client,
ID
and
secret
Pro.
It
would
have
worked
instead,
but
so
that's
that's
the
state
of
the
Affairs
of
graphql
with
Cog
and
opa.
B
A
A
D
A
A
All
right,
cool,
hide
the
comments.
Let's
see,
if
you
have
any
other
comments
here,
oh
yes
and
our
helpers
Emily
who's
in
background
sending
you
links
you
can
find
this.
The
blog
post
I
just
put
this
on
the
screen,
so
you
can
do
screenshots.
We
need
it
next
time.
We
need
to
bring
the
QR
code,
so
we
can
like
show
the
QR
codes
and,
but
you
know
think
about
this
you're
doing
this
you're
watching
this
right
now
in
your
break.
A
A
We
can
talk
this
in
a
different
case
yeah,
so
we
don't
have
access
to
this
service
like
we
cannot
change
the
source
code
of
the
service
and
but
we
will
be
able
to
restrict
access
to
the
service
by
applying
all
those
those
policies
and
that's
I,
think
that's
that's
huge
in
in
terms
of
like
protecting
your
your
apis.
Every
time
when
the
people
say
like
why
I
need
a
Gateway,
I
can
Implement
all
these
things.
Yeah.
A
It's
depends
on
the
development
cycles
that
or
like
Sprints,
rather
right
so
to
implement
certain
pieces
of
functionality,
and
you
also
want
to
be
very
reactive
and
apply
different
rules,
because
your
requirements
on
restricting
access
can
change.
You
know
over
a
matter
of
hours
and
minutes
and
you
might
not
have
a
time
to
re-implement
everything
that
you
you
have
to
so
in
this
case,
applying
those
policies
on
the
fly
like
we
did.
A
You
know
you
can
first
of
all
apply
rate
limiting
based
on
the
token
or
validation
of
the
token,
and
only
after
that
pass
it
to
say
you
have
access
to
your
service
like
this
Rick
and
Morty
service,
and
you,
as
a
provider
of
this,
may
be
paying
yourself
you're
paying
for
the
service
you're,
not
just
like
getting
this
for
free.
So
you
can
reduce
number
of
requests
that
your
users
can
get
access
to
your
to
this
API.
So
so,
basically,
the
the
possibilities
are
enormous.
A
A
Some
of
the
tutorials,
some
of
the
videos
Tech
talks,
all
these
recordings
you
can
find
here
in
the
Quant
YouTube
channel
in
in
order
to
receive
everything.
So
the
only
thing
that
you
need
to
do
is
to
subscribe
to
this
channel
enable
notification
and
everything
will
be
delivered
to
your.
You
know.
Notification
notification
screen
over
here.
A
I
would
like
to
say
thanks
to
Danny
for
agreeing
doing
this
demo
with
me
write
down
in
comments.
If
you
want
to
see
more
videos
with
Danny
talking
about
some
some
cool
stuff
and
trust
me,
she
has
a
lot
of
things
to
talk
about
and
she
has
a
lot
of
cool
demos
too
to
demonstrate
so
it's
really
depends
on
your
desire.
A
We
also
in
in
this
streams,
who
also
accepting
requests
because
there's
a
something
that
it's
not
super
polish
and
you
can
see
like
I
thought
microbes
cluster
is
always
prepared,
but
things
like
you
know
the
budgeting
and
the
unpaid
bills
for
your
Cloud
providers.
I
hit
us
and
that's
why
you
know
you
know
we
would
not
be
able
to
run
this
on
on
my
account.
Also
tricon
connect.
It's
it's
pretty
cool
thing
to
to
do
so
with
this.
Let
me
last
last
call
for
question.
A
Okay,
so
there's
a
air
box
question.
So
can
you
run
con
locally
in
container?
Yes,
of
course
you
can
and
as
always
as
a
good
YouTuber,
it's
a
good
YouTuber
I
have
a
I
have
a
video
for
that
somewhere
somewhere
here.
If
you
scroll
down
like
almost
one
of
the
First
videos
that
I
did
when
I
joined
Quan,
it
was
built
a
demo
of
running
Quant
in
in
Docker,
and
where
is
it?
Where
is
it?
Where
is
it
launch?
A
B
A
A
A
So
yep
yep
yep
yep
and
thank
you
so
much
Emily
again
for
pasting
everything
into
our
chat.
So
it's
a
good
idea
to
follow,
chat
and
see
the
comments
all
right,
so
we're
almost
at
the
time
Denny
it's
it's
always
great
to
chatting
with
you.
It's
always
great
to
collaborate
with
you
on
certain
cool
cool,
Technologies,
I
hope
your
first
experience
being
a
part
of
the
Kong
Builders
was
pleasant
and
I
hope
I
will
see
you
in.
C
A
A
Forget
to
you
know,
smash
that
like
button
and
yes
and
move
this,
as
always,
my
name
is
Victor
Gamo.
Don't
forget
to
subscribe
to
this
YouTube
channel
like
subscribe.
I
will
put
every
buttons
like
make
it
cringe,
but
you
know
you
need
to
subscribe
and
with
this
my
name
is
Victor
gamof
and,
as
always,
have
a
nice
day.