Why this topic matters
GraphQL and modern auth are a powerful combination because they compress discovery, object access and delegated trust into a very small interface. That makes subtle mistakes extremely scalable.
Operator checks
- Check whether introspection, schema documentation and error handling leak too much structure.
- Audit token issuance, storage, algorithm selection, key rotation and claim handling under alternate roles.
- Model OAuth and OIDC as delegated trust, not just login. Scopes, audiences and consent boundaries matter.
- Test batching, nested queries and resolver-level authorization separately from top-level route checks.
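As an added example (not code from this note or from PortSwigger), this is the verifier-side discipline the token check above calls for: the algorithm is pinned by the server rather than read from the header, `kid` is resolved against a key set that models a rotation window, and `iss`, `aud` and `exp` are enforced before any claim is trusted. The key set, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json
# Constructed key set (kid -> HMAC secret): two keys are live during a rotation window; retired keys are removed.
KEYS = {"2024-01": b"previous-rotation-secret", "2024-02": b"current-secret"}
EXPECTED_ISS = "https://issuer.example"  # assumed issuer
EXPECTED_AUD = "graphql-api"             # assumed audience of this API
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims: dict, kid: str) -> str:
    """Issuer side: sign claims with HS256 under key `kid` (demo only)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, now: float) -> dict:
    """Verifier side: return the claims only if every check passes, else raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as e:  # wrong part count, bad base64, bad JSON or non-object parts
        raise ValueError("malformed token") from e
    if header.get("alg") != "HS256":  # algorithm is pinned by the verifier, never read from the header
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown or retired kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # a token minted for a different API is not accepted here
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims
def rejects(token: str, now: float) -> bool:  # True if verify() refuses the token
    try:
        verify(token, now)
    except ValueError:
        return True
    return False
```

Running `verify` against tokens minted under each live `kid`, under an expired `exp`, under another API's `aud`, and with the header or payload altered after signing shows which of the failure modes listed above this code actually closes.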
Reporting lens
Write findings in terms of trust crossed, scope enlarged and business or operational effect reached. That keeps the note useful whether you are validating a lab, an internal research target or a live customer environment.
Curated public references
- PortSwigger · GraphQL: GraphQL discovery and attack patterns.
- PortSwigger · JWT: token structure and implementation failure modes.
- OpenID Connect Core: OIDC semantics and claims.
