
Authentication at the Edge

Andrew Betts
September 13, 2018


Transcript

  1. Who is this guy
     • Developer advocate and product manager at Fastly
     • Previously Financial Times and Nikkei (Japan)
     • Elected to the W3C Technical Architecture Group
     • Started out as an intern developer in the UK air traffic control service (NATS)
  2. Authentication methods
     • IP address
     • HTTP auth
     • Username/password
     • Single use tokens
     • Single sign-on / OAuth / "Login with Google"
     • Code generators (TOTP / 2FA)
  3. IP based authentication (sequence diagram: User, Fastly, Origin; fiddle.fastlydemo.net/fiddle/ce76d16c)
     A user in a recognised location accesses a page. The user's IP is readable at the edge as client.ip.
       User → Fastly: GET /home/us
       Fastly consults an Edge Dictionary keyed by client IP and sets an upstream header:
         table ip_special {
           "23.65.123.7": "name=Hels..",
           ...
         }
       Fastly → Origin: GET /home/us, Fastly-ID: premium-ip
       Origin → Fastly: 200 OK, Vary: Fastly-ID (two variants are stored in the cache, one per Fastly-ID value)
       Fastly → User: 200 OK, Set-Cookie: ip_special=name=Helsinki%20Air...
     The user receives the premium content, and the short-lived cookie carries additional edge metadata that enables client-side progressive enhancement.
  4. Maintaining state with edge-managed cookies
     Between the user and the edge, identity persists as a cookie:
       Cookie: auth=fgt983tgc9vtSFiw4H9asdfF
     Between the edge and the origin, identity persists as headers:
       Fastly-ID: 12565
       Fastly-User-Name: Andrew
     The origin varies its response on the identity header, so each identity gets its own cached variant:
       Vary: Fastly-ID
       Fastly-ID: 12565
  5. Maintaining state with edge-managed cookies (sequence diagram: User, Fastly, Auth service, Content service; fiddle.fastlydemo.net/fiddle/c249a659)
     Get the login form:
       User → Fastly: GET /auth
       Fastly → User: 200 OK
     Submit the login form, get a session cookie and a redirect to the homepage:
       User → Fastly: POST /auth/login
       Fastly → Auth service: POST /auth/login
       Auth service → Fastly: 200 OK, Auth-Result: VALID, Auth-Data: {id:372635, level:"Subscriber", name:"Alice"}
       Fastly → User: 307 Temporary Redirect, Location: /home, Set-Cookie: auth=#########
     Load the homepage, get the Subscriber-only version:
       User → Fastly: GET /home, Cookie: auth=#########
       Fastly → Content service: GET /home, Auth-ID: 372635, Auth-Level: Subscriber, Auth-Name: Alice
       Content service → Fastly: 200 OK, Vary: Auth-Level
       Fastly → User: 200 OK
  6. Time limited URL tokens (sequence diagram: User, Fastly, Static assets; fiddle.fastlydemo.net/fiddle/a04d81ca)
       User → Fastly: GET /vid.mp4?token=9734536_jf948fhw0th04htnfpbsnwp9te
     At the edge:
       - Check the signature matches the URL
       - Check IP / User-Agent / Referrer
       - Check the timestamp is still valid
       - Strip the token from the URL
       Fastly → Static assets: GET /vid.mp4
       Static assets → Fastly: 200 OK
       Fastly → User: 200 OK
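The checks in slide 6 are easy to get subtly wrong (non-constant-time comparison, a signature that does not cover the path, a token left in the cache key). The following is an added example, not code from the deck or from Fastly: a Python stand-in for the logic that the deck implements in VCL at the edge. It assumes a token of the form <expiry>_<hex HMAC>, a shared secret held by both the origin (which mints URLs) and the edge (which checks them), and that the client IP is bound into the signature rather than checked separately; all three are assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed secret for this example. In practice the origin that mints
# tokens and the edge that verifies them share this value (for example via
# an Edge Dictionary); it must never be derivable from anything the client sees.
SECRET = b"example-shared-secret-do-not-use"


def _signature(secret: bytes, path: str, expiry: int, client_ip: str) -> str:
    """HMAC-SHA256 over path, expiry and client IP (assumed token contents).

    Binding the IP means a leaked URL is useless from another address. The
    same message could also carry User-Agent or Referrer if those are checked.
    """
    message = f"{path}\n{expiry}\n{client_ip}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_url(secret: bytes, path: str, client_ip: str, ttl: int = 3600,
             now: Optional[int] = None) -> str:
    """Origin side: append a token of the form <expiry>_<hex signature>."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl
    token = f"{expiry}_{_signature(secret, path, expiry, client_ip)}"
    return f"{path}?token={token}"


def verify_and_strip(secret: bytes, url: str, client_ip: str,
                     now: Optional[int] = None):
    """Edge side: returns (allowed, reason, url_without_token).

    Order mirrors the slide: signature against the URL (which here also
    covers the client IP), then the timestamp, then strip the token so that
    neither the cache key nor the upstream request ever contains it.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [value for key, value in query if key == "token"]
    if len(tokens) != 1:
        return False, "missing or duplicate token", None
    expiry_text, _, sig = tokens[0].partition("_")
    if not expiry_text.isdigit() or not sig:
        return False, "malformed token", None
    expiry = int(expiry_text)
    expected = _signature(secret, parts.path, expiry, client_ip)
    # Constant-time comparison; never compare MACs with == at the edge.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature", None
    if now >= expiry:
        return False, "expired", None
    remaining = [(key, value) for key, value in query if key != "token"]
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(remaining), parts.fragment))
    return True, "ok", clean


if __name__ == "__main__":
    signed = sign_url(SECRET, "/vid.mp4", "203.0.113.5", ttl=60)
    print(signed)
    print(verify_and_strip(SECRET, signed, "203.0.113.5"))
    print(verify_and_strip(SECRET, signed, "198.51.100.9"))  # wrong IP
```

Because the path is part of the signed message, a token minted for /vid.mp4 cannot be reused for another asset, and because the token is stripped before the upstream fetch, one cached object serves every user who presents a valid token.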
  7. Single sign on (sequence diagram: User, Fastly, Auth provider, Content service; fiddle.fastlydemo.net/fiddle/e405f025)
     User wants to log in:
       User → Fastly: GET /login
     Negotiate with the third party, get a token:
       User → Auth provider: GET https://account.google.com/sso?...
     Send the token to Fastly, get a session cookie and a redirect to the article page:
       User → Fastly: GET /session?code=d8g...
       Fastly verifies the ID token using the auth provider's published certificates
       Fastly → User: 307 Temporary Redirect, Set-Cookie: auth=jsfu38vsjneruigereer..., Location: /article/kittens
     Load the article with the session cookie:
       User → Fastly: GET /article/kittens
       Fastly → Content service: GET /article/kittens
       Content service → Fastly: 200 OK
       Fastly → User: 200 OK
  8. Authorization criteria
     • Identified
     • Level (basic, premium)
     • Group membership
     • Credit balance
     • Environmental/external (territorial rights, time)
  9. Intersecting groups (sequence diagram: User, Fastly, Origin)
       User → Fastly: GET /article/kittens, Cookie: auth=iuf34t89qw9a8hvaa...
     A logged-in user attempts to view content. Using the cookie, the edge can determine their groups (the diagram lists the group labels std-premium, 7club, uk, eu and gdpr).
       Fastly → Origin: GET /article/kittens
       Origin → Fastly: 200 OK, Require-Groups: std-premium 7club
     Because the content requires a group membership that the user has, access is allowed:
       Fastly → User: 200 OK
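Slides 5 and 9 both depend on the edge turning an opaque cookie into trusted identity headers and then applying an authorization rule to them. The following is an added example, not code from the deck or from Fastly: a Python stand-in for that edge logic. It assumes a cookie format of base64url(JSON identity) "." hex HMAC signed with a secret only the edge holds, a space-separated Require-Groups header with "any of" semantics (the slide says the user has a group the content requires), and a Subscriber identity constructed from the values on slide 5. The security-relevant step it shows is that identity headers arriving from the client are stripped before the cookie is consulted, so a user cannot claim a level by sending the header directly.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret known only to the edge (assumption: held in an Edge
# Dictionary or similar); the client never sees it.
COOKIE_SECRET = b"example-cookie-secret-do-not-use"

# Identity headers the edge sets for the origin. Any header with one of these
# names (compared case-insensitively, as HTTP requires) that arrives from the
# client is dropped before the cookie is consulted.
IDENTITY_HEADERS = ("Auth-ID", "Auth-Level", "Auth-Name", "Auth-Groups")
_IDENTITY_LOWER = {name.lower() for name in IDENTITY_HEADERS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session_cookie(secret: bytes, identity: dict) -> str:
    """Auth service result -> tamper-evident cookie value (assumed format)."""
    payload = _b64(json.dumps(identity, separators=(",", ":")).encode())
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def read_session_cookie(secret: bytes, cookie: str) -> Optional[dict]:
    """Returns the identity dict, or None if the cookie is absent or forged."""
    payload, _, mac = cookie.partition(".")
    if not payload or not mac:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    try:
        identity = json.loads(_unb64(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    return identity if isinstance(identity, dict) else None


def parse_cookie_header(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def edge_request_headers(secret: bytes, client_headers: dict) -> dict:
    """Rewrite the client's request headers into what the origin should see.

    Cookie in, identity headers out (slide 5). Client-supplied copies of the
    identity headers are removed unconditionally, whether or not a valid
    cookie is present.
    """
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in _IDENTITY_LOWER}
    cookie_header = next((v for k, v in headers.items()
                          if k.lower() == "cookie"), "")
    identity = read_session_cookie(
        secret, parse_cookie_header(cookie_header).get("auth", ""))
    if identity:
        headers["Auth-ID"] = str(identity.get("id", ""))
        headers["Auth-Level"] = str(identity.get("level", ""))
        headers["Auth-Name"] = str(identity.get("name", ""))
        headers["Auth-Groups"] = " ".join(identity.get("groups", []))
    return headers


def group_check_allows(require_groups_header: str, user_groups) -> bool:
    """Slide 9: allow when the user holds at least one required group.

    Assumption: Require-Groups is space-separated with "any of" semantics,
    and a missing or empty header means the content is not group-restricted.
    """
    required = set(require_groups_header.split())
    return not required or bool(required & set(user_groups))


if __name__ == "__main__":
    alice = {"id": 372635, "level": "Subscriber", "name": "Alice",
             "groups": ["std-premium", "uk"]}
    cookie = mint_session_cookie(COOKIE_SECRET, alice)
    upstream = edge_request_headers(
        COOKIE_SECRET, {"Cookie": "auth=" + cookie, "Auth-Level": "Admin"})
    print(upstream)
    print(group_check_allows("std-premium 7club", upstream["Auth-Groups"].split()))
```

The origin can then vary on Auth-Level or Auth-Groups exactly as the deck shows, because those headers now only ever come from the edge.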
  10. Metered paywall (sequence diagram: User, Fastly, Paywall service, Content service)
     Request a protected article:
       User → Fastly: GET /article/kittens, Cookie: auth=########
       Fastly → Content service: GET /article/kittens
       Content service → Fastly: 200 OK, Paywall: https://.../check?id=93535&mode=meter&level=1
     Decode the user cookie, add the user id to the request, and restart:
       Fastly → Paywall service: GET /check?id=93535&mode=meter&level=1, Auth-User: 12345
       Paywall service → Fastly: 200 OK, Paywall-Result: ALLOW, Paywall-Meta: {remain:5, total:10}
     Restart to recover the requested article from cache:
       Fastly → Content service: GET /article/kittens (served from cache)
     Article delivered with a cookie containing paywall data for use in the UI:
       Fastly → User: 200 OK, Set-Cookie: p={remain:5, total:10}; max-age=10
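The paywall service in slide 10 is where the metering decision actually lives; the edge only relays the user id and the origin's Paywall instruction. The following is an added example, not code from the deck or from Fastly: a Python model of that service plus the edge-side glue. It assumes a fixed quota of distinct articles per level within a metering window, that re-reading an article does not consume a view, and that unknown modes and levels fail closed; the in-memory store, the window length and the 402 status for a denied request are all assumptions for the example. Unlike the slide's shorthand cookie, the meter data is percent-encoded, because RFC 6265 does not allow commas, quotes or semicolons in a cookie value.

```python
import json
import time
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit


class PaywallService:
    """Stand-in for the /check endpoint in slide 10 (constructed example)."""

    def __init__(self, quota_by_level: dict, window_seconds: int = 30 * 24 * 3600):
        self.quota_by_level = quota_by_level      # level -> free distinct articles
        self.window_seconds = window_seconds
        self._reads = {}  # user id -> {article id: timestamp of first read}

    def check(self, user_id: str, article_id: str, level: int,
              mode: str = "meter", now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        quota = self.quota_by_level.get(level, 0)  # unknown level -> quota 0
        if mode != "meter":
            # Only metering is modelled here; anything else fails closed.
            return {"Paywall-Result": "DENY",
                    "Paywall-Meta": {"remain": 0, "total": quota}}
        reads = self._reads.setdefault(user_id, {})
        # Forget reads that have fallen out of the metering window.
        for stale in [a for a, t in reads.items() if now - t >= self.window_seconds]:
            del reads[stale]
        if article_id not in reads:
            if len(reads) >= quota:
                return {"Paywall-Result": "DENY",
                        "Paywall-Meta": {"remain": 0, "total": quota}}
            reads[article_id] = now
        return {"Paywall-Result": "ALLOW",
                "Paywall-Meta": {"remain": quota - len(reads), "total": quota}}


def paywall_cookie(meta: dict, max_age: int = 10) -> str:
    """Set-Cookie value carrying the meter state for the UI (slide 10)."""
    encoded = quote(json.dumps(meta, separators=(",", ":")), safe="")
    return f"p={encoded}; max-age={max_age}"


def edge_serve(paywall: PaywallService, auth_user: str, paywall_header: str,
               cached_article: str, now: Optional[float] = None):
    """Edge logic after the origin responded with a Paywall header.

    Parses the check URL the origin supplied, calls the paywall service with
    the user id from the (already validated) session, and either serves the
    cached article with the meter cookie or returns 402 (assumed status).
    """
    params = dict(parse_qsl(urlsplit(paywall_header).query))
    article_id = params.get("id", "")
    try:
        level = int(params.get("level", "0"))
    except ValueError:
        level = 0
    if not auth_user or not article_id:
        return 402, None, None  # fail closed on missing identity or id
    result = paywall.check(auth_user, article_id, level,
                           params.get("mode", ""), now=now)
    cookie = paywall_cookie(result["Paywall-Meta"])
    if result["Paywall-Result"] != "ALLOW":
        return 402, None, cookie
    return 200, cached_article, cookie


if __name__ == "__main__":
    service = PaywallService({1: 10})
    for n in range(11):
        status, _, cookie = edge_serve(
            service, "12345",
            f"https://paywall.example/check?id={n}&mode=meter&level=1",
            "<article/>")
        print(n, status, cookie)
```

Reloading the same article returns the same remain count, and the eleventh distinct article in the window is denied while the cookie still tells the UI why.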
  11. Summary
     • Identity and authorization can be the most complex parts of your app
     • Many different ways to do this
     • Browser technologies are changing established patterns
     • Using edge logic improves performance and security, and simplifies architecture
     • Try using Fastly for your identity and access use case!