
Evolving Auth0's architecture: From 0 to 2.5+ billion logins per month in 5 years


In recent years, we’ve seen the emergence of a new form of technology scale. Today’s emerging technologies—which rapidly grow to millions of users—don’t sell products or services. Instead they build a platform on which others can create value. However, these new platforms often fail because the design and growth strategies involved in building them are complex, resource intensive, and expensive to scale. Despite this massive challenge, many companies in the identity and access management (IAM) and customer identity and access management (CIAM) space are still building their own IDaaS platform internally—and oftentimes failing to achieve their goals.

Damian Schenkelman dives into the complexities, resources, and scalability challenges Auth0 has faced in creating an IDaaS platform that securely manages more than 2.5 billion logins per month. You’ll explore specific scenarios including scaling password hashing, user search, and designing across multiple cloud regions, among others.

Damian Schenkelman

February 25, 2020

Transcript

  1. Evolving Auth0's architecture: From 0 to 2.5+ billion logins per month in 5 years. Damian Schenkelman, Principal Engineer @ Auth0

  2. Auth0 User Auth0 Customer App

  3. 2014-2019

  4. Auth0 keeps going

  5. Ideal

  6. Pragmatic

  7. Lay of the land: Scale Reliability Security User Management Protocols Session Management Authorization Anomaly Detection User Search Identity Providers Auditing Credential Stuffing Trust Pillars Features Experiences UIs Support SDKs Docs APIs

  8. Stories

  9. Environments

  10. Single Region AZ 1 AZ 2 AZ 3 AWS Region

  11. Multi Region Failover AWS Region Main AWS Region

  12. Worldwide

  13. Scale

  14. Latency

  15. Failure Domains

  16. Data Sovereignty

  17. Cost

  18. IAM

  19. User Search

  20. email.domain:auth0.com AND logins_count:[0 TO 10}

  21. plan:"pro"

  22. theme:"butterflies"

  23. 2013 MongoDB as the database Expose search

  24. “The code”

    ```javascript
    if (opts.search) {
      var searchFilter = { $or: [
        { name: {'$regex': opts.search, '$options': 'i'} },
        { email: {'$regex': opts.search, '$options': 'i'} }
      ]};
      queryDocument = {$and: [queryDocument, searchFilter]};
    }
    ```

  25. 2015: Case insensitive performance issues. Inability to search on metadata. Move to ElasticSearch

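The slide 24 filter hands `opts.search` to `$regex` as-is, so whatever the caller types is interpreted as a pattern, not as the literal substring the search box implies. The block below is an added example, not code from the deck or from Auth0: it keeps the same `$or` shape but escapes regex metacharacters and bounds the length, and it evaluates the resulting pattern locally against constructed sample users so the difference is visible without a database. `MAX_SEARCH_LENGTH`, `escapeRegex`, `searchUsers` and the sample data are assumptions made for the example.

```javascript
// Added example (not from the deck): hardened version of the slide 24 search filter.
// Same $or / $regex / $options shape, but the search string is treated as a literal.

const MAX_SEARCH_LENGTH = 64; // assumed limit; pick one that fits the UI

// Escape every character that has special meaning in a regular expression
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build the filter the way the slide does, from an escaped and bounded string
function buildSearchFilter(search) {
  if (typeof search !== 'string' || search.length === 0) return null;
  if (search.length > MAX_SEARCH_LENGTH) throw new Error('search string too long');
  const pattern = escapeRegex(search);
  return {
    $or: [
      { name: { $regex: pattern, $options: 'i' } },
      { email: { $regex: pattern, $options: 'i' } },
    ],
  };
}

// Evaluate the filter against plain objects using the same pattern and options
// that would be sent to MongoDB. Constructed stand-in for the database query.
function matchesFilter(filter, doc) {
  return filter.$or.some(clause => {
    const [field, cond] = Object.entries(clause)[0];
    const re = new RegExp(cond.$regex, cond.$options);
    return typeof doc[field] === 'string' && re.test(doc[field]);
  });
}

// Constructed sample data: note the 'a.b' / 'axb' pair, which an unescaped
// pattern 'a.b' would both match
const SAMPLE_USERS = [
  { name: 'Ada Lovelace', email: 'ada@example.com' },
  { name: 'a.b', email: 'dot@example.com' },
  { name: 'axb', email: 'x@example.com' },
];

// Names of the users matching a search string (empty input matches nothing)
function searchUsers(search, users = SAMPLE_USERS) {
  const filter = buildSearchFilter(search);
  if (!filter) return [];
  return users.filter(u => matchesFilter(filter, u)).map(u => u.name);
}
```

Escaping does not fix the index problem the slide names: a case-insensitive `$regex` still cannot use a normal index, which is part of why the story continues with a dedicated search backend. It only makes sure the caller controls the text being searched for, not the pattern being executed.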
  26. Architecture: User Data, Auth0 Authentication API, User Store, Auth0 User Search API, Indexer, Kinesis

  27. 2017: Overly permissive syntax. High cardinality keys affected ES. Move to Postgres

  28. Cardinality

    ```json
    "zipCodes": { "98004": 1234, "98005": 5678 }
    ```

    ```json
    "zipCodes": [
      { "value": "98004", "mapping": 1234 },
      { "value": "98005", "mapping": 5678 }
    ]
    ```

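Why the second shape on slide 28 matters for the "high cardinality keys" problem named on slide 27: in the keyed form every distinct zip code becomes a new field name, so an index that keeps a mapping entry per field grows with the data, while the array form only ever has the two field names `value` and `mapping`. The block below is an added example, not code from the deck or from Auth0: it converts between the two shapes and counts distinct field paths over a constructed set of users as a simplified model of such a mapping. The helper names and the sample data are assumptions.

```javascript
// Added example (not from the deck): the two shapes of the slide 28 zipCodes field.

// keyed form -> array form: { "98004": 1234 } becomes [{ value: "98004", mapping: 1234 }]
function toValueMappingArray(keyed) {
  return Object.entries(keyed).map(([value, mapping]) => ({ value, mapping }));
}

// array form -> keyed form (the inverse)
function fromValueMappingArray(arr) {
  return Object.fromEntries(arr.map(({ value, mapping }) => [value, mapping]));
}

// Number of distinct field paths across a set of documents. Simplified model of
// an index that keeps one mapping entry per field name; array elements do not
// add a path component, object keys do.
function distinctFieldPaths(docs) {
  const paths = new Set();
  const walk = (node, prefix) => {
    if (Array.isArray(node)) {
      node.forEach(item => walk(item, prefix));
    } else if (node && typeof node === 'object') {
      for (const [key, child] of Object.entries(node)) {
        const path = prefix ? `${prefix}.${key}` : key;
        paths.add(path);
        walk(child, path);
      }
    }
  };
  docs.forEach(doc => walk(doc, ''));
  return paths.size;
}

// Constructed sample: 1000 users, each with a different zip code
const KEYED_USERS = Array.from({ length: 1000 }, (_, i) => ({
  zipCodes: { [String(90000 + i)]: i },
}));
const ARRAY_USERS = KEYED_USERS.map(u => ({ zipCodes: toValueMappingArray(u.zipCodes) }));

// Field paths each shape needs: keyed grows with the data, array stays fixed
function fieldPathsByShape() {
  return {
    keyed: distinctFieldPaths(KEYED_USERS),   // 1001: zipCodes + one per zip code
    array: distinctFieldPaths(ARRAY_USERS),   // 3: zipCodes, zipCodes.value, zipCodes.mapping
  };
}
```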
  29. Import

  30. Search

  31. Partitioning Users: Single Tenant Partition 1 … Single Tenant Partition N, Multi Tenant Partition 1 … Multi Tenant Partition N

  32. Tap Compare https://zachholman.com/talk/move-fast-break-nothing/

  33. Password Hashing

  34. Initial Scenario: Client, Access Token, Username + Password, Auth0 Authentication API, Auth0 Identity Provider, Users Store

  35. Expected

  36. Actual

  37. Flamegraph

  38. Bcrypt Is designed to be slow…

  39. Tradeoffs

  40. Bcrypt Service

  41. End Scenario: Client, Access Token, Username + Password, Auth0 Authentication API, Auth0 Identity Provider, Users Store, bcrypt service

  42. Extensibility

  43. Kernel / Userland

  44. Pipeline

  45. Pipeline

  46. Extensibility

  47. Webhooks

  48. Simple

  49. Limit resources

  50. Quarantine

  51. Pre-emptive termination

  52. Architecture: Warm Pool, Runtime, Management API, Webtask Store, code + data, response

  53. Field enablement

  54. Discovery

  55. Continuous Authentication

  56. Targeted attacks

  57. Credential Stuffing Leaked Credentials Access Attempts

  58. In Numbers

  59. Trusted IPs 129.31.55.2

  60. New device

  61. Impossible travel

  62. Impossible travel

  63. ! Impossible travel

  64. Signals

  65. Extensible

    ```javascript
    const confidence = context.anomalyDetection && context.anomalyDetection.confidence || 'low';
    if (confidence === 'low') { /* block */ }
    if (confidence === 'medium') { /* ask for mfa */ }
    ```

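How the signals on slides 59 to 63 (trusted IPs, new device, impossible travel) can become the `context.anomalyDetection.confidence` value that the slide 65 snippet consumes. The block below is an added example, not code from the deck or from Auth0's scoring service: the impossible-travel check is a haversine distance divided by elapsed time, and the rules that map signals to a confidence level, the speed threshold, the field names and the sample login history are all assumptions. The trusted address is the one shown on slide 59; the policy function mirrors the slide 65 code, including the `'low'` default when no score is present.

```javascript
// Added example (not from the deck): signals -> confidence -> action.

const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_SPEED_KMH = 1000; // assumed: faster than an airliner = impossible travel

// Great-circle (haversine) distance in km between two { lat, lon } points
function distanceKm(a, b) {
  const toRad = deg => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Impossible travel: the user would have had to move faster than the threshold
// between the previous login and this attempt. time is epoch milliseconds.
function isImpossibleTravel(previous, current) {
  if (!previous) return false;
  const km = distanceKm(previous.geo, current.geo);
  if (km < 1) return false;                       // same place, nothing to explain
  const hours = (current.time - previous.time) / 3600000;
  if (hours <= 0) return true;                     // different place, no time elapsed
  return km / hours > MAX_PLAUSIBLE_SPEED_KMH;
}

// Assumed rules: trusted IP outranks everything; impossible travel -> low;
// unseen device -> medium; otherwise high.
function scoreAttempt(attempt, history, trustedIps) {
  const signals = {
    trustedIp: trustedIps.has(attempt.ip),
    newDevice: !history.some(h => h.deviceId === attempt.deviceId),
    impossibleTravel: isImpossibleTravel(history[history.length - 1], attempt),
  };
  let confidence;
  if (signals.trustedIp) confidence = 'high';
  else if (signals.impossibleTravel) confidence = 'low';
  else if (signals.newDevice) confidence = 'medium';
  else confidence = 'high';
  return { anomalyDetection: { confidence, signals } };
}

// The policy from slide 65: a missing score is treated as 'low'
function decideAction(context) {
  const confidence = (context.anomalyDetection && context.anomalyDetection.confidence) || 'low';
  if (confidence === 'low') return 'block';
  if (confidence === 'medium') return 'mfa';
  return 'allow';
}

// Constructed sample data
const TRUSTED_IPS = new Set(['129.31.55.2']);      // address from slide 59
const NEW_YORK = { lat: 40.7128, lon: -74.006 };
const LONDON = { lat: 51.5074, lon: -0.1278 };
const HOUR = 3600000;
const T0 = Date.UTC(2020, 1, 25, 9, 0, 0);
const HISTORY = [{ deviceId: 'laptop-1', ip: '203.0.113.5', geo: NEW_YORK, time: T0 }];

// Convenience wrapper: action for one attempt against the sample history
function evaluate(attempt) {
  return decideAction(scoreAttempt(attempt, HISTORY, TRUSTED_IPS));
}
```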
  66. Scoring Model: Client Credentials, Auth0 Authentication API, Kinesis, Logs, Enhance Logs, Kinesis, Anonymized Auth Attempts, Scoring Service

  67. Good behavior

  68. Bad Behavior

  69. In Conclusion

  70. None
  71. Thanks Damian Schenkelman @dschenkelman

  72. Rate this session