Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolving Auth0's architecture: From 0 to 2.5+ billion logins per month in 5 years

Damian Schenkelman
February 25, 2020
Programming
1
750

Evolving Auth0's architecture: From 0 to 2.5+ billion logins per month in 5 years

In recent years, we’ve seen the emergence of a new form of technology scale. Today’s emerging technologies—which rapidly grow to millions of users—don’t sell products or services. Instead they build a platform on which others can create value. However, these new platforms often fail because the design and growth strategies involved in building them are complex, resource intensive, and expensive to scale. Despite this massive challenge, many companies in the identity and access management (IAM) and customer identity and access management (CIAM) space are still building their own IDaaS platform internally—and oftentimes failing to achieve their goals.

Damian Schenkelman dives into the complexities, resources, and scalability challenges Auth0 has faced in creating an IDaaS platform that securely manages more than 2.5 billion logins per month. You’ll explore specific scenarios including scaling password hashing, user search, and designing across multiple cloud regions, among others.

Damian Schenkelman

February 25, 2020
Tweet

More Decks by Damian Schenkelman

See All by Damian Schenkelman
Identidad en Web3
dschenkelman
0
260
Demo Identidad en Web3
dschenkelman
1
120
Deep Dive Into Google Zanzibar and its Concepts for Authorization Scenarios
dschenkelman
1
1.1k
Authorization is on the rise. What if there was an API for it?
dschenkelman
0
99
All About AuthZ
dschenkelman
1
350
Remote work at Auth0
dschenkelman
0
130
El camino a SRE
dschenkelman
0
150
IDaaS at Scale - From 0 to 2.5B+ logins/month (Auth0 Webinar)
dschenkelman
0
60
IDaaS at Scale - Nardoz BA
dschenkelman
0
170

Other Decks in Programming

See All in Programming
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
670
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
700
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
2
180
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
230
SIMD Parallel Programming with the Vector API
josepaumard
0
170
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
250
"config" ってなんだ? / What is "config"?
okashoi
0
240
GitHub Copilotのススメ
marcy731
1
200
VS Code をプロダクトにどう取り込むか
onomax
1
360
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
370
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.4k

Featured

See All Featured
Facilitating Awesome Meetings
lara
42
5.6k
What the flash - Photography Introduction
edds
64
11k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Building an army of robots
kneath
300
41k
The Invisible Customer
myddelton
114
12k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
Adopting Sorbet at Scale
ufuk
68
8.6k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Practical Orchestrator
shlominoach
182
9.7k
Happy Clients
brianwarren
92
6.4k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k

Transcript

  1. Evolving Auth0's architecture From 0 to 2.5+ billion logins per

    month in 5 years Damian Schenkelman Principal Engineer @ Auth0

  2. Auth0 User Auth0 Customer App

  3. 2014-2019

  4. Auth0 keeps going

  5. Ideal

  6. Pragmatic

  7. Lay of the land Scale Reliability Security User Management Protocols

    Session Management Authorization Anomaly Detection User Search Identity Providers Auditing Credential Stuffing Trust Pillars Features Experiences UIs Support SDKs Docs APIs

  8. Stories

  9. Environments

  10. Single Region AZ 1 AZ 2 AZ 3 AWS Region

  11. Multi Region Failover AWS Region Main AWS Region

  12. Worldwide

  13. Scale

  14. Latency

  15. Failure Domains

  16. Data Sovereignty

  17. Cost

  18. IAM

  19. User Search

  20. email.domain:auth0.com AND logins_count:[0 TO 10}

  21. plan:"pro"

  22. theme:"butterflies"

  23. 2013 MongoDB as the database Expose search

  24. “The code” if (opts.search) { var searchFilter = { $or:

    [ { name: {'$regex': opts.search, '$options': 'i'} }, { email: {'$regex': opts.search, '$options': 'i'} } ]}; queryDocument = {$and: [queryDocument, searchFilter]}; }

  25. 2015 Case insensitive performance issues Inability to search on metadata

    Move to ElasticSearch

  26. Architecture User Data Auth0 Authentication API User Store Auth0 User

    Search API Indexer Kinesis

  27. 2017 Overly permissive syntax High cardinality keys affected ES Move

    to Postgres

  28. Cardinality "zipCodes": { "98004": 1234, "98005": 5678, } "zipCodes": [

    { "value": "98004", "mapping": 1234 }, { "value": "98005", "mapping": 5678 } ]

  29. Import

  30. Search

  31. Partitioning Users Single Tenant Partition N Single Tenant Partition 1

    Multi Tenant Partition N Multi Tenant Partition 1

  32. Tap Compare https://zachholman.com/talk/move-fast-break-nothing/

  33. Password Hashing

  34. Initial Scenario Client Access Token Username + Password Auth0 Authentication

    API Auth0 Identity Provider Users Store

  35. Expected

  36. Actual

  37. Flamegraph

  38. Bcrypt Is designed to be slow…

  39. Tradeoffs

  40. Bcrypt Service

  41. End Scenario Client Access Token Username + Password Auth0 Authentication

    API Auth0 Identity Provider Users Store bcrypt service

  42. Extensibility

  43. Kernel / Userland

  44. Pipeline

  45. Pipeline

  46. Extensibility

  47. Webhooks

  48. Simple

  49. Limit resources

  50. Quarantine

  51. Pre-emptive termination

  52. Architecture Warm Pool Runtime Management API Webtask Store code +

    data response

  53. Field enablement

  54. Discovery

  55. Continuous Authentication

  56. Targeted attacks

  57. Credential Stuffing Leaked Credentials Access Attempts

  58. In Numbers

  59. Trusted IPs 129.31.55.2

  60. New device

  61. Impossible travel

  62. Impossible travel

  63. ! Impossible travel

  64. Signals

  65. Extensible const confidence = context.anomalyDetection && context.anomalyDetection.confidence || 'low'; if

    (confidence === 'low') { /* block */ } if (confidence === 'medium') { /* ask for mfa */ }

  66. Scoring Model Client Credentials Auth0 Authentication API Kinesis Logs Enhance

    Logs Kinesis Anonymized Auth Attempts Scoring Service

  67. Good behavior

  68. Bad Behavior

  69. In Conclusion

  70. None

  71. Thanks Damian Schenkelman @dschenkelman

  72. Rate this session