IDaaS at Scale - Nardoz BA

In recent years we have seen the emergence of a new form of technology scale. Today's emerging technologies, which rapidly grow to millions of users, do not sell a product or service. Instead, they build a platform on which others can create value. Yet new platforms often fail because the design and growth strategies involved in building them are complex, resource intensive and expensive to scale. In the IAM/CIAM space, many companies are still building their own IDaaS platform in house, facing this massive challenge, and oftentimes failing to achieve their goals. This talk discusses the complexities, resources and scalability challenges Auth0 has faced in creating an IDaaS platform that securely manages more than 2.5 billion logins per month. The speaker will take a deep dive into specific scenarios, including scaling password hashing, user search and designing across multiple cloud regions, among others.

Damian Schenkelman

August 15, 2019
Transcript

  1. Agenda • Surface • Scale & Reliability • Hosting • Extensibility • Wrap-up • Questions
  2. Compliance, Features, Trust, Protocols, User Management, Search, Scale, Reliability, Security, AuthZ, Session Management, Identity Providers, Anomaly Detection, Auditing
  3. Compliance, Features, Trust, Protocols, User Management, Search, Dashboard, SDKs, APIs, Scale, Reliability, Security, AuthZ, Session Management, Identity Providers, Anomaly Detection, Auditing, Docs, Support, Experience
  4. Compliance, Features, Trust, Protocols, User Management, Search, Dashboard, SDKs, APIs, Scale, Reliability, Security, AuthZ, Session Management, Identity Providers, Anomaly Detection, Auditing, Docs, Support, Experience, Extensible
  5. General Techniques • Automated deployments • Rollout, blue/green • Feature flags • Rate limits • Autoscaling
  6. PASSWORD HASHING • Hash: one way, no ability to revert • Resource intensive • bcrypt: configure number of rounds • 2^10: ~80 ms -> 12.5/sec per CPU • 2^12: ~320 ms -> 3.125/sec per CPU
  7. 2015: Problems with case-insensitive search • No ability to search on metadata fields • Moved to Elasticsearch
  8. 2017: Objects with many fields affected ES • Overly permissive query syntax • Moved to Postgres • Support for customer partitions • Removed ability to perform some queries • Search v3
  9. 2017: High cost to maintain another cloud provider • Low probability of risk • Decision: no longer Azure on multi-tenant environment
  10. 2017: Public cloud, AWS only • On-prem • AWS single tenant (Auth0 or customer) • Azure single tenant (customer only) • AWS multi-tenant, multi-region
  11. On-prem: Hard to sync on updates • Different hardware (stateful scaling, stateless scaling) • Different levels of access/permissions
  12. 2019: AWS only • AWS single tenant (customer account) • AWS multi-tenant, multi-region • AWS single tenant (Auth0 account)
  13. WHY? • Useful for product discovery • Does not require changing core product • Empowers developers to do integration/customization
  14. WHAT? • Custom email providers • New OAuth-compliant identity providers • Able to treat any database as an identity provider • Custom actions on every event: login/signup/etc.
  15. HOW? • Custom serverless platform • Low latency • No cold startup • Sandbox/Isolation • Limited permission set