IDaaS at Scale - Nardoz BA

Transcript

1. IDaaS at Scale From 0 to 2.5B+ logins/month @dschenkelman

2. Let's create an IDaaS. Yeah. How hard can it be?

3. Era muy dificil It'd be very hard... Narrator

4. Agenda • Surface • Scale & Reliability • Hosting •

   Extensibility • Wrap-up • Questions

5. Compliance Trust Scale Reliability Security

6. Compliance Features Trust Protocols User Management Search Scale Reliability Security

   AuthZ Session Management Identity Providers Anomaly Detection Auditing

7. Compliance Features Trust Protocols User Management Search Dashboard SDKs APIs

   Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing Docs Support Experience

8. Compliance Features Trust Protocols User Management Search Dashboard SDKs APIs

   Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing Docs Support Experience Extensible

9. SCALE & RELIABILITY

10. ® From 2014 to Now

11. ® • Automated deployments • Rollout, blue/green • Feature flags

    • Rate limits • Autoscaling General Techniques

12. Architecture

13. SCALING IAM

14. PASSWORD HASHING

15. ® PASSWORD HASHING • Hash: one way, no ability to

    revert • Resource intensive • bcrypt: configure number of rounds • 2^10: ~80ms -> 12.5/sec per CPU • 2^12: ~320ms -> 3.125/sec per CPU

16. Expected Response Times

17. Actual Response Times

18. Flamegraphs

19. PASSWORD HASHING SERVICE AUTH NODE LB BaaS BaaS BaaS BaaS

20. User Search

21. email.domain:auth0.com AND logins_count:[0 TO 10}

22. 2013 Mongo as a database Expose search

23. 2015 Problems with case insensitive search No ability to search

    on metadata fields Move to Elastic Search

24. 2017 Objects with many fields affected ES Overly permissive query

    syntax Moved to Postgres Support for customer partitions Remove ability to perform some queries Search v3

25. Tap Compare https://saucelabs.com/blog/the-why-and-how-of-tap-compare-testing

26. WHERE TO HOST?

27. 2014: PROVIDE OPTIONS ON-PREM AWS SINGLE TENANT AZURE SINGLE TENANT

    AWS + AZURE MULTI-TENANT MULTI-REGION

28. 2017 High cost to maintain another cloud provider Low probability

    of risk Decision: No longer Azure on multi tenant environment

29. 2017: PUBLIC CLOUD AWS ONLY ON-PREM AWS SINGLE TENANT (Auth0

    or Customer) AZURE SINGLE TENANT (Customer Only) AWS MULTI-TENANT MULTI-REGION

30. On-Prem Hard to sync on updates Different hardware • Stateful

    scaling • Stateless scaling Different levels of access/permissions

31. 2019: AWS ONLY AWS SINGLE TENANT (Customer Account) AWS MULTI-TENANT

    MULTI-REGION AWS SINGLE TENANT (Auth0 Account)

32. LOCATION

33. MULTIPLE ENVIRONMENTS • Data Sovereignty • Scale • Latency •

    Failure domains • Price

34. Environments

35. EXTENSIBILITY

36. WHY? • Useful for product discovery • Does not require

    changing core product • Empowers developers to do integration/customization

37. WHAT? • Custom email providers • New OAuth compliant identity

    providers • Able to treat any database as an identity provider • Custom actions on every event: login/signup/etc.

38. HOW? • Custom serverless platform • Low latency • No

    cold startup • Sandbox/Isolation • Limited permission set

39. and Finally...

40. Build Learn Measure The Feedback Loop Baseline Hypothesis Analyze

41. Gracias @dschenkelman

42. Te interesa? https://auth0.com/careers/positions?areas=Engineering

43. Questions