IDaaS at Scale - Nardoz BA

In recent years we have seen the emergence of a new form of technology scale. Today's emerging technologies, which rapidly grow to millions of users, do not sell a product or service; instead, they build a platform on which others can create value. Yet new platforms often fail, because the design and growth strategies involved in building them are complex, resource intensive and expensive to scale. In the IAM/CIAM space, many companies are nonetheless still building their own IDaaS platform internally, facing this massive challenge and oftentimes failing to achieve their goals. This talk discusses the complexities, resources and scalability challenges Auth0 has faced in creating an IDaaS platform that securely manages more than 2.5 billion logins per month. Damian will take a deep dive into specific scenarios, including scaling password hashing, user search and designing across multiple cloud regions, among others.

Damian Schenkelman

August 15, 2019

Transcript

  1. IDaaS at Scale
    From 0 to 2.5B+ logins/month
    @dschenkelman

  2. Let's create an IDaaS. Yeah. How hard can it be?

  3. Narrator: "Era muy difícil" (It'd be very hard...)

  4. Agenda
    ● Surface
    ● Scale & Reliability
    ● Hosting
    ● Extensibility
    ● Wrap-up
    ● Questions

  5-8. Surface (one slide, built up over four steps)
    Slide 5: Compliance, Trust, Scale, Reliability, Security
    Slide 6 adds: Features, Protocols, User Management, Search, AuthZ, Session Management, Identity Providers, Anomaly Detection, Auditing
    Slide 7 adds: Dashboard, SDKs, APIs, Docs, Support Experience
    Slide 8 adds: Extensible

  9. SCALE & RELIABILITY

  10. From 2014 to Now

  11. General Techniques
    • Automated deployments
    • Rollout, blue/green
    • Feature flags
    • Rate limits
    • Autoscaling

  12. Architecture

  13. SCALING IAM

  14. PASSWORD HASHING

  15. PASSWORD HASHING
    • Hash: one way, no ability to revert
    • Resource intensive
    • bcrypt: configure number of rounds (the cost factor)
    • 2^10 rounds: ~80 ms -> 12.5 hashes/sec per CPU
    • 2^12 rounds: ~320 ms -> 3.125 hashes/sec per CPU

  16. Expected Response Times

  17. Actual Response Times

  18. Flamegraphs

  19. PASSWORD HASHING SERVICE (diagram)
    AUTH NODE -> LB -> BaaS | BaaS | BaaS | BaaS

  20. User Search

  21. email.domain:auth0.com AND logins_count:[0 TO 10}

  22. 2013: Mongo as a database; expose search

  23. 2015: Problems with case-insensitive search; no ability to search on metadata fields. Move to Elasticsearch.

  24. 2017: Search v3
    Problems: objects with many fields affected ES; overly permissive query syntax
    Changes: moved to Postgres; support for customer partitions; removed the ability to perform some queries

  25. Tap Compare
    https://saucelabs.com/blog/the-why-and-how-of-tap-compare-testing

  26. WHERE TO HOST?

  27. 2014: PROVIDE OPTIONS
    ON-PREM | AWS SINGLE TENANT | AZURE SINGLE TENANT | AWS + AZURE MULTI-TENANT, MULTI-REGION

  28. 2017: High cost to maintain another cloud provider; low probability of risk.
    Decision: no longer Azure on the multi-tenant environment

  29. 2017: PUBLIC CLOUD AWS ONLY
    ON-PREM | AWS SINGLE TENANT (Auth0 or Customer) | AZURE SINGLE TENANT (Customer Only) | AWS MULTI-TENANT, MULTI-REGION

  30. On-Prem
    Hard to sync on updates
    Different hardware: stateful scaling, stateless scaling
    Different levels of access/permissions

  31. 2019: AWS ONLY
    AWS SINGLE TENANT (Customer Account) | AWS MULTI-TENANT, MULTI-REGION | AWS SINGLE TENANT (Auth0 Account)

  32. LOCATION

  33. MULTIPLE ENVIRONMENTS
    ● Data Sovereignty
    ● Scale
    ● Latency
    ● Failure domains
    ● Price

  34. Environments

  35. EXTENSIBILITY

  36. WHY?
    ● Useful for product discovery
    ● Does not require changing the core product
    ● Empowers developers to do integration/customization

  37. WHAT?
    ● Custom email providers
    ● New OAuth-compliant identity providers
    ● Able to treat any database as an identity provider
    ● Custom actions on every event: login/signup/etc.

  38. HOW?
    ● Custom serverless platform
    ● Low latency
    ● No cold startup
    ● Sandbox/Isolation
    ● Limited permission set

  39. and Finally...

  40. The Feedback Loop: Build -> Measure -> Learn
    Baseline, Hypothesis, Analyze

  41. Thank you (Gracias)
    @dschenkelman

  42. Interested? (Te interesa?)
    https://auth0.com/careers/positions?areas=Engineering

  43. Questions
