IDaaS at Scale - From 0 to 2.5B+ logins/month (Auth0 Webinar)

In recent years, we've seen the emergence of a new form of technology scale. Today's emerging technologies, which rapidly grow to millions of users, do not sell a product or service. Instead, they build a platform on which others can create value. Yet new platforms often fail because the design and growth strategies involved in building them are complex, resource intensive and expensive to scale. Nevertheless, in the IAM/CIAM space many companies still build their own IDaaS platform in-house, face this massive challenge, and often fail to achieve their goals. This talk discusses the complexities, resources and scalability challenges Auth0 has faced in creating an IDaaS platform that securely manages more than 2.5 billion logins per month. Damian will take a deep dive into specific scenarios including scaling password hashing, user search and designing across multiple cloud regions, among others.

Damian Schenkelman

September 16, 2019

Transcript

  1. IDaaS at Scale From 0 to 2.5B+ logins/month @dschenkelman

  2. Let's create an IDaaS. Yeah. How hard can it be?

  3. "Era muy difícil" (It'd be very hard...) Narrator

  4. Agenda • Surface • Scale & Reliability • Hosting • Extensibility • Wrap-up • Questions

  5. Compliance Trust Scale Reliability Security

  6. Compliance Features Trust Protocols User Management Search Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing

  7. Compliance Features Trust Protocols User Management Search Dashboard SDKs APIs Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing Docs Support Experience

  8. Compliance Features Trust Protocols User Management Search Dashboard SDKs APIs Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing Docs Support Experience Extensible

  9. SCALE & RELIABILITY

  10. From 2014 to Now

  11. General Techniques • Automated deployments • Rollout, blue/green • Feature flags • Rate limits • Autoscaling

  12. Architecture

  13. SCALING IAM

  14. PASSWORD HASHING

  15. PASSWORD HASHING • Hash: one way, no ability to revert • Resource intensive • bcrypt: configure number of rounds • 2^10: ~80ms -> 12.5/sec per CPU • 2^12: ~320ms -> 3.125/sec per CPU

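The slide's two bcrypt figures are enough to model what the cost factor does to a login fleet. The following is an added capacity-planning example, not code from the deck or from Auth0; it takes the slide's rounded numbers (cost 2^10 at ~80 ms, cost 2^12 at ~320 ms) as representative, assumes a 30-day month, and treats the peak multiplier and latency budget as constructed inputs. It turns the headline 2.5B logins/month into an average login rate and a CPU estimate for a hashing service, and picks the strongest cost factor that still fits a latency budget.

```python
import math

# Added capacity-planning example; not Auth0's code. Constants are the slide's
# rounded figures or labelled assumptions, not measurements.
BASE_COST = 10                       # bcrypt cost factor quoted on the slide (2^10 rounds)
BASE_MS = 80.0                       # ~80 ms per hash at BASE_COST, per the slide
SECONDS_PER_MONTH = 30 * 24 * 3600   # assumed 30-day month


def hash_time_ms(cost: int) -> float:
    """bcrypt runs 2^cost rounds, so each +1 on the cost factor doubles the time."""
    return BASE_MS * 2 ** (cost - BASE_COST)


def hashes_per_sec_per_cpu(cost: int) -> float:
    """A hash occupies one CPU for hash_time_ms, so throughput is its inverse."""
    return 1000.0 / hash_time_ms(cost)


def logins_per_sec(logins_per_month: float) -> float:
    """Average login rate; real peaks are a multiple of this (see peak_multiplier)."""
    return logins_per_month / SECONDS_PER_MONTH


def cpus_needed(cost: int, rate_per_sec: float, peak_multiplier: float = 1.0) -> int:
    """CPUs doing nothing but bcrypt to sustain rate_per_sec * peak_multiplier logins."""
    return math.ceil(rate_per_sec * peak_multiplier / hashes_per_sec_per_cpu(cost))


def max_cost_within_budget(latency_budget_ms: float, min_cost: int = 10) -> int:
    """Largest cost factor whose single hash still fits the latency budget.

    Refuses (raises) if even min_cost overshoots the budget, so a tight budget
    can never silently weaken the hash below the configured floor.
    """
    if hash_time_ms(min_cost) > latency_budget_ms:
        raise ValueError("latency budget too small for the minimum acceptable cost")
    cost = min_cost
    while hash_time_ms(cost + 1) <= latency_budget_ms:
        cost += 1
    return cost


if __name__ == "__main__":
    avg = logins_per_sec(2.5e9)   # the deck's headline figure: 2.5B+ logins/month
    print(f"average login rate: {avg:.1f}/s")
    for cost in (10, 11, 12, 13):
        print(f"cost {cost}: {hash_time_ms(cost):5.0f} ms/hash, "
              f"{hashes_per_sec_per_cpu(cost):6.3f} hash/s/CPU, "
              f"{cpus_needed(cost, avg, peak_multiplier=3):4d} CPUs at 3x peak")
    print("strongest cost within a 500 ms budget:", max_cost_within_budget(500))
```

The model deliberately counts CPUs rather than machines: on the dedicated hashing service sketched a few slides later, the bcrypt work is the only thing those cores do, which is what makes the arithmetic honest. Raising the cost factor by one doubles the fleet at the same traffic, so the choice is a security-versus-cost decision that should be revisited as hardware gets faster, not a constant set once.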
  16. Expected Response Times

  17. Actual Response Times

  18. Flamegraphs

  19. PASSWORD HASHING SERVICE AUTH NODE LB BaaS BaaS BaaS BaaS

  20. User Search

  21. email.domain:auth0.com AND logins_count:[0 TO 10}

  22. 2013 Mongo as a database Expose search

  23. 2015 Problems with case insensitive search No ability to search on metadata fields Move to Elastic Search

  24. 2017 Objects with many fields affected ES Overly permissive query syntax Moved to Postgres Support for customer partitions Remove ability to perform some queries Search v3

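Slide 24's "overly permissive query syntax" and "remove ability to perform some queries" describe an allowlist problem: a search API that forwards arbitrary Lucene-style syntax lets callers write queries the backend cannot bound. The following is an added example, not Auth0's search code, of validating a query like slide 21's `email.domain:auth0.com AND logins_count:[0 TO 10}` against an explicit grammar before it reaches the backend. The searchable fields, the set of range-capable fields and the clause limit are constructed assumptions for the example.

```python
import re
from typing import Tuple

# Added example, not Auth0's search code. Accepts only `field:value` terms and
# `field:[lo TO hi]` / `field:{lo TO hi}` numeric ranges joined by AND/OR.
# Wildcards, regex, fuzzy, nested groups, unknown fields and ranges on
# non-numeric fields are rejected before the query reaches the search backend.
ALLOWED_FIELDS = {"email", "email.domain", "name", "user_id",
                  "logins_count", "app_metadata.plan"}   # constructed allowlist
RANGE_FIELDS = {"logins_count"}   # only numeric fields may be range-queried
MAX_CLAUSES = 8                   # bound query cost independently of backend limits

# field:value with a conservative value charset (no * ? ~ / ( ) [ ] or quotes)
TERM = re.compile(r"^(?P<field>[a-z_][a-z0-9_.]*):(?P<value>[A-Za-z0-9_.@-]+)$")
# field:[lo TO hi] with inclusive [ ] or exclusive { } bounds; digits or * only
RANGE = re.compile(
    r"^(?P<field>[a-z_][a-z0-9_.]*):[\[{](?P<lo>\d+|\*) TO (?P<hi>\d+|\*)[\]}]$"
)
# Boolean operators must be upper-case and surrounded by whitespace.
BOOLEAN = re.compile(r"\s+(AND|OR)\s+")


def _validate_clause(clause: str) -> Tuple[bool, str]:
    m = RANGE.match(clause)
    if m:
        if m["field"] not in RANGE_FIELDS:
            return False, f"range query not allowed on field '{m['field']}'"
        return True, "ok"
    m = TERM.match(clause)
    if m:
        if m["field"] not in ALLOWED_FIELDS:
            return False, f"field '{m['field']}' is not searchable"
        return True, "ok"
    return False, f"unsupported clause syntax: {clause!r}"


def validate_query(query: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-search query string."""
    parts = BOOLEAN.split(query.strip())
    clauses = parts[0::2]   # re.split keeps the captured operator at odd positions
    if len(clauses) > MAX_CLAUSES:
        return False, f"too many clauses ({len(clauses)} > {MAX_CLAUSES})"
    for clause in clauses:
        ok, reason = _validate_clause(clause)
        if not ok:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample queries: the slide's own query plus shapes to reject.
    samples = [
        "email.domain:auth0.com AND logins_count:[0 TO 10}",
        "logins_count:[5 TO *]",
        "email:*@auth0.com",          # leading wildcard: expensive scan
        "name:/.*/",                  # regex term
        "password_hash:abc",          # field outside the allowlist
        "email:[a TO z]",             # range on a non-numeric field
        "logins_count:[0 TO 10} AND", # dangling operator
    ]
    for q in samples:
        ok, reason = validate_query(q)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {q!r}: {reason}")
```

The design choice is to describe what is allowed rather than to blocklist what is dangerous: a new backend feature is unreachable until a field or operator is added here, which is the property the deck reached by moving to a restricted "Search v3".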
  25. Tap Compare https://saucelabs.com/blog/the-why-and-how-of-tap-compare-testing

  26. WHERE TO HOST?

  27. 2014: PROVIDE OPTIONS ON-PREM AWS SINGLE TENANT AZURE SINGLE TENANT AWS + AZURE MULTI-TENANT MULTI-REGION

  28. 2017 High cost to maintain another cloud provider Low probability of risk Decision: No longer Azure on multi tenant environment

  29. 2017: PUBLIC CLOUD AWS ONLY ON-PREM AWS SINGLE TENANT (Auth0 or Customer) AZURE SINGLE TENANT (Customer Only) AWS MULTI-TENANT MULTI-REGION

  30. On-Prem Hard to sync on updates Different hardware • Stateful scaling • Stateless scaling Different levels of access/permissions

  31. 2019: AWS ONLY AWS SINGLE TENANT (Customer Account) AWS MULTI-TENANT MULTI-REGION AWS SINGLE TENANT (Auth0 Account)

  32. LOCATION

  33. MULTIPLE ENVIRONMENTS • Data Sovereignty • Scale • Latency • Failure domains • Price

  34. Environments

  35. EXTENSIBILITY

  36. WHY? • Useful for product discovery • Does not require changing core product • Empowers developers to do integration/customization

  37. WHAT? • Custom email providers • New OAuth compliant identity providers • Able to treat any database as an identity provider • Custom actions on every event: login/signup/etc.

  38. HOW? • Custom serverless platform • Low latency • No cold startup • Sandbox/Isolation • Limited permission set

  39. and Finally...

  40. Build Learn Measure The Feedback Loop Baseline Hypothesis Analyze

  41. Thanks! Questions? @dschenkelman