SSO & SOA

SOA
SSO
& @MattKetmo
PHPTour
Lyon 2014

View Slide

Service
Oriented
Architecture
“Developing a single application as a suite of small
services, each running in its own process and
communicating with lightweight mechanisms”
#EventDriven #DistributedSystem

View Slide

View Slide

/me
Matthieu Moquet
@MattKetmo
Developer at
…for almost 3 years

View Slide

Back to 2011…

View Slide

Covoiturage.fr
1 monolithic PHP app
o Core website
o Web mobile
o B2B platform
o Backoﬀice tools
o Web views (mobile apps)
o External widgets

View Slide

Plain Old PHP
No Dependency Injection
No functional tests
High coupling
…hard to maintain

View Slide

View Slide

# wc -l lib.trip.php
3678
…longest method: 1000+ lines

View Slide

View Slide

get rid of the
TECHNICAL DEBT

View Slide

started from scratch
since 2012

View Slide

2.0

View Slide

Let’s embrace
best practices

View Slide

1 bundle
BlablacarAppBundle
BlablacarBlogBundle
BlablacarFaqBundle
BlablacarTripBundle
BlablacarUserBundle
...
N bundles
OR

View Slide

Services & Controllers
§  Should controllers access the repository?
§  How should I split my services?
§  Is ContainerAware that bad?
§  How to organize my Business Layer?

View Slide

Where should I put my
Model & Doctrine entities?

View Slide

Forms
Should I map my entities with my forms?

View Slide

Validation
§  Should I map validation with entities?
§  Should I use groups?

View Slide

Translations
§  Catalogue message?
§  Should I use key identifiers or phrases?
§  How to name the keys?

View Slide

Route naming
homepage
blablacar_homepage
blablacar_main_homepage

View Slide

Events
§  Listen on Doctrine events?
§  Create your own? ACTION / PRE_ACTION / POST_ACTION ?
§  Subscribers VS. Listeners

View Slide

Design
When you don’t have full-time designer,
then Bootstrap(2) FTW

View Slide

With a few developers…
At the beginning, you need to start quickly,
(but you take time to write conventions).
Legacy App New App

View Slide

Then you hire new people

View Slide

How many developers to be
more eﬀicient?

View Slide

More code means…

View Slide

Heavy Container

View Slide

$ app/console cache:warmup
Warming up the cache for the dev env with debug true

View Slide

View Slide

$ app/console assetic:dump
Dumping all dev assets.
Debug mode is on.
23:00:32 [file+] /path/to/web/css/0e781b6.css
23:00:35 [file+] /path/to/web/css/0e781b6_part_1_bootstrap_1.css
23:00:35 [file+] /path/to/web/css/0e781b6_part_2_buttons_1.css
23:00:35 [file+] /path/to/web/css/0e781b6_part_2_card_2.css
23:00:35 [file+] /path/to/web/css/0e781b6_part_2_form_3.css
23:00:35 [file+] /path/to/web/css/0e781b6_part_2_grid_4.css
23:00:36 [file+] /path/to/web/css/0e781b6_part_2_list_5.css
23:00:36 [file+] /path/to/web/css/0e781b6_part_2_navbar_6.css
23:00:36 [file+] /path/to/web/css/0e781b6_part_2_panel_7.css
23:00:37 [file+] /path/to/web/css/0e781b6_part_2_vcard_9.css
23:00:37 [file+] /path/to/web/js/e66598b.js
23:00:37 [file+] /path/to/web/js/e66598b_jquery_1.js
23:00:37 [file+] /path/to/web/js/e66598b_bootstrap_2.js
23:00:37 [file+] /path/to/web/js/e66598b_script_3.js

View Slide

View Slide

$ phpunit -c app
........................... .............. (63/975)
.......................... ............... (126/975)
.............. ........................... (189/975)
.......F................ ................. (252/975)
.............F....

View Slide

Changed few lines of code?
Run the full test suite!

View Slide

View Slide

Optimize test execution time
Invest in parallelization processes
Split TestSuite in VMs (on AWS)
Run 1h tests in 10min

View Slide

One big projet makes your team
less reactive
How often do you deploy your main project?

View Slide

https://code.facebook.com/posts/218678814984400/scaling-mercurial-at-facebook/

View Slide

Changing foundations is
expensive
What if we want to change…

View Slide

What if we want to change
The backend framework?
We don’t plan to change it, and we couldn’t

View Slide

The testing framework?
We won’t rewrite the whole test suite.
But we can use several frameworks at the same time (eg. Behat)

View Slide

The frontend framework?
Well, we are stuck with Bootstrap2.
Updating to Bootstrap3 or rewriting our own will take time.

View Slide

The assets builder?
Assetic took too long to compile all assets.
We moved to asset management with Grunt.

View Slide

The data layer?
Actually frontend servers make MySQL queries.
But in the long term, it’s not a good practice (see coming slides).

View Slide

We’ll ALWAYS have technical debt.
We must LIMIT it as much as possible.

View Slide

Think as small as possible
µServices
The secret to building large apps is never
build large apps.
Break your application into small pieces.
Then, assemble those testable, bite-sized
pieces into your big application
— Justin Meyer

View Slide

3 patterns
to build a better software
architecture…

View Slide

Request-Response

View Slide

Request-Response
GET your resources
synchronously
Data Layer

View Slide

Request-Response
$user = $this
->get('my.repository.user')
->find(1337);

View Slide

Request-Response
$mysql->query('...')

View Slide

Request-Response
Id Firstname Lastname Pseudo Email Birthday
1337 Ma'hieu Moquet Ma'Ketmo ma'[email protected] 1988-‐12-‐17

View Slide

Request-Response
However front-end servers should NOT access
the database directly
It should fetch normalized data from an
internal service
API for the win!

View Slide

Request-Response
GET /users/123
Do you speak REST ?
Better versioning & normalization

View Slide

Request-Response
…or you may speak:
§ SOAP
§ XML-RPC
§ Protobuﬀer
§ Thrift
§ etc.

View Slide

Request-Response
Even RabbitMQ can be used for
synchronous requests
scrutinizer-ci/rabbitmq
src/Scrutinizer/RabbitMQ/Rpc
http://www.rabbitmq.com/tutorials/tutorial-six-python.html

View Slide

Request-Response

View Slide

Command(Handler)

View Slide

Command
$cmd = FooCommand('bar');
$handler = FooCommandHandler();
$handler->execute($cmd);
Do not expect a return value

View Slide

Command
Perfect for
asynchronous jobs
§  Send e-mails / SMS / PUSH notiﬁcations
§  Image processing
§  Data indexation
§  Saving complex data
§  etc.

View Slide

Command
publish consume
RabbitMQ
DIRECT rou

View Slide

Command
publish consume
Easy scaling

View Slide

Command
Service is accessible via a
queueing system only (not REST)
§  RabbitMQ
§  ActiveMQ
§  Beanstalkd
§  Gearman
§  …
More at http://queues.io

View Slide

Sending Newsletters
publish
100k messages
Create an army of
workers in AWS
consume
send mails
message payload = emails
address + content
App
Scheduler (Java + Quartz)
Worker
NL @10am
segment X
Get users of
segment X
(Scroll ElasticSearch)

View Slide

PubSub
Obverser / Event Dispatcher

View Slide

PubSub
$dispatcher = new EventDispatcher();!
!
// Listen using an object or a callback!
$listener = new AcmeListener();!
$dispatcher->addListener('foobar', array($listener, 'onFoobar'));!
!
$dispatcher->addListener('foobar', function (Event $event) {!
// do something else with the events!
});!
!
// Dispatch event!
$dispatcher->dispatch('foobar', $event);!
Example with the Symfony EventDispatcher

View Slide

PubSub
Notify your infrastructure of
every business events
Publish events without knowing who is listening
Create services without any core changes

View Slide

PubSub
pub
RabbitMQ
TOPIC rousub
user.register
user.edit_bio
user.register
user.edit_bio
user.edit_bio

View Slide

PubSub
Use Case
BI

View Slide

user.register
user.edit_bio
user.left_rating
user.post_trip
...
Data Warehouse
Log every business events in Hadoop

View Slide

user.register
user.edit_bio
user.left_rating
user.post_trip
...
user.register
user.post_trip
...
Meanwhile…
RealTime Dashboard
Log every business events in ElasticSearch

View Slide

View Slide

ReqRes — Command — PubSub
Message
Broker
RabbitMQ removes hard link between services

View Slide

Now we have the keys to start a distributed architecture
let’s start decoupling our application…
Front-end desktop + mobile
Hard to split in several projects (need to delegate jobs)
API
For mobile apps & partners
Backoﬀice
Set of administration tools
Workers
Already decoupled from the core app

View Slide

Backoﬀice
A set of independent tools
Easy to split

View Slide

Backoﬀice — CRUD
Some tools are just data manipulation:
– User Management
– Blog
– FAQ
GET /users
PUT /users/123
Data Layer

View Slide

Backoﬀice — Moderation
Manage user « data » which need to be moderated
user.upload_avatar
user.edit_bio
user.left_rating
UI to check
data manually
Auto detect
spam & non
compliant data
Machine Learning data.received
data.treated
send mails

View Slide

Backoﬀice — URL Shortener
Some tools are completely independent
https://www.blablacar.com/register SHORTEN
No data shared with core business

View Slide

Authentication
Splitting our backoﬀice in many apps
should not be a pain for the UX

View Slide

Let’s build a
Single Sign-On service

View Slide

Single
Sign
On
“SSO is a method allowing a user to access
multiple applications, making only a single
authentication.”

View Slide

STARTING POINT
LDAP

View Slide

Single Sign ONCE
example.org/app
app.example.org
Simple Case: Shared Host / Shared Domain

View Slide

View Slide

« OAuth is an open standard for authorization
[…] to access server resources on behalf of a
resource owner »
— Wikipedia

View Slide

OAuth2 Grant Types
Authorization Code
Connect-like workflow
Implicit Grant (Direct Token)
Usefull for JS app
Password flow
Trusted app (client credentials)
Client Credentials
Basic (use of client id + secret)

View Slide

OAuth2

View Slide

Do It Yourself
with

View Slide

From LDAP to OAuth
Given I am on the login page
Then I should login with my LDAP credentials
App
LDAP
Login

View Slide

There is a bundle for that

View Slide

FR3DLdapBundle

View Slide

FR3DLdapBundle/config.yml
# LDAP Configuration!
fr3d_ldap:!
driver:!
host: "%ldap_host%"!
username: "%ldap_username%"!
password: "%ldap_password%"!
baseDn: "%ldap_username%"!
user:!
baseDn: "%ldap_user_dn%"!
filter: "%ldap_user_filter%"!
attributes:!
- { ldap_attr: "uid", user_method: "setUsername" }!
- { ldap_attr: "cn", user_method: "setName" }!
- { ldap_attr: "mail", user_method: "setEmail" }!
service:!
user_manager: "acme.user_manager"!

View Slide

From LDAP to OAuth
Given I am on "/me" with "user" access token
Then I should get "user" resources in JSON
App
LDAP OAuth2
API

View Slide

There is a bundle for that

View Slide

FOSOAuthServerBundle

View Slide

FOSOAuthServerBundle/
security.yml
firewalls:!
api:!
pattern: ^/api!
fos_oauth: true!
stateless: true

View Slide

From LDAP to OAuth
App
LDAP OAuth2
API
Login

View Slide

Enforce security
PO said,
this SSO entry-point should be a
top-notch secure app

View Slide

There ARE bundles for THAT

View Slide

SchebTwoFactorBundle
SpomkyIpFilterBundle
CCDNUserSecurityBundle
NelmioSecurityBundle
…

View Slide

App
LDAP OAuth2
2FA
FW

View Slide

What about the client?

View Slide

Of course,
there is a bundle for that

View Slide

HWIOAuthBundle

View Slide

View Slide

# HWI OAuth Configuration!
hwi_oauth:!
firewall_name: "main"!
resource_owners:!
acme_sso:!
type: "oauth2"!
client_id: "%client_id%"!
client_secret: "%client_secret%"!
access_token_url: "%base_url%/oauth/v2/token"!
authorization_url: "%base_url%/oauth/v2/auth"!
infos_url: "%base_url%/api/me”!
paths:!
identifier: "id"!
nickname: "username"!
realname: "name"!
email: "email"!

View Slide

UX — We don’t really need this login form

View Slide

UX — We don’t really need a one-button page

View Slide

302 Found
UX — Get transparent login process

View Slide

OAuth is all about
authorization,
not authentication
Watch out for weaknesses & attacks

View Slide

GET /api/me
{
"id": 1337,
"firstname": "Matthieu",
"lastname": "Moquet",
"nickname": "MattKetmo"
}
(the cheat)

View Slide

CSRF
http://example.org?redirect_uri=xxxx&state=yyyy
session[state] === params[state].
http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-10.12

View Slide

Cover Redirect
(is a joke)
http://homakov.blogspot.fr/2014/05/covert-redirect-faq.html

View Slide

id_token
Multiple Response Type Encoding Practices.
Provides an assertion of the identity of the
Resource Owner.
http://openid.bitbucket.org/oauth-v2-multiple-response-types-1_0.html

View Slide

However if OAuth2 is not designed to be
an SSO protocol, what should I use?

View Slide

OAuth1.a

View Slide

It seems Symfony have a
bundle for everything…

View Slide

BazingaOAuthServerBundle

View Slide

View Slide

SAML
(Security Assertion Markup Language)
SAML is an XML-based protocol that uses
security tokens containing assertions to pass
information about a principal between an
identity provider, and a consumer.
There are bundles/lib for that (but not maintained, see impl.)
§  pdias/FOSSamlBundle
§  aerialship/SamlSPBundle
§  chtitux/sfSAMLPlugin (symfony1)

View Slide

CAS
(Central Authentication Service)
Example of client implementation
BeSimple/BeSimpleSsoAuthBundle

View Slide

h"ps://github.com/BeSimple/BeSimpleSsoAuthBundle/blob/master/Resources/doc/protocols.md

View Slide

JWT
(JSON Web Token)
Payload signed server-side with a
JSON Web Signature (JWS).
auth.
signed token
request

View Slide

JWT
(JSON Web Token)
Sign payload using a secret key
auth.
signed token
request

View Slide

firebase/php-jwt
curl –H "Authorization: Bearer eyJ0eXAiOiJKV..." example.org
$key = "s3cr3t_key";
$token = array(
"sub" => "mattketmo",
"aud" => "http://example.com",
"exp" => 1356999524,
);
$jwt = JWT::encode($token, $key); // eyJ0eXAiOiJKV...

View Slide

namshi/jose
OpenSSL + cookies
// Auth (SSO)
$privateKey = openssl_pkey_get_private("file://private.key");
$jws = new JWS('RS256');
$jws->setPayload([$userId]);
$jws->sign($privateKey)
setcookie('identity', $jws->getTokenString());
// Client App
$jws = JWS::load($_COOKIE['identity']);
$publicKey = openssl_pkey_get_public("/public.key");
if ($jws->isValid($publicKey)) {
$payload = $jws->getPayload();
$userId = $payload['id'];
}

View Slide

OAuth2 + JWT
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08

View Slide

OpenID Connect
Feb. 2014 — openid.net/connect/

View Slide

View Slide

Core app is now lightweight
o Tiny container (less services/listeners)
o Test suite is smaller
o Forget about technical debt

View Slide

Choose the right tools
for the task
Backend / Frontend / Datastore / …

View Slide

Make experiments

View Slide

Work faster
No more bottleneck & dependencies
with other dev teams

View Slide

BE EFFICIENT
AVOID REPETITIVE PROCESSES

View Slide

Install dev environment
in less than 1h

View Slide

Bootstrap everything
composer create-project blablacar/backoffice-app
git clone [email protected]/worker-skeleton.git
via git
or via composer

View Slide

Enforce reusable components
{
"require": {
"blablacar/monolog": "~1.0",
"blablacar/scheduler-client": "~1.1",
"blablacar/redis-client": "~1.2",
"blablacar/rabbit-mq-admin-toolkit": "dev-master"
}
}

View Slide

Be ready for production
Don’t loose time in configuration setup
Parameters
for $ENV
Config template
for $PROJECT
Config file for
$PROJECT/$ENV
Centralized build tool to generate a project configuration
file for any environment (local / dev / staging / prod)

View Slide

Never miss a log

View Slide

Don’t be lost in translations
Open-sourced a tool to manage your project
translations easily
More information tomorrow, 9:45

View Slide

Thank you
Slides available at
moquet.net/talks/phptour-2014-sso-soa
Leave feedbacks @MattKetmo

View Slide

SSO & SOA

SSO & SOA

Matthieu Moquet

More Decks by Matthieu Moquet

Other Decks in Programming

Featured

Transcript