Slide 1

Authentication at the Edge
Andrew Betts | Developer Advocate

Slide 2

Who is this guy
• Developer advocate and product manager at Fastly
• Previously Financial Times and Nikkei (Japan)
• Elected to the W3C Technical Architecture Group
• Started out as an intern developer in the UK air traffic control service (NATS)

Slide 3

Identity

Slide 4

Magic, circa 2001
http://intranet/my/example/app

Slide 5

Middleware, circa 2010

    app.get('/', doAuth, (req, res) => {
      res.end(req.user.name);
    });

Slide 6

New magic, circa 2018

    app.get('/', (req, res) => {
      res.end(req.get('User-Name'));
    });

Slide 7

Middleware at the edge?
• Validate
• Normalise
• Authenticate
• Optimise
• CORS
• Compress
• Route

Slide 8

Authentication vs Authorisation

Slide 9

Authentication | Authorisation

Slide 10

Authentication: Who am I?

Slide 11

Authentication methods
• IP address
• HTTP auth
• Username/password
• Single use tokens
• Single sign-on / OAuth / "Login with Google"
• Code generators (TOTP / 2FA)

Slide 12

Welcome to the Finnair lounge. Please enjoy complimentary access to the New York Times.

Slide 13

IP based authentication
fiddle.fastlydemo.net/fiddle/ce76d16c

Participants: User, Fastly, Origin

1. User in a recognised location accesses a page. The user's IP is readable as client.ip.
   User -> Fastly:   GET /home/us

2. Consult the Edge Dictionary, set an upstream header.
     table ip_special {
       "23.65.123.7": "name=Hels..",
       ...
     }
   Fastly -> Origin: GET /home/us
                     Fastly-ID: premium-ip

3. Store two variants in the cache.
   Origin -> Fastly: 200 OK
                     Vary: Fastly-ID

4. Set additional edge metadata using a short-lived cookie. The user receives premium content and the cookie enables additional client-side progressive enhancement.
   Fastly -> User:   200 OK
                     Set-Cookie: ip_special=name=Helsinki%20Air...
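The following is an added example, not code from the talk or from the linked Fastly fiddle: a plain Node.js model of the edge step on slide 13, with the dictionary contents, cookie attributes and helper names constructed for illustration. It also shows the point slide 6 leaves implicit: when origin reads identity from a plain request header, the edge must drop any copy of that header that arrives from the client before deciding whether to set its own.

```javascript
// Added example (not from the talk or the Fastly fiddle). Header names are
// lower-case, as Node's http module delivers them.

// Constructed stand-in for the Edge Dictionary `ip_special` on the slide.
const IP_SPECIAL = {
  '23.65.123.7': 'name=Helsinki%20Airport%20Lounge',
};

// Headers the edge asserts about the client are owned by the edge: any
// inbound copy is discarded before the lookup decides whether to set one.
const EDGE_OWNED_HEADERS = ['fastly-id'];

// Shape the request Fastly forwards to origin. `clientReq.clientIp` plays
// the role of VCL's client.ip.
function buildOriginRequest(clientReq) {
  const headers = { ...clientReq.headers };
  for (const name of EDGE_OWNED_HEADERS) delete headers[name];
  const special = IP_SPECIAL[clientReq.clientIp] || null;
  if (special) headers['fastly-id'] = 'premium-ip';
  return { method: 'GET', path: clientReq.path, headers, special };
}

// Cache key: the path plus the value of every header origin named in Vary,
// so "Vary: Fastly-ID" yields exactly two stored variants of /home/us.
function cacheKey(originReq, originResp) {
  const vary = (originResp.headers['vary'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const parts = vary.map((h) => `${h}=${originReq.headers[h] || ''}`);
  return [originReq.path, ...parts].join('|');
}

// Shape the response returned to the client: the internal Vary is dropped
// and, for a recognised IP, a short-lived cookie carries the edge metadata.
function buildClientResponse(originReq, originResp) {
  const headers = { ...originResp.headers };
  delete headers['vary'];
  if (originReq.special) {
    headers['set-cookie'] =
      `ip_special=${originReq.special}; Max-Age=600; Path=/; Secure; SameSite=Lax`;
  }
  return { status: originResp.status, headers };
}

// Constructed sample traffic: one request from the lounge, one from an
// ordinary address that tries to supply Fastly-ID itself.
const loungeReq = { clientIp: '23.65.123.7', path: '/home/us', headers: {} };
const homeReq = { clientIp: '198.51.100.9', path: '/home/us', headers: { 'fastly-id': 'premium-ip' } };
const originResp = { status: 200, headers: { vary: 'Fastly-ID', 'content-type': 'text/html' } };

for (const req of [loungeReq, homeReq]) {
  const upstream = buildOriginRequest(req);
  console.log(cacheKey(upstream, originResp), buildClientResponse(upstream, originResp).headers);
}
```

Run it with `node` and the two requests produce two different cache keys; the second request's self-supplied `fastly-id` never reaches origin.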

Slide 14

HTTP authentication
fiddle.fastlydemo.net/fiddle/a7162845

Slide 16

State?

Slide 17

Maintaining state with edge-managed cookies

Identity persists as cookies (between the user and Fastly):
    Cookie: auth=fgt983tgc9vtSFiw4H9asdfF

Identity persists as headers (between Fastly and the origin):
    Fastly-ID: 12565
    Fastly-User-Name: Andrew

Origin response:
    Vary: Fastly-ID
(the cached variant is keyed on Fastly-ID: 12565)

Slide 18

    Header name              Example value           Cardinality (OOM)
    Fastly-ID                1406535                 1,000,000
    Fastly-User-Name         Andrew                  100,000
    Fastly-User-Groups       eu gdpr premium uk1     1000
    Fastly-User-Level        4                       10
    Fastly-User-Is-Premium   1                       1

Slide 19

Maintaining state with edge-managed cookies
fiddle.fastlydemo.net/fiddle/c249a659

Participants: User, Fastly, Auth service, Content service

1. Get the login form.
   User -> Fastly -> Auth service:  GET /auth
   Auth service -> Fastly -> User:  200 OK

2. Submit the login form, get a session cookie & redirect to the homepage.
   User -> Fastly -> Auth service:  POST /auth/login
   Auth service -> Fastly:          200 OK
                                    Auth-Result: VALID
                                    Auth-Data: {id:372635,level:"Subscriber",name:"Alice"}
   Fastly -> User:                  307 Temporary redirect
                                    Location: /home
                                    Set-Cookie: auth=#########

3. Load the homepage, get the Subscriber-only version.
   User -> Fastly:                  GET /home
                                    Cookie: auth=#########
   Fastly -> Content service:       GET /home
                                    Auth-ID: 372635
                                    Auth-Level: Subscriber
                                    Auth-Name: Alice
   Content service -> Fastly:       200 OK
                                    Vary: Auth-Level
   Fastly -> User:                  200 OK

Slide 21

Time limited URL tokens
fiddle.fastlydemo.net/fiddle/a04d81ca

Participants: User, Fastly, Static assets

1. User -> Fastly:          GET /vid.mp4?token=9734536_jf948fhw0th04htnfpbsnwp9te

2. Fastly checks the token:
   - Check signature matches URL
   - Check IP / User-Agent / Referrer
   - Check timestamp is still valid
   - Strip token from URL

3. Fastly -> Static assets: GET /vid.mp4
   Static assets -> Fastly: 200 OK
   Fastly -> User:          200 OK

Slide 23

Single sign on
fiddle.fastlydemo.net/fiddle/e405f025

Participants: User, Fastly, Auth provider, Content service

1. User wants to log in.
   User -> Fastly:          GET /login
   Fastly -> User:          200 OK

2. Negotiate with the third party, get a token.
   User -> Auth provider:   GET https://account.google.com/sso?...

3. Send the token to Fastly, get a session cookie and redirect to the article page.
   User -> Fastly:          GET /session?code=d8g...
   Fastly uses the Auth provider's published certificates to verify the ID token.
   Fastly -> User:          307 Temporary redirect
                            Set-Cookie: auth=jsfu38vsjneruigereer...
                            Location: /article/kittens

4. User -> Fastly:          GET /article/kittens
   Fastly -> Content service: GET /article/kittens

Slide 24

Authorization: What can I do?

Slide 25

Authorization criteria
• Identified
• Level (basic, premium)
• Group membership
• Credit balance
• Environmental/external (territorial rights, time)

Slide 26

Intersecting groups

Slide 27

Intersecting groups

Participants: User, Fastly, Origin

1. A logged-in user attempts to view content.
   User -> Fastly:   GET /article/kittens
                     Cookie: auth=iuf34t89qw9a8hvaa...

2. Using the cookie, we can determine their groups.
   Fastly -> Origin: GET /article/kittens
   Origin -> Fastly: 200 OK
                     Require-Groups: std-premium 7club
   User's groups:    uk eu gdpr std-premium
   Intersection:     std-premium

3. Because the content requires a group membership that the user has, access is allowed.
   Fastly -> User:   200 OK

Slide 28

Metered paywall

Slide 29

Metered paywall

Participants: User, Fastly, Paywall service, Content service

1. Request a protected article.
   User -> Fastly:            GET /article/kittens
                              Cookie: auth=########
   Fastly -> Content service: GET /article/kittens
   Content service -> Fastly: 200 OK
                              Paywall: https://.../check?id=93535&mode=meter&level=1

2. Decode the user cookie, add the user id to the request, restart.
   Fastly -> Paywall service: GET /check?id=93535&mode=meter&level=1
                              Auth-User: 12345
   Paywall service -> Fastly: 200 OK
                              Paywall-Result: ALLOW
                              Paywall-Meta: {remain:5, total:10}

3. Restart to recover the requested article from the cache.
   Fastly:                    GET /article/kittens

4. The article is delivered with a cookie containing the paywall data for use in the UI.
   Fastly -> User:            200 OK
                              Set-Cookie: p={remain:5, total:10}; max-age=10
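The two authorization decisions of slides 27 and 29, group intersection and the metered paywall, as one added Node.js example that is not code from the talk. The paywall service is constructed in-process, remembering which article ids each user has already read so that re-reading does not consume the meter; the meter size, the response statuses on denial, the paywall host name and the helper names are this example's own assumptions.

```javascript
// Added example (not from the talk or the Fastly fiddles).

// Group check (slide 27): origin names the groups allowed to see the content;
// access is granted when the user belongs to at least one of them.
function groupsAllow(requireGroupsHeader, userGroups) {
  const required = (requireGroupsHeader || '').split(/\s+/).filter(Boolean);
  if (required.length === 0) return true;        // no group restriction
  const mine = new Set(userGroups);
  return required.some((g) => mine.has(g));      // any intersection suffices
}

// Constructed in-memory paywall service (slide 29). It answers in the
// Paywall-Result / Paywall-Meta shape the slide shows.
const METER_TOTAL = 10;
const meterState = new Map();                    // "user:level" -> Set of article ids

function paywallCheck({ id, mode, level }, authUser) {
  if (mode !== 'meter' || !id || !authUser) return { result: 'DENY', meta: null };
  const key = `${authUser}:${level}`;
  const seen = meterState.get(key) || new Set();
  if (!seen.has(id)) {
    if (seen.size >= METER_TOTAL) return { result: 'DENY', meta: { remain: 0, total: METER_TOTAL } };
    seen.add(id);
    meterState.set(key, seen);
  }
  return { result: 'ALLOW', meta: { remain: METER_TOTAL - seen.size, total: METER_TOTAL } };
}

// Edge decision for one request: the user comes from an already verified
// session cookie, the policy from the origin response headers.
function authorize(originResp, user) {
  if (!groupsAllow(originResp.headers['require-groups'], user.groups)) {
    return { status: 403, reason: 'group' };
  }
  const paywallUrl = originResp.headers['paywall'];
  if (!paywallUrl) return { status: 200 };
  const params = Object.fromEntries(new URL(paywallUrl).searchParams);
  const { result, meta } = paywallCheck(params, user.id);
  if (result !== 'ALLOW') return { status: 403, reason: 'paywall', meta };
  // Deliver the article with a short-lived cookie carrying the meter state for the UI.
  return {
    status: 200,
    meta,
    setCookie: `p=${encodeURIComponent(JSON.stringify(meta))}; Max-Age=10; Path=/`,
  };
}

// Constructed walk-through using the slide's values.
const alice = { id: 12345, groups: ['uk', 'eu', 'gdpr', 'std-premium'] };
const originResp = {
  status: 200,
  headers: {
    'require-groups': 'std-premium 7club',
    paywall: 'https://paywall.example/check?id=93535&mode=meter&level=1',
  },
};
console.log(authorize(originResp, alice));
```

The meter cookie is for the UI only; the edge never trusts it for the decision, which is re-made from the server-side count on every request.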

Slide 30

Territorial rights
• IP geolocation
• Group intersection (region-locked accounts)

Slide 31

Modern web technologies
• Fast, instant payments using the Payment Request API
• Seamless biometrics and keys: the WebAuthn API

Slide 32

Summary
• Identity and authorization can be the most complex parts of your app
• There are many different ways to do this
• Browser technologies are changing established patterns
• Using edge logic improves performance and security, and simplifies architecture
• Try using Fastly for your identity and access use case!

Slide 33

Thanks for listening

I am Andrew Betts
@triblondon
[email protected]

Get the slides: fastly.us/auth-talk