Slide 1

Slide 1 text

IDaaS at Scale: From 0 to 2.5B+ logins/month ● @dschenkelman

Slide 2

Slide 2 text

Let's create an IDaaS. Yeah. How hard can it be?

Slide 3

Slide 3 text

Narrator: It was very hard (It'd be very hard...)

Slide 4

Slide 4 text

Agenda ● Surface ● Scale & Reliability ● Hosting ● Extensibility ● Wrap-up ● Questions

Slide 5

Slide 5 text

Compliance Trust Scale Reliability Security

Slide 6

Slide 6 text

Compliance Features Trust Protocols User Management Search Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing

Slide 7

Slide 7 text

Compliance Features Trust Protocols User Management Search Dashboard SDKs APIs Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing Docs Support Experience

Slide 8

Slide 8 text

Compliance Features Trust Protocols User Management Search Dashboard SDKs APIs Scale Reliability Security AuthZ Session Management Identity Providers Anomaly Detection Auditing Docs Support Experience Extensible

Slide 9

Slide 9 text

SCALE & RELIABILITY

Slide 10

Slide 10 text

From 2014 to Now

Slide 11

Slide 11 text

General Techniques ● Automated deployments ● Rollout, blue/green ● Feature flags ● Rate limits ● Autoscaling

Slide 12

Slide 12 text

Architecture

Slide 13

Slide 13 text

SCALING IAM

Slide 14

Slide 14 text

PASSWORD HASHING

Slide 15

Slide 15 text

PASSWORD HASHING ● Hash: one way, no ability to revert ● Resource intensive ● bcrypt: configure number of rounds ● 2^10: ~80ms -> 12.5/sec per CPU ● 2^12: ~320ms -> 3.125/sec per CPU

Slide 16

Slide 16 text

Expected Response Times

Slide 17

Slide 17 text

Actual Response Times

Slide 18

Slide 18 text

Flamegraphs

Slide 19

Slide 19 text

PASSWORD HASHING SERVICE [diagram labels: AUTH NODE, LB, BaaS, BaaS, BaaS, BaaS]
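The password hashing slides above (per-CPU bcrypt rates, expected vs. actual response times, a separate hashing pool behind a load balancer) can be checked with a small capacity model. This is an added example, not code from the talk: the function names, the evenly spaced arrivals and the 0.7 utilisation target are assumptions, and only the 80 ms / 320 ms figures come from the slide.

```python
import heapq
import math

# Per-hash CPU time from the slide: bcrypt cost 10 ~ 80 ms (cost 12 ~ 320 ms).
COST10_MS = 80.0

def hash_ms(cost):
    """bcrypt work doubles with each cost step; anchored on the slide's cost-10 figure."""
    return COST10_MS * 2 ** (cost - 10)

def max_logins_per_sec(cost, cpus):
    """Throughput ceiling: each CPU completes 1000 / hash_ms hashes per second."""
    return cpus * 1000.0 / hash_ms(cost)

def cpus_needed(cost, logins_per_sec, headroom=0.7):
    """CPUs needed to keep hashing utilisation under `headroom` (assumed target)."""
    return math.ceil(logins_per_sec * hash_ms(cost) / 1000.0 / headroom)

def simulate_latency(cost, cpus, logins_per_sec, seconds=60):
    """FIFO queue of evenly spaced logins over `cpus` workers.

    Returns (median_ms, worst_ms) of time from arrival to hash completion.
    """
    service = hash_ms(cost)
    gap = 1000.0 / logins_per_sec
    free_at = [0.0] * cpus               # time at which each CPU becomes idle
    heapq.heapify(free_at)
    latencies = []
    for i in range(int(seconds * logins_per_sec)):
        arrival = i * gap
        start = max(arrival, heapq.heappop(free_at))   # wait for the next free CPU
        done = start + service
        heapq.heappush(free_at, done)
        latencies.append(done - arrival)
    latencies.sort()
    return latencies[len(latencies) // 2], latencies[-1]

if __name__ == "__main__":
    for cost in (10, 12):
        med, worst = simulate_latency(cost, cpus=4, logins_per_sec=40)
        print(f"cost={cost} ceiling={max_logins_per_sec(cost, 4):.1f}/s "
              f"median={med:.0f}ms worst={worst:.0f}ms "
              f"cpus for 40/s={cpus_needed(cost, 40)}")
```

With the same 4 CPUs and 40 logins/sec, cost 10 stays at the bare hash time while cost 12 exceeds the throughput ceiling and queueing delay grows for as long as the load lasts.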

Slide 20

Slide 20 text

User Search

Slide 21

Slide 21 text

email.domain:auth0.com AND logins_count:[0 TO 10}

Slide 22

Slide 22 text

2013 ● Mongo as a database ● Expose search

Slide 23

Slide 23 text

2015 ● Problems with case-insensitive search ● No ability to search on metadata fields ● Move to Elasticsearch

Slide 24

Slide 24 text

2017 ● Objects with many fields affected ES ● Overly permissive query syntax ● Moved to Postgres ● Support for customer partitions ● Remove ability to perform some queries ● Search v3

Slide 25

Slide 25 text

Tap Compare: https://saucelabs.com/blog/the-why-and-how-of-tap-compare-testing

Slide 26

Slide 26 text

WHERE TO HOST?

Slide 27

Slide 27 text

2014: PROVIDE OPTIONS ● ON-PREM ● AWS SINGLE TENANT ● AZURE SINGLE TENANT ● AWS + AZURE MULTI-TENANT MULTI-REGION

Slide 28

Slide 28 text

2017 ● High cost to maintain another cloud provider ● Low probability of risk ● Decision: no longer Azure on multi-tenant environment

Slide 29

Slide 29 text

2017: PUBLIC CLOUD AWS ONLY ● ON-PREM ● AWS SINGLE TENANT (Auth0 or Customer) ● AZURE SINGLE TENANT (Customer Only) ● AWS MULTI-TENANT MULTI-REGION

Slide 30

Slide 30 text

On-Prem ● Hard to sync on updates ● Different hardware (stateful scaling, stateless scaling) ● Different levels of access/permissions

Slide 31

Slide 31 text

2019: AWS ONLY ● AWS SINGLE TENANT (Customer Account) ● AWS MULTI-TENANT MULTI-REGION ● AWS SINGLE TENANT (Auth0 Account)

Slide 32

Slide 32 text

LOCATION

Slide 33

Slide 33 text

MULTIPLE ENVIRONMENTS ● Data Sovereignty ● Scale ● Latency ● Failure domains ● Price

Slide 34

Slide 34 text

Environments

Slide 35

Slide 35 text

EXTENSIBILITY

Slide 36

Slide 36 text

WHY? ● Useful for product discovery ● Does not require changing core product ● Empowers developers to do integration/customization

Slide 37

Slide 37 text

WHAT? ● Custom email providers ● New OAuth compliant identity providers ● Able to treat any database as an identity provider ● Custom actions on every event: login/signup/etc.

Slide 38

Slide 38 text

HOW? ● Custom serverless platform ● Low latency ● No cold startup ● Sandbox/Isolation ● Limited permission set

Slide 39

Slide 39 text

and Finally...

Slide 40

Slide 40 text

The Feedback Loop [diagram labels: Build, Learn, Measure, Baseline, Hypothesis, Analyze]

Slide 41

Slide 41 text

Thanks @dschenkelman

Slide 42

Slide 42 text

Interested? https://auth0.com/careers/positions?areas=Engineering

Slide 43

Slide 43 text

Questions