Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authentication at the Edge

Andrew Betts
September 13, 2018

Authentication at the Edge

Andrew Betts

September 13, 2018

More Decks by Andrew Betts

Other Decks in Technology


  1. presents Authentication at the Edge Andrew Betts | Developer Advocate

  2. Who is this guy • Developer advocate and product manager

    at Fastly • Previously Financial Times and Nikkei (Japan) • Elected to the W3C Technical Architecture Group • Started out as an intern developer in the UK air traffic control service (NATS)
  3. Identity

  4. Magic, circa 2001 http://intranet/my/example/app <?php echo $_SERVER['PHP_AUTH_USER']; ?>

  5. Middleware, circa 2010 app.get('/', doAuth, (req, res) => { res.end(req.user.name);

  6. New magic, circa 2018 app.get('/', (req, res) => { res.end(req.get('User-Name'));

  7. Middleware at the edge? Validate Normalise Authenticate Optimise CORS Compress

  8. Authentication vs Authorisation

  9. Authentication Authorisation

  10. Authentication: Who am I?

  11. • IP address • HTTP auth • Username/password • Single

    use tokens • Single-sign on / OAuth / “Login with Google” • Code generators (TOTP / 2FA) Authentication methods
  12. Welcome to the Finnair lounge. Please enjoy complimentary access to

    the New York Times.
  13. IP based authentication User Fastly Origin 200 OK Set-Cookie: ip_special=

    name=Helsinki%20Air... GET /home/us User in recognised location accesses a page. The user’s IP is readable as client.ip. User receives premium content and cookie enables additional client-side progressive enhancement Consult Edge Dictionary, Set upstream header GET /home/us Fastly-ID: premium-ip 200 OK Vary: Fastly-ID table ip_special { "": "name=Hels..", ... } Store two variants in the cache, Set additional edge metadata using a short-lived cookie. fiddle.fastlydemo.net/fiddle/ ce76d16c
  14. fiddle.fastlydemo.net/fiddle/ a7162845 HTTP authentication

  15. None
  16. State?

  17. Maintaining state with edge-managed cookies Identity persists as cookies: Cookie:

    auth=fgt983tgc9vtSFi w4H9asdfF Identity persists as headers: Fastly-ID: 12565 Fastly-User-Name: Andrew Vary: Fastly-ID Fastly-ID: 12565
  18. Header name Fastly-ID Fastly-User-Name Fastly-User-Groups Fastly-User-Level Fastly-User-Is-Premium Example value 1406535

    Andrew eu gdpr premium uk1 4 1 Cardinality (OOM) 1,000,000 100,000 1000 10 1
  19. Maintaining state with edge-managed cookies fiddle.fastlydemo.net/fiddle/ c249a659 User Fastly Auth

    service Content service GET /auth 200 OK POST /auth/login 200 OK Auth-Result: VALID Auth-Data: {id:372635,level: "Subscriber",name:"Alice"} 307 Temporary redirect Location: /home Set-Cookie: auth=######### GET /home Cookie: auth=######### 200 OK Vary: Auth-Level 200 OK GET /home Auth-ID: 372635 Auth-Level: Subscriber Auth-Name: Alice Get the login form Submit the login form, get a session cookie & redirect to homepage Load homepage, get Subscriber-only version
  20. None
  21. Time limited URL tokens fiddle.fastlydemo.net/fiddle/ a04d81ca User Fastly Static assets

    200 OK GET /vid.mp4?token=9734536_j f948fhw0th04htnfpbsnwp9te User in recognised location accesses a page. The user’s IP is readable as client.ip. User receives premium content and cookie enables additional client-side progressive enhancement - Check signature matches URL - Check IP / User-Agent / Referrer - Check timestamp is still valid - Strip token from URL GET /vid.mp4 200 OK
  22. None
  23. Single sign on fiddle.fastlydemo.net/fiddle/ e405f025 User Fastly Auth provider Content

    service GET /login 200 OK 307 Temporary redirect Set-Cookie: auth=jsfu38vsjneruigereer... Location: /article/kittens User wants to log in Send token to Fastly, get session cookie and redirect to the article page GET https://account.google.com/sso?... GET /session?code=d8g... Negotiate with the third party, get a token GET /article/kittens GET /article/kittens Use Auth provider’s published certificates to verify the ID token
  24. Authorization: What can I do?

  25. • Identified • Level (basic, premium) • Group membership •

    Credit balance • Environmental/external (territorial rights, time) Authorization criteria
  26. Intersecting groups

  27. Intersecting groups User Fastly Origin 200 OK GET /article/kittens Cookie:

    auth=iuf34t89qw9a8hvaa... Logged-in user attempts to view content. Using cookie, we can determine their groups. Because content requires a group membership that the user has, the access is allowed GET /article/kittens 200 OK Require-Groups: std-premium 7club uk eu gdpr std-premium std-premium 7club
  28. Metered paywall

  29. Metered paywall User Fastly Paywall service Content service GET /article/kittens

    Cookie: auth=######## 200 OK Paywall: https://.../check ?id=93535&mode=meter&level=1 200 OK Set-Cookie: p={remain:5, total:10}; max-age=10 Decode user cookie, add userid to request, restart. GET /check?id=93535&mode=meter&level=1 Auth-User: 12345 200 OK Paywall-Result: ALLOW Paywall-Meta: {remain:5, total:10} GET /article/kittens GET /article/kittens Request a protected article Restart to recover the requested article from cache Article delivered with a cookie containing paywall data for use in UI
  30. Territorial rights • IP Geolocation • Group intersection (region-locked accounts)

  31. Modern web technologies Fast, instant payments using Payment Request API

    Seamless biometrics and keys WebAuthN API
  32. • Identity and authorization can be the most complex parts

    of your app • Many different ways to do this • Browser technologies are changing established patterns • Using edge logic improves performance and security, simplifies architecture • Try using Fastly for your identity and access use case! Summary
  33. Thanks for listening I am Get the slides: Andrew Betts

    @triblondon [email protected] fastly.us/auth-talk