at Fastly • Previously Financial Times and Nikkei (Japan) • Elected to the W3C Technical Architecture Group • Started out as an intern developer in the UK air traffic control service (NATS)
name=Helsinki%20Air... GET /home/us User in recognised location accesses a page. The user’s IP is readable as client.ip. User receives premium content and cookie enables additional client-side progressive enhancement Consult Edge Dictionary, Set upstream header GET /home/us Fastly-ID: premium-ip 200 OK Vary: Fastly-ID table ip_special { "23.65.123.7": "name=Hels..", ... } Store two variants in the cache, Set additional edge metadata using a short-lived cookie. fiddle.fastlydemo.net/fiddle/ ce76d16c
service Content service GET /auth 200 OK POST /auth/login 200 OK Auth-Result: VALID Auth-Data: {id:372635,level: "Subscriber",name:"Alice"} 307 Temporary redirect Location: /home Set-Cookie: auth=######### GET /home Cookie: auth=######### 200 OK Vary: Auth-Level 200 OK GET /home Auth-ID: 372635 Auth-Level: Subscriber Auth-Name: Alice Get the login form Submit the login form, get a session cookie & redirect to homepage Load homepage, get Subscriber-only version
200 OK GET /vid.mp4?token=9734536_j f948fhw0th04htnfpbsnwp9te User in recognised location accesses a page. The user’s IP is readable as client.ip. User receives premium content and cookie enables additional client-side progressive enhancement - Check signature matches URL - Check IP / User-Agent / Referrer - Check timestamp is still valid - Strip token from URL GET /vid.mp4 200 OK
service GET /login 200 OK 307 Temporary redirect Set-Cookie: auth=jsfu38vsjneruigereer... Location: /article/kittens User wants to log in Send token to Fastly, get session cookie and redirect to the article page GET https://account.google.com/sso?... GET /session?code=d8g... Negotiate with the third party, get a token GET /article/kittens GET /article/kittens Use Auth provider’s published certificates to verify the ID token
auth=iuf34t89qw9a8hvaa... Logged-in user attempts to view content. Using cookie, we can determine their groups. Because content requires a group membership that the user has, the access is allowed GET /article/kittens 200 OK Require-Groups: std-premium 7club uk eu gdpr std-premium std-premium 7club
Cookie: auth=######## 200 OK Paywall: https://.../check ?id=93535&mode=meter&level=1 200 OK Set-Cookie: p={remain:5, total:10}; max-age=10 Decode user cookie, add userid to request, restart. GET /check?id=93535&mode=meter&level=1 Auth-User: 12345 200 OK Paywall-Result: ALLOW Paywall-Meta: {remain:5, total:10} GET /article/kittens GET /article/kittens Request a protected article Restart to recover the requested article from cache Article delivered with a cookie containing paywall data for use in UI
of your app • Many different ways to do this • Browser technologies are changing established patterns • Using edge logic improves performance and security, simplifies architecture • Try using Fastly for your identity and access use case! Summary