Authentication at the Edge

presents
Authentication at
the Edge
Andrew Betts | Developer Advocate

View Slide

Who is this guy
• Developer advocate and
product manager at Fastly
• Previously Financial Times and
Nikkei (Japan)
• Elected to the W3C Technical
Architecture Group
• Started out as an intern
developer in the UK air traffic
control service (NATS)

View Slide

Identity

View Slide

Magic, circa 2001
http://intranet/my/example/app
echo $_SERVER['PHP_AUTH_USER'];
?>

View Slide

Middleware, circa 2010
app.get('/', doAuth, (req, res) => {
res.end(req.user.name);
});

View Slide

New magic, circa 2018
app.get('/', (req, res) => {
res.end(req.get('User-Name'));
});

View Slide

Middleware at the edge?
Validate Normalise Authenticate
Optimise
CORS Compress
Route

View Slide

Authentication
vs Authorisation

View Slide

Authentication Authorisation

View Slide

Authentication:
Who am I?

View Slide

• IP address
• HTTP auth
• Username/password
• Single use tokens
• Single-sign on / OAuth / “Login with Google”
• Code generators (TOTP / 2FA)
Authentication methods

View Slide

Welcome to the Finnair lounge. Please enjoy
complimentary access to the New York Times.

View Slide

IP based authentication
User Fastly Origin
200 OK
Set-Cookie: ip_special=
name=Helsinki%20Air...
GET /home/us
User in recognised location
accesses a page. The user’s IP
is readable as client.ip.
User receives premium content
and cookie enables additional
client-side progressive
enhancement
Consult Edge Dictionary,
Set upstream header
GET /home/us
Fastly-ID: premium-ip
200 OK
Vary: Fastly-ID
table ip_special {
"23.65.123.7": "name=Hels..",
...
}
Store two variants in the cache,
Set additional edge metadata
using a short-lived cookie.
fiddle.fastlydemo.net/fiddle/
ce76d16c

View Slide

a7162845
HTTP authentication

View Slide

View Slide

State?

View Slide

Maintaining state with edge-managed cookies
Identity persists as cookies:
Cookie: auth=fgt983tgc9vtSFi
w4H9asdfF
Identity persists as headers:
Fastly-ID: 12565
Fastly-User-Name: Andrew
Vary: Fastly-ID
Fastly-ID: 12565

View Slide

Header name
Fastly-ID
Fastly-User-Name
Fastly-User-Groups
Fastly-User-Level
Fastly-User-Is-Premium
Example value
1406535
Andrew
eu gdpr premium uk1
4
1
Cardinality (OOM)
1,000,000
100,000
1000
10
1

View Slide

Maintaining state with edge-managed cookies
c249a659
User Fastly Auth service Content service
GET /auth
200 OK
POST /auth/login
200 OK
Auth-Result: VALID
Auth-Data: {id:372635,level:
"Subscriber",name:"Alice"}
307 Temporary redirect
Location: /home
Set-Cookie: auth=#########
GET /home
Cookie: auth=#########
200 OK
Vary: Auth-Level
200 OK
GET /home
Auth-ID: 372635
Auth-Level: Subscriber
Auth-Name: Alice
Get the login form
Submit the login form,
get a session cookie &
redirect to homepage
Load homepage, get
Subscriber-only version

View Slide

View Slide

Time limited URL tokens
a04d81ca
User Fastly Static assets
200 OK
GET /vid.mp4?token=9734536_j
f948fhw0th04htnfpbsnwp9te
User in recognised location
accesses a page. The user’s IP
is readable as client.ip.
User receives premium content
and cookie enables additional
client-side progressive
enhancement
- Check signature matches URL
- Check IP / User-Agent / Referrer
- Check timestamp is still valid
- Strip token from URL
GET /vid.mp4
200 OK

View Slide

View Slide

Single sign on
e405f025
User Fastly Auth provider
Content service
GET /login
200 OK
307 Temporary redirect
Set-Cookie:
auth=jsfu38vsjneruigereer...
Location: /article/kittens
User wants to log in
Send token to Fastly, get
session cookie and redirect to
the article page
GET https://account.google.com/sso?...
GET /session?code=d8g...
Negotiate with the third party,
get a token
GET /article/kittens GET /article/kittens
Use Auth provider’s
published certificates
to verify the ID token

View Slide

Authorization:
What can I do?

View Slide

• Identified
• Level (basic, premium)
• Group membership
• Credit balance
• Environmental/external (territorial rights, time)
Authorization criteria

View Slide

Intersecting groups

View Slide

Intersecting groups
User Fastly Origin
200 OK
GET /article/kittens
Cookie: auth=iuf34t89qw9a8hvaa...
Logged-in user attempts to view
content. Using cookie, we can
determine their groups.
Because content requires a
group membership that the
user has, the access is allowed
200 OK
Require-Groups: std-premium 7club
uk eu gdpr std-premium
std-premium 7club

View Slide

Metered paywall

View Slide

Metered paywall
User Fastly Paywall service
Content service
Cookie: auth=########
200 OK
Paywall: https://.../check
?id=93535&mode=meter&level=1
200 OK
Set-Cookie:
p={remain:5, total:10}; max-age=10
Decode user cookie,
add userid to request, restart.
GET /check?id=93535&mode=meter&level=1
Auth-User: 12345
200 OK
Paywall-Result: ALLOW
Paywall-Meta: {remain:5, total:10}
Request a
protected article
Restart to recover the requested
article from cache
Article delivered with a
cookie containing paywall
data for use in UI

View Slide

Territorial rights
• IP Geolocation
• Group intersection
(region-locked accounts)

View Slide

Modern web technologies
Fast, instant payments using
Payment Request API
Seamless biometrics and keys
WebAuthN API

View Slide

• Identity and authorization can be the most complex parts of your app
• Many different ways to do this
• Browser technologies are changing established patterns
• Using edge logic improves performance and security, simplifies
architecture
• Try using Fastly for your identity and access use case!
Summary

View Slide

Thanks for listening
I am Get the slides:
Andrew Betts
@triblondon
[email protected]
fastly.us/auth-talk

View Slide

Authentication at the Edge

Authentication at the Edge

Andrew Betts

More Decks by Andrew Betts

Other Decks in Technology

Featured

Transcript