
Authentication at the Edge

Andrew Betts
September 13, 2018



  1. Authentication at the Edge. Andrew Betts | Developer Advocate

  2. Who is this guy
     • Developer advocate and product manager at Fastly
     • Previously Financial Times and Nikkei (Japan)
     • Elected to the W3C Technical Architecture Group
     • Started out as an intern developer in the UK air traffic control service (NATS)
  3. Identity

  4. Magic, circa 2001 http://intranet/my/example/app <?php echo $_SERVER['PHP_AUTH_USER']; ?>

  5. Middleware, circa 2010: app.get('/', doAuth, (req, res) => { res.end(req.user.name); });

  6. New magic, circa 2018: app.get('/', (req, res) => { res.end(req.get('User-Name')); });

  7. Middleware at the edge? Validate, Normalise, Authenticate, Optimise, CORS, Compress

  8. Authentication vs Authorisation

  9. Authentication Authorisation

  10. Authentication: Who am I?

  11. Authentication methods
      • IP address
      • HTTP auth
      • Username/password
      • Single use tokens
      • Single-sign on / OAuth / “Login with Google”
      • Code generators (TOTP / 2FA)
  12. Welcome to the Finnair lounge. Please enjoy complimentary access to the New York Times.
  13. IP based authentication (fiddle.fastlydemo.net/fiddle/ce76d16c)
      Participants: User, Fastly, Origin
      User → Fastly: GET /home/us
        User in recognised location accesses a page. The user’s IP is readable as client.ip.
        Consult Edge Dictionary, set upstream header: table ip_special { "": "name=Hels..", ... }
      Fastly → Origin: GET /home/us, Fastly-ID: premium-ip
      Origin → Fastly: 200 OK, Vary: Fastly-ID
        Store two variants in the cache.
      Fastly → User: 200 OK, Set-Cookie: ip_special=name=Helsinki%20Air...
        Set additional edge metadata using a short-lived cookie. User receives premium content and the cookie enables additional client-side progressive enhancement.
  14. HTTP authentication (fiddle.fastlydemo.net/fiddle/a7162845)

  15. None
  16. State?

  17. Maintaining state with edge-managed cookies
      Identity persists as cookies: Cookie: auth=fgt983tgc9vtSFiw4H9asdfF
      Identity persists as headers: Fastly-ID: 12565, Fastly-User-Name: Andrew
      Vary: Fastly-ID / Fastly-ID: 12565
  18. Header name             Example value         Cardinality (OOM)
      Fastly-ID               1406535               1,000,000
      Fastly-User-Name        Andrew                100,000
      Fastly-User-Groups      eu gdpr premium uk1   1000
      Fastly-User-Level       4                     10
      Fastly-User-Is-Premium  1                     1
  19. Maintaining state with edge-managed cookies (fiddle.fastlydemo.net/fiddle/c249a659)
      Participants: User, Fastly, Auth service, Content service
      Get the login form:
        User → Fastly: GET /auth
        Fastly → User: 200 OK
      Submit the login form, get a session cookie & redirect to homepage:
        User → Fastly → Auth service: POST /auth/login
        Auth service → Fastly: 200 OK, Auth-Result: VALID, Auth-Data: {id:372635,level:"Subscriber",name:"Alice"}
        Fastly → User: 307 Temporary redirect, Location: /home, Set-Cookie: auth=#########
      Load homepage, get Subscriber-only version:
        User → Fastly: GET /home, Cookie: auth=#########
        Fastly → Content service: GET /home, Auth-ID: 372635, Auth-Level: Subscriber, Auth-Name: Alice
        Content service → Fastly: 200 OK, Vary: Auth-Level
        Fastly → User: 200 OK
  20. None
  21. Time limited URL tokens (fiddle.fastlydemo.net/fiddle/a04d81ca)
      Participants: User, Fastly, Static assets
      User → Fastly: GET /vid.mp4?token=9734536_jf948fhw0th04htnfpbsnwp9te
      Fastly:
        - Check signature matches URL
        - Check IP / User-Agent / Referrer
        - Check timestamp is still valid
        - Strip token from URL
      Fastly → Static assets: GET /vid.mp4
      Static assets → Fastly: 200 OK
      Fastly → User: 200 OK
  22. None
  23. Single sign on (fiddle.fastlydemo.net/fiddle/e405f025)
      Participants: User, Fastly, Auth provider, Content service
      User wants to log in:
        User → Fastly: GET /login
        Fastly → User: 307 Temporary redirect
      Negotiate with the third party, get a token:
        User → Auth provider: GET https://account.google.com/sso?...
      Send token to Fastly, get session cookie and redirect to the article page:
        User → Fastly: GET /session?code=d8g...
        Fastly: use Auth provider’s published certificates to verify the ID token
        Fastly → User: 307 Temporary redirect, Set-Cookie: auth=jsfu38vsjneruigereer..., Location: /article/kittens
      User → Fastly: GET /article/kittens
      Fastly → Content service: GET /article/kittens
      Fastly → User: 200 OK
  24. Authorization: What can I do?

  25. Authorization criteria
      • Identified
      • Level (basic, premium)
      • Group membership
      • Credit balance
      • Environmental/external (territorial rights, time)
  26. Intersecting groups

  27. Intersecting groups
      Participants: User, Fastly, Origin
      User → Fastly: GET /article/kittens, Cookie: auth=iuf34t89qw9a8hvaa...
        Logged-in user attempts to view content. Using the cookie, we can determine their groups.
      Fastly → Origin: GET /article/kittens
      Origin → Fastly: 200 OK, Require-Groups: ... (group labels as shown on the diagram: std-premium 7club uk eu gdpr std-premium std-premium 7club)
        Because the content requires a group membership that the user has, access is allowed.
      Fastly → User: 200 OK
  28. Metered paywall

  29. Metered paywall
      Participants: User, Fastly, Paywall service, Content service
      Request a protected article:
        User → Fastly: GET /article/kittens, Cookie: auth=########
        Decode user cookie, add userid to request, restart.
      Fastly → Content service: GET /article/kittens
      Content service → Fastly: 200 OK, Paywall: https://.../check?id=93535&mode=meter&level=1
      Fastly → Paywall service: GET /check?id=93535&mode=meter&level=1, Auth-User: 12345
      Paywall service → Fastly: 200 OK, Paywall-Result: ALLOW, Paywall-Meta: {remain:5, total:10}
      Restart to recover the requested article from cache: GET /article/kittens
      Article delivered with a cookie containing paywall data for use in UI:
        Fastly → User: 200 OK, Set-Cookie: p={remain:5, total:10}; max-age=10
  30. Territorial rights • IP Geolocation • Group intersection (region-locked accounts)

  31. Modern web technologies
      • Fast, instant payments using the Payment Request API
      • Seamless biometrics and keys with the WebAuthn API
  32. Summary
      • Identity and authorization can be the most complex parts of your app
      • Many different ways to do this
      • Browser technologies are changing established patterns
      • Using edge logic improves performance and security, simplifies architecture
      • Try using Fastly for your identity and access use case!
  33. Thanks for listening. I am Andrew Betts, @triblondon, abetts@fastly.com. Get the slides: fastly.us/auth-talk