
Authentication at the Edge

Andrew Betts
September 13, 2018

Transcript

  1. presents
    Authentication at
    the Edge
    Andrew Betts | Developer Advocate

  2. Who is this guy
    • Developer advocate and
    product manager at Fastly
    • Previously Financial Times and
    Nikkei (Japan)
    • Elected to the W3C Technical
    Architecture Group
    • Started out as an intern
    developer in the UK air traffic
    control service (NATS)

  3. Identity

  4. Magic, circa 2001
    http://intranet/my/example/app
    <?php
    // Username from the HTTP Basic credentials the browser sent; the web
    // server's auth config has already checked them before the script runs.
    echo $_SERVER['PHP_AUTH_USER'];
    ?>

  5. Middleware, circa 2010
    // doAuth runs first and attaches the authenticated user to req.user
    app.get('/', doAuth, (req, res) => {
      res.end(req.user.name);
    });

  6. New magic, circa 2018
    // The edge has already authenticated the request and set User-Name.
    // Safe only if the edge overwrites any User-Name the client sends and
    // the origin accepts traffic from the edge alone.
    app.get('/', (req, res) => {
      res.end(req.get('User-Name'));
    });

  7. Middleware at the edge?
    Validate · Normalise · Authenticate · Optimise · CORS · Compress · Route

  8. Authentication
    vs Authorisation

  9. Authentication Authorisation

  10. Authentication:
    Who am I?

  11. Authentication methods
    • IP address
    • HTTP auth
    • Username/password
    • Single use tokens
    • Single-sign on / OAuth / “Login with Google”
    • Code generators (TOTP / 2FA)

  12. Welcome to the Finnair lounge. Please enjoy
    complimentary access to the New York Times.

  13. IP based authentication
    fiddle.fastlydemo.net/fiddle/ce76d16c
    Participants: User, Fastly, Origin

    User -> Fastly:   GET /home/us
      User in a recognised location accesses a page. The user’s IP is
      readable as client.ip.
    Fastly:           Consult Edge Dictionary, set upstream header
      table ip_special {
        "23.65.123.7": "name=Hels..",
        ...
      }
    Fastly -> Origin: GET /home/us
                      Fastly-ID: premium-ip
    Origin -> Fastly: 200 OK
                      Vary: Fastly-ID
      Store two variants in the cache, set additional edge metadata
      using a short-lived cookie.
    Fastly -> User:   200 OK
                      Set-Cookie: ip_special=name=Helsinki%20Air...
      User receives premium content and the cookie enables additional
      client-side progressive enhancement.

  14. HTTP authentication
    fiddle.fastlydemo.net/fiddle/a7162845

  16. State?

  17. Maintaining state with edge-managed cookies
    Between the user and Fastly, identity persists as a cookie:
      Cookie: auth=fgt983tgc9vtSFiw4H9asdfF
    Between Fastly and the origin, identity persists as headers:
      Fastly-ID: 12565
      Fastly-User-Name: Andrew
    The origin responds with Vary: Fastly-ID, so the cached variant is keyed on
      Fastly-ID: 12565

  18. Header name              Example value          Cardinality (OOM, order of magnitude)
      Fastly-ID                1406535                1,000,000
      Fastly-User-Name         Andrew                 100,000
      Fastly-User-Groups       eu gdpr premium uk1    1000
      Fastly-User-Level        4                      10
      Fastly-User-Is-Premium   1                      1

  19. Maintaining state with edge-managed cookies
    fiddle.fastlydemo.net/fiddle/c249a659
    Participants: User, Fastly, Auth service, Content service

    Get the login form:
      User -> Fastly -> Auth service:  GET /auth
      Auth service -> Fastly -> User:  200 OK

    Submit the login form, get a session cookie and a redirect to the homepage:
      User -> Fastly -> Auth service:  POST /auth/login
      Auth service -> Fastly:          200 OK
                                       Auth-Result: VALID
                                       Auth-Data: {id:372635, level:"Subscriber", name:"Alice"}
      Fastly -> User:                  307 Temporary redirect
                                       Location: /home
                                       Set-Cookie: auth=#########

    Load the homepage, get the Subscriber-only version:
      User -> Fastly:                  GET /home
                                       Cookie: auth=#########
      Fastly -> Content service:       GET /home
                                       Auth-ID: 372635
                                       Auth-Level: Subscriber
                                       Auth-Name: Alice
      Content service -> Fastly:       200 OK
                                       Vary: Auth-Level
      Fastly -> User:                  200 OK

  21. Time limited URL tokens
    fiddle.fastlydemo.net/fiddle/a04d81ca
    Participants: User, Fastly, Static assets

    User -> Fastly:          GET /vid.mp4?token=9734536_jf948fhw0th04htnfpbsnwp9te
      The user requests an asset with a time-limited token in the URL.
    Fastly:                  - Check signature matches URL
                             - Check IP / User-Agent / Referrer
                             - Check timestamp is still valid
                             - Strip token from URL (so one cached copy of
                               /vid.mp4 serves every token holder)
    Fastly -> Static assets: GET /vid.mp4
    Static assets -> Fastly: 200 OK
    Fastly -> User:          200 OK

  23. Single sign on
    fiddle.fastlydemo.net/fiddle/e405f025
    Participants: User, Fastly, Auth provider, Content service

    User wants to log in:
      User -> Fastly:            GET /login
      Fastly -> User:            200 OK

    Negotiate with the third party, get a token:
      User -> Auth provider:     GET https://account.google.com/sso?...

    Send the token to Fastly, get a session cookie and a redirect to the article page:
      User -> Fastly:            GET /session?code=d8g...
      Fastly:                    Use the Auth provider’s published certificates
                                 to verify the ID token
      Fastly -> User:            307 Temporary redirect
                                 Set-Cookie: auth=jsfu38vsjneruigereer...
                                 Location: /article/kittens

    Load the article:
      User -> Fastly:            GET /article/kittens
      Fastly -> Content service: GET /article/kittens

  24. Authorization:
    What can I do?

  25. Authorization criteria
    • Identified
    • Level (basic, premium)
    • Group membership
    • Credit balance
    • Environmental/external (territorial rights, time)

  26. Intersecting groups

  27. Intersecting groups
    Participants: User, Fastly, Origin

    User -> Fastly:   GET /article/kittens
                      Cookie: auth=iuf34t89qw9a8hvaa...
      Logged-in user attempts to view content. Using the cookie, we can
      determine their groups: uk eu gdpr std-premium
    Fastly -> Origin: GET /article/kittens
    Origin -> Fastly: 200 OK
                      Require-Groups: std-premium 7club
      Because the content requires a group membership that the user has
      (std-premium), the access is allowed.
    Fastly -> User:   200 OK

  28. Metered paywall

  29. Metered paywall
    Participants: User, Fastly, Paywall service, Content service

    Request a protected article:
      User -> Fastly:            GET /article/kittens
                                 Cookie: auth=########
      Fastly:                    Decode user cookie, add userid to request, restart.
      Fastly -> Content service: GET /article/kittens
      Content service -> Fastly: 200 OK
                                 Paywall: https://.../check?id=93535&mode=meter&level=1
      Fastly -> Paywall service: GET /check?id=93535&mode=meter&level=1
                                 Auth-User: 12345
      Paywall service -> Fastly: 200 OK
                                 Paywall-Result: ALLOW
                                 Paywall-Meta: {remain:5, total:10}

    Restart to recover the requested article from cache:
      Fastly:                    GET /article/kittens

    Article delivered with a cookie containing paywall data for use in the UI:
      Fastly -> User:            200 OK
                                 Set-Cookie: p={remain:5, total:10}; max-age=10

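
The two authorization decisions of slides 27 and 29 (group intersection, then the metered paywall) as one added example of edge logic. This is not code from the talk or from Fastly. The header names Require-Groups, Paywall and the Auth-User id follow the slides; the rule that any one listed group grants access (inferred from slide 27, where a user with std-premium but not 7club was allowed), the in-memory PaywallService standing in for the real paywall service, the requirement that metered content needs a logged-in user, and the URL-encoding of the p cookie are this example's assumptions.

```javascript
// Added example, not code from the talk or from Fastly: the two authorization
// decisions of slides 27 and 29 as edge logic. Header names (Require-Groups,
// Paywall, Auth-User) follow the slides; the group rule (any listed group
// grants access), the in-memory PaywallService and the cookie encoding are
// this example's assumptions.

// Slide 27: the origin labels the article with the groups that may read it.
// The user there held std-premium but not 7club and was let in, so one
// matching group is enough. No header means unprotected content.
function groupsAllow(requireGroupsHeader, userGroups) {
  const required = (requireGroupsHeader || '').trim().split(/\s+/).filter(Boolean);
  if (required.length === 0) return true;
  const held = new Set(userGroups || []);
  return required.some((g) => held.has(g));
}

// Slide 29: the Paywall header carries the check URL; pull its parameters out.
// Paywall: https://.../check?id=93535&mode=meter&level=1
function parsePaywallHeader(value) {
  const u = new URL(value);
  return {
    articleId: u.searchParams.get('id'),
    mode: u.searchParams.get('mode'),
    level: u.searchParams.get('level'),
  };
}

// Stand-in for the paywall service (assumption): a per-user meter of distinct
// articles at a given level. Re-reading an article already counted is free.
class PaywallService {
  constructor(total = 10) { this.total = total; this.seen = new Map(); }
  check({ userId, articleId, mode, level }) {
    if (mode !== 'meter') return { result: 'ALLOW', meta: null };
    const key = `${userId}:${level}`;
    const articles = this.seen.get(key) || new Set();
    if (!articles.has(articleId)) {
      if (articles.size >= this.total) return { result: 'DENY', meta: { remain: 0, total: this.total } };
      articles.add(articleId);
      this.seen.set(key, articles);
    }
    return { result: 'ALLOW', meta: { remain: this.total - articles.size, total: this.total } };
  }
}

// The edge decision for one request. `user` is the identity recovered from
// the auth cookie ({ id, groups }) or null; `originHeaders` are the response
// headers of the article fetched from cache or the content service.
function authorize(user, originHeaders, paywall) {
  if (!groupsAllow(originHeaders['Require-Groups'], user && user.groups)) {
    return { allow: false, reason: 'group', meta: null, setCookie: null };
  }
  const paywallHeader = originHeaders['Paywall'];
  if (!paywallHeader) return { allow: true, reason: 'open', meta: null, setCookie: null };
  // Assumption: the meter is keyed on Auth-User, so anonymous readers must log in.
  if (!user) return { allow: false, reason: 'login required', meta: null, setCookie: null };
  const { result, meta } = paywall.check({ userId: user.id, ...parsePaywallHeader(paywallHeader) });
  // Slide 29: short-lived cookie carrying the meter state for the page's UI.
  const setCookie = meta ? `p=${encodeURIComponent(JSON.stringify(meta))}; Max-Age=10` : null;
  return { allow: result === 'ALLOW', reason: 'paywall', meta, setCookie };
}
```

Group membership is decided before the paywall is consulted, so a request that fails the Require-Groups check never spends a metered view, and the p cookie is advisory only: the count that matters lives in the paywall service, not in anything the browser can edit.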
  30. Territorial rights
    • IP Geolocation
    • Group intersection
    (region-locked accounts)

  31. Modern web technologies
    • Fast, instant payments using the Payment Request API
    • Seamless biometrics and keys using the WebAuthn API

  32. Summary
    • Identity and authorization can be the most complex parts of your app
    • Many different ways to do this
    • Browser technologies are changing established patterns
    • Using edge logic improves performance and security, simplifies architecture
    • Try using Fastly for your identity and access use case!

  33. Thanks for listening
    I am Andrew Betts
    @triblondon
    [email protected]
    Get the slides: fastly.us/auth-talk
