Leaving the State: Sessionless (Stateless) Authentication in D8 with Whole Foods Market. BADCamp 2017
These Guys: Dr J Daverth, Technical Lead, Whole Foods Market (D.O.: dr-jay, BitBucket: drjdaverth, LinkedIn: drjdaverth). Adam Weingarten, Senior Technical Architect, Acquia (D.O.: adam.weingarten, GitHub: aweingarten, LinkedIn: adam.weingarten).
Brought to you by
What are we going to talk about? Why is scaling authenticated traffic hard? What is sessionless auth? How can you use it to manage a single login to multiple sites? Working with an external auth provider (Janrain). PIIaaS! Storing PII as a Service in an API. Proxying web-service calls - don't do it! How to delegate OAuth tokens.
Case Study: www.wholefoodsmarket.com. Launched July 2012 on Drupal 7. Designed for a much more static world: full page refreshes, not service based.
Deep dive into the issues on D7. Primitive Janrain social integration: really heavy weight on page load. Bloated DB: copies took forever, and it stored unnecessary PII. Authenticated experiences required full page loads, which meant things weren't cacheable.
You want your food to be grown organically, not your website.
D8 High Level Goals
Technical Drivers: Support 10% authenticated traffic. SSO between D7 and D8. Personalized digital experience. Mobile / responsive experience.
Back to the Basics
Scaling Anonymous Traffic Is Easy. You can let the CDN do the lifting: Fastly, Akamai, CloudFlare. Put Varnish in front of your web servers. Hit your origin once, then store the response at Varnish and the CDN. Caching solves all the problems.
What is a session? "The sequence of interactions between client and server, or between user and system; the period during which a user is logged in or connected." -- Thus spoke Wikipedia
What is a PHP Session? - The $_SESSION superglobal - Start with session_start() early in your PHP script. - Drupal wraps it and stores data across requests in the DB - Uses a cookie value to ID you
What does it look like?
Why are sessions a PAIN?
HTTP/1.1 200 OK
Age: 0
Cache-Control: must-revalidate, no-cache, private
Via: 1.1 varnish-v4
Connection: keep-alive
X-Cache: MISS, MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1508437362.252176,VS0,VE296
Under Pressure
Opposition of Forces: The new experience requires personalization. Our infrastructure sucks at personalized data.
Oh, did you forget we also need to support seamless login to D7 and D8? Log in to one system, and let the second system hit a service to confirm the user is authenticated. Set a token that both sites can read.
Solutions, not problems. After we have crushed your soul, let's build you back up.
Traditional Auth: Get session data. Yeah, they're cool. Authenticates against the IDP. Return personalized data. Drupal 8 with MySQL session tables. Return session data.
Sessionless Auth
From Drupal's POV
What is in the magic encrypted token? Anything that might live in a PHP session or the user table: API user IDs, session expiration time.
How does this let me do D7 and D8? Assuming that the two sites are on the same domain or a subdomain, both sites can read the cookie. With a shared decryption key, both can read its contents. I log in on D8 -> I go to a page being hosted on D7.
I used to log people out by truncating the session table. Now what?
We can show you how to prevent world domination by zombies
Cookies: Fresh baked, stale, or burned to a crisp?
Event                    Set Cookie        Cookie Expiration
Joe signs in             9/7/17 8:00 AM    10/7/17 8:00 AM
Adam kicks everyone out  9/7/17 10:00 AM   10/7/17 10:00 AM
Saul logs in             9/7/17 11:00 AM   11/7/17 11:00 AM
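The token the previous slides describe, and the "kick everyone out" check from the table above, as an added example that is not code from the talk or from Whole Foods Market. It stands in an HMAC-signed, base64url JSON payload for the deck's encrypted token (signing proves the cookie was minted with the shared key; encryption would be layered on if the payload had to stay hidden), and assumes a constructed shared key and epoch-style integer timestamps in place of the slide's dates.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder: both D7 and D8 would load the real key from config.
SHARED_KEY = b"constructed-demo-key-shared-by-d7-and-d8"
ONE_MONTH = 30 * 24 * 3600  # the slide's cookies expire one month after issue


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, issued_at: int, ttl: int = ONE_MONTH, key: bytes = SHARED_KEY) -> str:
    """Mint the cookie value: what would otherwise sit in the session/user table."""
    payload = {"uid": user_id, "iat": issued_at, "exp": issued_at + ttl}
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_token(token: str, now: int, logout_before: int = 0, key: bytes = SHARED_KEY):
    """Return the payload if the cookie is fresh, else None.

    logout_before is the global 'Adam kicks everyone out' timestamp: every
    token issued before it is treated as burned, with no session table to truncate.
    """
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: signature does not match
    try:
        payload = json.loads(b64url_decode(body))
    except ValueError:
        return None
    if now >= payload["exp"]:
        return None  # stale: past its own expiration
    if payload["iat"] < logout_before:
        return None  # burned: issued before the global logout
    return payload
```

Either site can run verify_token against the shared cookie; revoking everyone is a matter of publishing a new logout_before instead of truncating a table.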
PIIaaS: Storing PII as a Service in an API
PII as a Service: All personalized content on iOS, Android and web via the API. Drupal is a consumer of the API like anyone else. No DB calls, no PII unnecessarily stored on Drupal. Clear separation of concerns.
Proxying webservice calls is bad.
Yeah, this is why it's really bad: latency. Each web server has a finite number of concurrent PHP procs. When you make a web-service call you tie up those procs waiting for a response. That limits transactions per second.
How do I fix it?
The browser can access the API layer directly without an intermediary.
How Scalable?
Very Scalable
Ended up with: a scalable system, and separation of concerns: each part of our stack can focus on doing one thing well.
Questions?
Thank you!