Leaving the State: Sessionless (Stateless) Authentication in D8 with Whole Foods Market. BADCamp 2017


These Guys
- Dr J Daverth, Technical Lead, Whole Foods Market. D.O.: dr-jay, BitBucket: drjdaverth, LinkedIn: drjdaverth
- Adam Weingarten, Senior Technical Architect, Acquia. D.O.: adam.weingarten, GitHub: aweingarten, LinkedIn: adam.weingarten


What are we going to talk about?
- Why scaling authenticated traffic is hard
- What is sessionless auth?
- How can you use it to manage a single login to multiple sites
- Working with an external auth provider (Janrain)
- PIIaaS! Storing PII as a Service in an API
- Proxying web-service calls: don't do it!
- How to delegate OAuth tokens

Case Study: www.wholefoodsmarket.com
- Launched July 2012 on Drupal 7
- Designed for a much more static world
- Full page refreshes
- Not service based

Deep dive into the issues on D7
- Primitive Janrain social integration: really heavyweight on page load
- Bloated DB: copies took forever, and it stored unnecessary PII
- Authenticated experiences required full page loads, which meant nothing was cacheable

You want your food to be grown organically not your website

D8 High Level Goals

Technical Drivers
- Support 10% authenticated traffic
- SSO between D7 and D8
- Personalized digital experience
- Mobile / responsive experience

Back to the Basics

Scaling Anonymous Traffic Is Easy
- Let the CDN do the lifting: Fastly, Akamai, CloudFlare
- Varnish in front of your web servers
- Hit your origin once, then store the response at Varnish and the CDN
- Caching solves all the problems (for anonymous pages)

What is a session? The sequence of interactions between client and server, or between user and system; the period during which a user is logged in or connected. -- Thus spoke Wikipedia

What is a PHP Session? - $_SESSION super global - Start with session_start() early in your PHP script. - Drupal wraps it and stores data across requests in the DB - Uses a cookie value to ID you

What does it look like?

Why are sessions a PAIN? Once a session cookie is present, Drupal marks the response private, so Varnish and the CDN have to pass every request through to origin:

HTTP/1.1 200 OK
Age: 0
Cache-Control: must-revalidate, no-cache, private
Via: 1.1 varnish-v4
Connection: keep-alive
X-Cache: MISS, MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1508437362.252176,VS0,VE296

Every authenticated page is a cache MISS at every layer, which puts the whole load back on PHP and MySQL.

Under Pressure

Opposition of Forces New experience requires personalization Our infrastructure sucks at personalized data

Oh, did you forget we also need to support seamless login to D7 and D8?
- Log in to one system, and let the second system hit a service to confirm the user is authenticated
- Or: set a token that both sites can read

Solutions not problems After we have crushed your soul let s build you back up.

Traditional Auth (diagram): the browser requests a page from Drupal 8; Drupal 8 sends the user to the IDP, which authenticates them ("Yeah, they're cool"); Drupal 8 then fetches session data from MySQL's session tables and returns the personalized page.

Sessionless Auth

From Drupal s POV

What is in the magic encrypted token? Anything that might otherwise live in a PHP session or the user table:
- API user IDs
- Session expiration time

How does this let me do D7 and D8?
- Assuming the two sites are on the same domain or sibling subdomains, both can read the cookie (set its Domain attribute to the shared parent domain)
- Both sites hold the same decryption key, so both can read the token
- I log in on D8, then go to a page hosted by D7, and I am still logged in

I used to log people out by truncating the session table. Now what?

We can show you how to prevent world domination by zombies

Cookies: Fresh baked, stale, or burned to a crisp?

Event                     Set Cookie          Cookie Expiration
Joe signs in              9/7/17 8:00 AM      10/7/17 8:00 AM
Adam kicks everyone out   9/7/17 10:00 AM     10/7/17 10:00 AM
Saul logs in              9/7/17 11:00 AM     10/7/17 11:00 AM

Without a session table to truncate, record the time of the kick-out and reject any token issued before it: Joe's cookie (issued 8:00 AM) is stale even though it has not expired, while Saul's (issued 11:00 AM) is fresh.
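One way to build the token, share it between the two sites and implement the "kick everyone out" rule from the timeline above, added here as an example; it is not code from the slides or from Whole Foods Market's site. It assumes PHP 7.3+ with the sodium extension and a 32-byte key shared by the D7 and D8 sites (loaded from config, never stored in the DB); the cookie name and domain, the claim names and the sample timestamps are placeholders chosen to match the slide. It covers the token-contents slide, the D7/D8 sharing slide and the logout timeline.

```php
<?php
// Added example, not the slides' or Whole Foods Market's code. Assumptions: PHP >= 7.3
// with the sodium extension; one 32-byte key shared by the D7 and D8 sites; the cookie
// name, domain, claim names and timestamps below are placeholders.
declare(strict_types=1);

const COOKIE_NAME   = 'wfm_auth';       // assumed name
const COOKIE_DOMAIN = '.example.com';   // parent domain, so the D7 and D8 hosts both receive it
const TOKEN_TTL     = 30 * 24 * 3600;   // 30 days, matching the slide's timeline

// Mint the cookie value. The claims are what would otherwise sit in $_SESSION or the
// users table: the API user id, each site's local uid, issue and expiry times.
function issueToken(array $claims, string $key, int $now, int $ttl = TOKEN_TTL): string
{
    $claims['iat'] = $now;
    $claims['exp'] = $now + $ttl;
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is XSalsa20-Poly1305: encrypted AND authenticated, so a client cannot
    // flip bits in the ciphertext to become a different user.
    $box = sodium_crypto_secretbox(json_encode($claims, JSON_THROW_ON_ERROR), $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Validate on either site. $revokedBefore replaces "truncate the session table": every
// token issued before that instant is rejected everywhere, with no per-user state.
function readToken(string $cookie, string $key, int $now, int $revokedBefore): ?array
{
    try {
        $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                   // not even valid base64
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;                                   // wrong key or tampered: burned to a crisp
    }
    $claims = json_decode($plain, true);
    if (!is_array($claims) || !isset($claims['iat'], $claims['exp'])) {
        return null;
    }
    if ($now >= $claims['exp']) {
        return null;                                   // past its own expiry (checked server-side, not by the browser)
    }
    if ($claims['iat'] < $revokedBefore) {
        return null;                                   // stale: predates the global kick-out
    }
    return $claims;
}

// Options for setcookie(): the Domain attribute is what lets the two sites share it.
function cookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // page scripts cannot read the session token
        'samesite' => 'Lax',
    ];
}

function ts(string $s): int
{
    return (int) strtotime($s);
}

// --- walk the slide's timeline with constructed sample data ---
$key  = str_repeat("\x42", SODIUM_CRYPTO_SECRETBOX_KEYBYTES);   // fixed so this runs offline; a real key comes from config
$joe  = issueToken(['api_uid' => 'u-joe',  'd7_uid' => 12, 'd8_uid' => 7], $key, ts('2017-09-07 08:00'));
$kick = ts('2017-09-07 10:00');                                   // "Adam kicks everyone out": store only this timestamp
$saul = issueToken(['api_uid' => 'u-saul', 'd7_uid' => 31, 'd8_uid' => 9], $key, ts('2017-09-07 11:00'));
$now  = ts('2017-09-07 12:00');

$tampered     = $joe;
$tampered[40] = ($tampered[40] === 'A') ? 'B' : 'A';             // one character inside the Poly1305 tag

$joeClaims  = readToken($joe,      $key, $now, $kick);            // rejected: issued before the kick-out
$saulClaims = readToken($saul,     $key, $now, $kick);            // accepted: fresh
$expired    = readToken($saul,     $key, ts('2017-10-07 11:00'), $kick); // rejected: past exp
$forged     = readToken($tampered, $key, $now, $kick);            // rejected: authentication tag fails

var_dump($joeClaims === null, $saulClaims['api_uid'], $expired === null, $forged === null);

// On login, D8 would run: setcookie(COOKIE_NAME, $saul, cookieOptions($saulClaims['exp']));
// D7 runs the same readToken() with the same key and needs no session row of its own.
```

Two caveats a practitioner should keep in mind. The cookie's own expiry is advisory (the browser controls it), so the `exp` claim must be enforced server-side as above. And a single revocation timestamp only supports "everyone out"; logging out one user needs either a short TTL with silent re-issue or a small denylist keyed by `iat`/user id, which is the one piece of shared state this design keeps.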

PIIaaS: Storing PII as a Service in an API

PII As a Service
- All personalized content on iOS, Android and web via the API
- Drupal is a consumer of the API like anyone else
- No DB calls, no PII unnecessarily stored on Drupal
- Clear separation of concerns

Proxying webservice calls is bad.

Yeah, this is why it's really bad: latency. Each web server has a finite number of concurrent PHP processes. When you make a web-service call from PHP, you tie up one of those processes waiting for the response, which limits your transactions per second.

How do I fix it?

Browser can access the API layer directly without an intermediary

How Scalable?

Very Scalable

Ended up with...
- A scalable system
- Separation of concerns: each part of our stack can focus on doing one thing well

Questions?

Thank you!