Turning away unwanted traffic close to the source is a common and key use case for edge networks like Fastly, but identity, authentication, and authorization at the edge can go far beyond blocking DDoS. The unique way that you identify your site’s users can probably move to the edge too, allowing you to cut response times in your critical path, offload more origin traffic, and make smarter routing decisions at the edge.
In this talk we’ll cover a number of patterns in use by real Fastly customers. Whether you prefer token authentication, pre-shared keys, OAuth, HTTP auth, JSON web tokens, or a complex paywall, learn how you can potentially make your authentication decisions at the edge.
2. Who is this guy
• Developer advocate and product manager at Fastly
• Previously Financial Times and Nikkei (Japan)
• Elected to the W3C Technical Architecture Group
• Started out as an intern developer in the UK air traffic control service (NATS)
11. Authentication methods
• IP address
• HTTP auth
• Username/password
• Single use tokens
• Single-sign on / OAuth / “Login with Google”
• Code generators (TOTP / 2FA)
12. Welcome to the Finnair lounge. Please enjoy complimentary access to the New York Times.
13. IP based authentication
Participants: User, Fastly, Origin
- User -> Fastly: GET /home/us
  A user in a recognised location accesses a page. The user’s IP is readable as client.ip.
- Fastly: consult Edge Dictionary, set upstream header
  table ip_special {
    "23.65.123.7": "name=Hels..",
    ...
  }
- Fastly -> Origin: GET /home/us
  Fastly-ID: premium-ip
- Origin -> Fastly: 200 OK
  Vary: Fastly-ID
  Store two variants in the cache.
- Fastly -> User: 200 OK
  Set-Cookie: ip_special=name=Helsinki%20Air...
  Set additional edge metadata using a short-lived cookie. The user receives premium content, and the cookie enables additional client-side progressive enhancement.
fiddle.fastlydemo.net/fiddle/ce76d16c
17. Maintaining state with edge-managed cookies
Identity persists as cookies (between user and Fastly):
  Cookie: auth=fgt983tgc9vtSFiw4H9asdfF
Identity persists as headers (between Fastly and origin):
  Fastly-ID: 12565
  Fastly-User-Name: Andrew
  Origin response: Vary: Fastly-ID (cached per Fastly-ID: 12565)
19. Maintaining state with edge-managed cookies
fiddle.fastlydemo.net/fiddle/c249a659
Participants: User, Fastly, Auth service, Content service
Get the login form:
- User -> Fastly: GET /auth
- Fastly -> User: 200 OK
Submit the login form, get a session cookie and a redirect to the homepage:
- User -> Fastly: POST /auth/login
- Fastly -> Auth service: POST /auth/login
- Auth service -> Fastly: 200 OK
  Auth-Result: VALID
  Auth-Data: {id:372635,level:"Subscriber",name:"Alice"}
- Fastly -> User: 307 Temporary redirect
  Location: /home
  Set-Cookie: auth=#########
Load the homepage, get the Subscriber-only version:
- User -> Fastly: GET /home
  Cookie: auth=#########
- Fastly -> Content service: GET /home
  Auth-ID: 372635
  Auth-Level: Subscriber
  Auth-Name: Alice
- Content service -> Fastly: 200 OK
  Vary: Auth-Level
- Fastly -> User: 200 OK
21. Time limited URL tokens
fiddle.fastlydemo.net/fiddle/a04d81ca
Participants: User, Fastly, Static assets
- User -> Fastly: GET /vid.mp4?token=9734536_jf948fhw0th04htnfpbsnwp9te
- Fastly, before forwarding:
  - Check signature matches URL
  - Check IP / User-Agent / Referrer
  - Check timestamp is still valid
  - Strip token from URL
- Fastly -> Static assets: GET /vid.mp4
- Static assets -> Fastly: 200 OK
- Fastly -> User: 200 OK
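The four edge checks on this slide, as an added Python example (not the fiddle's VCL and not Fastly's code): the token layout <expiry>_<hmac>, the shared secret, and binding the MAC to the client IP are assumptions, and the slide's own token value is not decoded here.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed shared secret: held by the token issuer and the edge, never by the client.
SECRET = b"constructed-demo-secret-not-for-production"


def make_token(path: str, expires: int, client_ip: str, secret: bytes = SECRET) -> str:
    """Issue <expiry>_<hmac>: the MAC binds the asset path, the expiry and the client IP."""
    msg = f"{path}|{expires}|{client_ip}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{expires}_{mac}"


def check_and_strip(url: str, client_ip: str, now: int, secret: bytes = SECRET):
    """Edge-side checks in the slide's order: signature matches the URL, request
    attribute (here the IP) matches, timestamp still valid; then the token is
    stripped so the origin request is cacheable under one key.
    Returns (allowed, origin_url)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    token = query.pop("token", None)
    if token is None:
        return False, None
    exp_str, _, _mac = token.partition("_")
    try:
        expires = int(exp_str)
    except ValueError:
        return False, None
    # Recompute the token a trusted issuer would have produced for this path,
    # IP and expiry, and compare in constant time; a changed path or IP changes
    # the MAC, so both are covered by the one comparison.
    expected = make_token(parts.path, expires, client_ip, secret)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, None
    if now >= expires:
        return False, None  # signature fine, but the token has expired
    origin_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                             urlencode(query), parts.fragment))
    return True, origin_url
```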
23. Single sign on
fiddle.fastlydemo.net/fiddle/e405f025
Participants: User, Fastly, Auth provider, Content service
User wants to log in:
- User -> Fastly: GET /login
- Fastly -> User: 307 Temporary redirect to the auth provider
- User -> Auth provider: GET https://account.google.com/sso?...
  Negotiate with the third party, get a token.
Send the token to Fastly, get a session cookie and a redirect to the article page:
- User -> Fastly: GET /session?code=d8g...
  Fastly uses the auth provider’s published certificates to verify the ID token.
- Fastly -> User: 307 Temporary redirect
  Set-Cookie: auth=jsfu38vsjneruigereer...
  Location: /article/kittens
- User -> Fastly: GET /article/kittens
- Fastly -> Content service: GET /article/kittens
- Content service -> Fastly -> User: 200 OK
27. Intersecting groups
Participants: User, Fastly, Origin
- User -> Fastly: GET /article/kittens
  Cookie: auth=iuf34t89qw9a8hvaa...
  A logged-in user attempts to view content. Using the cookie, we can determine their groups: uk eu gdpr std-premium
- Fastly -> Origin: GET /article/kittens
- Origin -> Fastly: 200 OK
  Require-Groups: std-premium 7club
- Fastly -> User: 200 OK
  Because the content requires a group membership that the user has (std-premium), access is allowed.
29. Metered paywall
Participants: User, Fastly, Paywall service, Content service
Request a protected article:
- User -> Fastly: GET /article/kittens
  Cookie: auth=########
- Fastly -> Content service: GET /article/kittens
- Content service -> Fastly: 200 OK
  Paywall: https://.../check?id=93535&mode=meter&level=1
Decode the user cookie, add the user id to the request, restart:
- Fastly -> Paywall service: GET /check?id=93535&mode=meter&level=1
  Auth-User: 12345
- Paywall service -> Fastly: 200 OK
  Paywall-Result: ALLOW
  Paywall-Meta: {remain:5, total:10}
Restart to recover the requested article from cache:
- Fastly: GET /article/kittens (served from cache)
Article delivered with a cookie containing paywall data for use in the UI:
- Fastly -> User: 200 OK
  Set-Cookie: p={remain:5, total:10}; max-age=10
32. Summary
• Identity and authorization can be the most complex parts of your app
• Many different ways to do this
• Browser technologies are changing established patterns
• Using edge logic improves performance and security, simplifies architecture
• Try using Fastly for your identity and access use case!
33. Thanks for listening
I am Andrew Betts
@triblondon
abetts@fastly.com
Get the slides: fastly.us/auth-talk