Turning away unwanted traffic close to the source is a common and key use case for edge networks like Fastly, but identity, authentication, and authorization at the edge can go far beyond blocking DDoS. The unique way that you identify your site’s users can probably move to the edge too, allowing you to cut response times in your critical path, offload more origin traffic, and make smarter routing decisions at the edge. In this talk we’ll cover a number of patterns in use by real Fastly customers. Whether you prefer token authentication, pre-shared keys, OAuth, HTTP auth, JSON web tokens, or a complex paywall, learn how you can potentially make your authentication decisions at the edge.

1. presents
Authentication at
the Edge
Andrew Betts | Developer Advocate

2. Who is this guy
• Developer advocate and
product manager at Fastly
• Previously Financial Times and
Nikkei (Japan)
• Elected to the W3C Technical
Architecture Group
• Started out as an intern
developer in the UK air traffic
control service (NATS)

3. Identity

4. Magic, circa 2001
http://intranet/my/example/app
<?php
echo $_SERVER['PHP_AUTH_USER'];
?>

5. Middleware, circa 2010
app.get('/', doAuth, (req, res) => {
res.end(req.user.name);
});

6. New magic, circa 2018
app.get('/', (req, res) => {
res.end(req.get('User-Name'));
});

7. Middleware at the edge?
Validate Normalise Authenticate
OptimiseCORS Compress
Route

8. Authentication
vs Authorisation

9. Authentication Authorisation

10. Authentication:
Who am I?

11. • IP address
• HTTP auth
• Username/password
• Single use tokens
• Single-sign on / OAuth / “Login with Google”
• Code generators (TOTP / 2FA)
Authentication methods

12. Welcome to the Finnair lounge. Please enjoy
complimentary access to the New York Times.

13. IP based authentication
User Fastly Origin
200 OK
Set-Cookie: ip_special=
name=Helsinki%20Air...
GET /home/us
User in recognised location
accesses a page. The user’s IP
is readable as client.ip.
User receives premium content
and cookie enables additional
client-side progressive
enhancement
Consult Edge Dictionary,
Set upstream header
GET /home/us
Fastly-ID: premium-ip
200 OK
Vary: Fastly-ID
table ip_special {
"23.65.123.7": "name=Hels..",
...
}
Store two variants in the cache,
Set additional edge metadata
using a short-lived cookie.
fiddle.fastlydemo.net/fiddle/ce76d16c

14. fiddle.fastlydemo.net/fiddle/a7162845
HTTP authentication

16. State?

17. Maintaining state with edge-managed cookies
Identity persists as cookies:
Cookie: auth=fgt983tgc9vtSFiw4H9as
dfF
Identity persists as headers:
Fastly-ID: 12565
Fastly-User-Name: Andrew
Vary: Fastly-ID
Fastly-ID: 12565

18. Header name
Fastly-ID
Fastly-User-Name
Fastly-User-Groups
Fastly-User-Level
Fastly-User-Is-Premium
Example value
1406535
Andrew
eu gdpr premium uk1
4
1
Cardinality (OOM)
1,000,000
100,000
1000
10
1

19. Maintaining state with edge-managed cookies
fiddle.fastlydemo.net/fiddle/c249a659
User Fastly Auth service Content service
GET /auth
200 OK
POST /auth/login
200 OK
Auth-Result: VALID
Auth-Data: {id:372635,level:
"Subscriber",name:"Alice"}
307 Temporary redirect
Location: /home
Set-Cookie: auth=#########
GET /home
Cookie: auth=#########
200 OK
Vary: Auth-Level200 OK
GET /home
Auth-ID: 372635
Auth-Level: Subscriber
Auth-Name: Alice
Get the login form
Submit the login form,
get a session cookie &
redirect to homepage
Load homepage, get
Subscriber-only version

21. Time limited URL tokens
fiddle.fastlydemo.net/fiddle/a04d81ca
User Fastly Static assets
200 OK
GET /vid.mp4?token=9734536_jf948f
hw0th04htnfpbsnwp9te
User in recognised location
accesses a page. The user’s IP
is readable as client.ip.
User receives premium content
and cookie enables additional
client-side progressive
enhancement
- Check signature matches URL
- Check IP / User-Agent / Referrer
- Check timestamp is still valid
- Strip token from URL
GET /vid.mp4
200 OK

23. Single sign on
fiddle.fastlydemo.net/fiddle/e405f025
User Fastly Auth providerContent service
GET /login
200 OK
307 Temporary redirect
Set-Cookie:
auth=jsfu38vsjneruigereer...
Location: /article/kittens
User wants to log in
Send token to Fastly, get
session cookie and redirect to
the article page
GET https://account.google.com/sso?...
GET /session?code=d8g...
Negotiate with the third party,
get a token
GET /article/kittens GET /article/kittens
Use Auth provider’s
published certificates
to verify the ID token

24. Authorization:
What can I do?

25. • Identified
• Level (basic, premium)
• Group membership
• Credit balance
• Environmental/external (territorial rights, time)
Authorization criteria

26. Intersecting groups

27. Intersecting groups
User Fastly Origin
200 OK
GET /article/kittens
Cookie: auth=iuf34t89qw9a8hvaa...
Logged-in user attempts to view
content. Using cookie, we can
determine their groups.
Because content requires a
group membership that the
user has, the access is allowed
GET /article/kittens
200 OK
Require-Groups: std-premium 7club
uk eu gdpr std-premium
std-premium 7club

28. Metered paywall

29. Metered paywall
User Fastly Paywall serviceContent service
GET /article/kittens
Cookie: auth=########
200 OK
200 OK
Paywall: https://.../check
?id=93535&mode=meter&level=1
200 OK
Set-Cookie:
p={remain:5, total:10}; max-age=10
Decode user cookie,
add userid to request, restart.
GET /check?id=93535&mode=meter&level=1
Auth-User: 12345
200 OK
Paywall-Result: ALLOW
Paywall-Meta: {remain:5, total:10}
GET /article/kittens
GET /article/kittens
Request a
protected article
Restart to recover the requested
article from cache
Article delivered with a
cookie containing paywall
data for use in UI

30. Territorial rights
• IP Geolocation
• Group intersection (region-
locked accounts)

31. Modern web technologies
Fast, instant payments using
Payment Request API
Seamless biometrics and keys
WebAuthN API

32. • Identity and authorization can be the most complex parts of your app
• Many different ways to do this
• Browser technologies are changing established patterns
• Using edge logic improves performance and security, simplifies
architecture
• Try using Fastly for your identity and access use case!
Summary

33. Thanks for listening
I am Get the slides:
Andrew Betts
@triblondon
abetts@fastly.com
fastly.us/auth-talk