Toru Maesaka Software Engineer, Fastly at Altitude 2016 In this talk, Fastly Engineer Toru Maesaka discusses Fastly’s next-generation API authentication and authorization system. The new system introduces an OAuth 2.0 compliant access token, which — unlike our conventional API keys — is issued on a per-user basis. Tokens provide more flexibility by allowing our customers to reflect their organizational requirements to the way the Fastly API is accessed. Toru also walks through other benefits, including limiting API access via token scoping.

1. Authentication at the edge
Toru Maesaka | Software Engineer, Fastly

2. “The Fastly API is a RESTful API
that supports all features
available through the Fastly user
interface”

3. Fastly API
• Customize how you interact with Fastly

4. Fastly API
• Customize how you interact with Fastly
• Integrate Fastly with your system

5. Fastly API
• Customize how you interact with Fastly
• Integrate Fastly with your system
• Programmatically control Fastly

6. Fastly API
• Customize how you interact with Fastly
• Integrate Fastly with your system
• Programmatically control Fastly
• Do less with Automation

10. Recap: Fastly API key
• Available to all customers

11. Recap: Fastly API key
• Available to all customers
• One key per customer

12. Recap: Fastly API key
• Available to all customers
• One key per customer
• Use by including in Fastly-Key reader

13. Fastly API key limitations
• Key rotation can cause downtime

14. Fastly API key limitations
• Key rotation can cause downtime
• Role based access control is not available

16. Recap: Fastly API key
• Key rotation can cause downtime
• Role based access control is not available
• Affects everyone in the organization

18. We’ve had
lots of
feedback

19. And we’ve
listening

20. API
TokensDesigned to solve API Key limitations

22. API Tokens
• API Tokens are available per user

23. API Tokens
• API Tokens are available per user
• Users can create multiple tokens

24. API Tokens
• API Tokens are available per user
• Users can create multiple tokens
• Two-factor Authentication

25. API Tokens
• API Tokens are available per user
• Users can create multiple tokens
• Two-factor Authentication
• RBAC / Token Authorization

26. API Tokens
• API Tokens are available per user
• Users can create multiple tokens
• Two-factor Authentication
• RBAC / Token Authorization
• Zero downtime token rotation

27. Token Authorization
• Just the right amount of power

28. Token Authorization
• Pinning a Token to a Service

29. Token Authorization
• Pinning a Token to a Service ✔

30. Token Authorization
• Authorization Scope

31. Scope Description
api-key Same access level as an API Key (default)
purge Purge with surrogate-key and URL
purge_all Purge an entire service

32. Creating a token
POST /tokens
curl -H “Fastly-OTP: 123456”
-d “username=me@foo.bar&password=$SECRET”
-d “name=purge_token”
-d “scope=purge”
https://api.fastly.com/tokens

33. Creating a token
POST /tokens
curl -H “Fastly-OTP: 123456”
-d “username=me@foo.bar&password=$SECRET”
-d “name=purge_token”
-d “scope=purge”
https://api.fastly.com/tokens

34. {
“id”: "5YvQH3Rg4bPPkhvPC6WFm2",
“user_id”: "1dZ0KVnlsFXc3ZiW9hsAb3",
“access_token”: "a103bb87a7b4c71ff932f871dd19dabc",
“service_id”: null,
“name”: "Fastly API Token",
“scope”: "api-key"
“created_at”: 2016-06-21T23:04:20+00:00"
}

35. {
“id”: "5YvQH3Rg4bPPkhvPC6WFm2",
“user_id”: "1dZ0KVnlsFXc3ZiW9hsAb3",
“access_token”: "a103bb87a7b4c71ff932f871dd19dabc",
“service_id”: null,
“name”: "Fastly API Token",
“scope”: "api-key"
“created_at”: 2016-06-21T23:04:20+00:00"
}

36. Revoking a token
DELETE /tokens/self
Revokes a token used in the request
DELETE /tokens/:id
Revokes a token based on token id

37. Other features
GET /tokens/self
Get basic information about the token
GET /tokens
List a user’s provisioned tokens
GET /customer/:id/tokens
List all tokens associated to a customer
(for superuser)

38. Where to
from here?

39. Documentation available at:
• https://docs.fastly.com/api/auth