Published by Neal Stokes. Modified over 6 years ago.
Slide 2: Leaving the State: Sessionless (Stateless) Authentication in D8 with Whole Foods Market
DrupalCon Nashville 2018
Slide 3: These Guys
● Dr J Daverth, Technical Lead, Whole Foods Market (D.O.: dr-jay, BitBucket: drjdaverth, LinkedIn: drjdaverth)
● Adam Weingarten, Senior Technical Architect, Acquia (D.O.: adam.weingarten, GitHub: aweingarten, LinkedIn: adam.weingarten)
Slide 4: Brought to you by
Slide 5: What are we going to talk about?
● Why is scaling authenticated traffic hard?
● What is sessionless auth?
● How can you use it to manage a single login to multiple sites?
● Working with an external auth provider (Janrain)
● PIIaaS! Storing PII as a Service in an API.
● Proxying web-service calls: don't do it!
● How to delegate OAuth tokens
Slide 6: Case Study: www.wholefoodsmarket.com
● Launched July 2012 on Drupal 7
● Designed for a much more static world
● Full page refreshes
● Not service based
Slide 7: Deep dive into the issues on D7
● Primitive Janrain social integration: really heavyweight on page load
● Bloated DB. Copies took forever.
● Stored unnecessary PII
● Authenticated experiences required full page loads, which meant things weren't cacheable.
Slide 8: You want your food to be grown organically, not your website
Slide 9: D8 High Level Goals
Slide 10: Technical Drivers
● Support 10% authenticated traffic
● SSO between D7 and D8
● Personalized digital experience
● Mobile / responsive experience
Slide 11: Back to the Basics
Slide 12: Scaling Anonymous Traffic Is Easy
● Let the CDN do the lifting: Fastly, Akamai, CloudFlare.
● Varnish in front of your web servers.
● Hit your origin once, then store the response at Varnish and the CDN.
● Caching solves all the problems.
Slide 13: What is a session?
Slide 14: What is a PHP Session?
Slide 15: What does it look like?
Slide 16: Why are sessions a PAIN?
HTTP/1.1 200 OK
Age: 0
Cache-Control: must-revalidate, no-cache, private
Via: 1.1 varnish-v4
Connection: keep-alive
X-Cache: MISS, MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S ,VS0,VE296
Bypasses cache. No cache for you!
Slide 17: Under Pressure
Your DB and your webserver
Slide 18: Opposition of Forces
● New experience requires personalization
● Our infrastructure sucks at personalized data
● Your DB and your webserver
Slide 19: Oh, did you forget we also need to support seamless login to D7 and D8?
● Log in to one system, and let the second system hit a service to confirm the user is authenticated
● Set a token that both sites can read
Umm yeah that…. How ….
Slide 20: Solutions not problems
After we have crushed your soul, let's build you back up.
Slide 21: Traditional Auth
Yeah they're cool
● IDP authenticates
● Drupal 8
● Get session data: MySQL with session tables
● Return session data
● Return personalized data
Umm yeah that…. How ….
Slide 22: Sessionless Auth
● User authenticates with something.
● Once they pass the bouncer, give them an encrypted token. User can't read it.
● Any time they try to do something special they present the token.
● Then the bouncer decrypts it and lets them through.
Slide 23: From Drupal's POV
● User authenticates with something.
● Once they pass the bouncer, give them an encrypted token. User can't read it.
● Any time they try to do something special they present the token.
● Then the bouncer decrypts it and lets them through.
Slide 24: What is in the magic encrypted token?
Anything that might live in a PHP session or user table:
● API user IDs
● Session expiration time
Umm yeah that…. How ….
Slide 25: How does this let me do D7 and D8?
● Assuming the two sites are on the same domain or subdomain, both sites can read the cookie.
● Shared decryption key: both can read it.
● I log in on D8, then go to a page hosted on D7.
Umm yeah that…. How ….
Slide 26: I used to log people out by truncating the session table. Now what?
Umm yeah that…. How ….
Slide 27: We can show you how to prevent world domination by zombies
Umm yeah that…. How ….
● Take the current time + session lifetime.
● If the timestamp in the decrypted cookie < current time + session lifetime, send back an expiration message and handle it on the frontend.
Slide 28: Cookies: Fresh baked, stale, or burned to a crisp?
Event                    Set Cookie          Cookie Expiration
Joe signs in             9/7/17 8:00 AM      10/7/17 8:00 AM
Adam kicks everyone out  9/7/17 10:00 AM     10/7/17 10:00 AM
Saul logs in             9/7/17 11:00 AM     10/7/17 11:00 AM
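The token contents from slide 24 and the kick-everyone-out check from slides 27 and 28, as an added example that is not code from the deck or from the Whole Foods site: a cookie carrying the API user ID, issue time and expiry, validated by either site with a shared key and refused when it predates a global logout timestamp. It assumes a constructed placeholder key and a 30-day lifetime, and swaps stdlib HMAC signing for the deck's encryption, so the claims stay readable and nothing secret belongs in them.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder: in the deck one key is held by both the D7 and the D8 site.
SHARED_KEY = b"placeholder-key-shared-by-d7-and-d8"
SESSION_LIFETIME = 30 * 24 * 3600  # 30 days: the 9/7 -> 10/7 span on the slide

def ts(text):
    """Slide-style timestamp ('9/7/17 8:00 AM', read as UTC) to epoch seconds."""
    stamp = datetime.strptime(text, "%m/%d/%y %I:%M %p").replace(tzinfo=timezone.utc)
    return int(stamp.timestamp())

def issue_token(api_user_id, now, key=SHARED_KEY):
    """Mint the cookie value: the claims a PHP session or user row would hold."""
    # Swapped in: HMAC-signed via the stdlib; the deck encrypts so the user cannot read it.
    claims = {"uid": api_user_id, "iat": now, "exp": now + SESSION_LIFETIME}
    body = base64.urlsafe_b64encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(tag)

def verify_token(token, now, logout_all_at=None, key=SHARED_KEY):
    """Return the claims, or None when the frontend should get the expiration message."""
    # No session table: lifetime and the global kick-out are judged from the token's
    # own timestamps, so D7 and D8 each validate locally with the shared key.
    try:
        body, tag_b64 = token.split(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
            return None  # tampered, or minted by a site holding a different key
        claims = json.loads(base64.urlsafe_b64decode(body))
        issued, expires = claims["iat"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None
    if expires < now:
        return None  # past its own lifetime
    if logout_all_at is not None and issued < logout_all_at:
        return None  # issued before "Adam kicks everyone out"
    return claims

def demo():
    """Replay the slide's timeline: Joe 8:00 AM, kick-out 10:00 AM, Saul 11:00 AM."""
    kick_out, noon = ts("9/7/17 10:00 AM"), ts("9/7/17 12:00 PM")
    joe = issue_token("joe-api-id", ts("9/7/17 8:00 AM"))
    saul = issue_token("saul-api-id", ts("9/7/17 11:00 AM"))
    return {"joe_still_in": verify_token(joe, noon, kick_out) is not None,
            "saul_still_in": verify_token(saul, noon, kick_out) is not None}
```

At noon Joe's cookie is rejected because it was minted before the 10:00 AM kick-out, while Saul's, minted afterwards, is still accepted until its own expiry.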
Slide 29: PIIaaS: Storing PII as a Service in an API
Slide 30: PII as a service
● All personalized content on iOS, Android and Web via API
● Drupal is a consumer of the API like anyone else
● No DB calls, no PII unnecessarily stored on Drupal
● Clear separation of concerns.
Slide 31: Lesson Learned: Proxying webservice calls is bad!
Slide 32: Yeah, this is why it's really bad…
● Latency.
● Each web server has a finite number of concurrent PHP procs.
● When you make a webservice call you tie up those procs waiting for a response.
● Limits transactions per second.
Slide 33: How do I fix it?
Slide 34: The browser can access the API layer directly without an intermediary
Slide 35: How Scalable?
Slide 36: Very Scalable
Slide 37: Ended up with… a scalable system
Separation of concerns: each part of our stack can focus on doing one thing well.
Slide 38: Questions?
Slide 39: Join us for contribution sprints, #drupalsprint, Friday, April 13, 2018
● Mentored Core sprint: 9:00-12:00, Room: Stolz 2
● First time sprinter workshop: 9:00-12:00, Room: Stolz 2
● General sprint: 9:00-12:00, Room: Stolz 2
Slide 40: What did you think?
Locate this session at the DrupalCon Nashville website: Take the Survey!
© 2025 SlidePlayer.com, Inc. All rights reserved.