User & Device Identity for Microservices @ Netflix Scale
Satyajit Thadeshwar

[Architecture diagram with three tiers: EDGE, ORIGINS and MID-TIER SERVICES. Components shown: Zuul, EAS (Edge Authentication Services), API, NodeJS, Discovery Services, Device Auth Service, subscriber service, Signup flow, Legacy auth service, Lolomo / Search, DRM, Playback and other services (Netflix Microservices). Token types arriving at the edge: Cookie, MSL, Partner.]
[Token handling at the edge. Zuul receives Cookie, MSL and Partner tokens; EAS sits beside it.]
- Token valid and not expired (95% of requests): the request goes straight through to the services
- Remaining 5%: renewal, device auth or key exchange handled by EAS
- Token valid but expired: Zuul makes a renewal call to EAS
- Renewal call failed: the identity is still resolved from the token, the renewal call is rescheduled, and a rescheduled cookie is returned to the device
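The edge decision above, as an added example that is not code from the talk: a constructed model of the Zuul-side token check in which the Token fields, the renew() callback (standing in for the EAS renewal call) and the EdgeResult record are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of the edge token handling on the slides. The Token fields,
# the renew() callback standing in for the EAS renewal call, and EdgeResult are
# assumptions for illustration, not Zuul or EAS code.
@dataclass
class Token:
    kind: str            # COOKIE, MSL or PARTNER_TOKEN, as in the Source enum
    customer_id: int
    valid: bool          # structure and integrity already checked
    expires_at: int      # epoch seconds

@dataclass
class EdgeResult:
    customer_id: Optional[int]    # identity resolved at the edge, if any
    called_eas: bool              # whether the request cost an EAS round trip
    renewed: bool                 # fresh token goes back to the device now
    renewal_rescheduled: bool     # renewal failed; retried on a later request

def handle_token(token: Token, now: int,
                 renew: Callable[[Token], Optional[Token]]) -> EdgeResult:
    """Zuul side: resolve identity and decide whether EAS has to be called."""
    if not token.valid:
        return EdgeResult(None, False, False, False)       # nothing to resolve
    if token.expires_at > now:                              # the ~95% case: no EAS call
        return EdgeResult(token.customer_id, False, False, False)
    fresh = renew(token)                                    # valid but expired: renewal call
    if fresh is not None:
        return EdgeResult(fresh.customer_id, True, True, False)
    # Renewal failed: the request still proceeds on the identity the expired-but-valid
    # token resolves to, and the renewal is rescheduled instead of failing the request.
    return EdgeResult(token.customer_id, True, False, True)
```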
Passport
- Identity structure created at the edge for each request
- Contains user & device identity
- Internal to Netflix ecosystem
- Integrity protected by HMAC
- Protobuf format
Passport

    message Passport {
      Header header = 1;
      UserInfo user_info = 2;
      DeviceInfo device_info = 3;
      Integrity user_integrity = 4;
      Integrity device_integrity = 5;
    }

    message Header {
      string originator = 1;
    }

    message UserInfo {
      Source source = 1;
      AuthenticationLevel auth_level = 2;
      Int64Wrapper customer_id = 3;
      Int64Wrapper account_owner_id = 4;
      repeated UserAction actions = 6;
    }

    message DeviceInfo {
      Source source = 1;
      AuthenticationLevel auth_level = 2;
      StringValue esn = 3;
      Int32Value device_type = 4;
      repeated DeviceAction actions = 5;
    }

    enum Source {
      COOKIE = 1;
      MSL = 2;
      PARTNER_TOKEN = 3;
      CTICKET = 4;
    }

    enum AuthenticationLevel {
      LOW = 1;      // untrusted transport
      HIGH = 2;     // secure tokens over TLS
      HIGHEST = 3;  // MSL or user credentials
    }

    message Integrity {
      string key_name = 1;
      bytes hmac = 2;
    }
Passport Introspector
- Wrapper over passport binary data

    public interface PassportIntrospector {
      Long getCustomerId();
      Long getAccountOwnerId();
      String getEsn();
      String getPassportAsString();
      ...
    }

- Consumers create passportIntrospector from binary passport data:

    factory.createIntrospector(passport);
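The passport integrity model above (separate HMACs over the user and device sections, each naming its key, and a downstream introspector that verifies before exposing any field), as an added example that is not Netflix's code: canonical JSON stands in for protobuf serialization, and the key name, key bytes and the authorized() helper are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass, asdict

# Constructed stand-in for the Passport protobuf on the slides: canonical JSON
# replaces protobuf serialization so this runs offline. Key name, key bytes and
# the authorized() helper are assumptions, not Netflix's own values or API.
KEYS = {"passport-key-v1": b"constructed-demo-key-do-not-use"}
LOW, HIGH, HIGHEST = 1, 2, 3   # AuthenticationLevel values from the slides

@dataclass
class UserInfo:               # fields as in the UserInfo message
    source: str               # Source enum name: COOKIE, MSL, PARTNER_TOKEN, CTICKET
    auth_level: int
    customer_id: int
    account_owner_id: int
@dataclass
class DeviceInfo:             # fields as in the DeviceInfo message
    source: str
    auth_level: int
    esn: str
    device_type: int

def sign(section, key_name: str) -> dict:
    # Integrity message: key_name plus HMAC-SHA256 over the canonical serialization.
    data = json.dumps(asdict(section), sort_keys=True, separators=(",", ":")).encode()
    return {"key_name": key_name, "hmac": hmac.new(KEYS[key_name], data, hashlib.sha256).digest()}

def mint_passport(user: UserInfo, device: DeviceInfo, originator: str = "zuul") -> dict:
    # Edge side: built once per request; user and device sections are signed separately.
    return {"header": {"originator": originator}, "user_info": user, "device_info": device,
            "user_integrity": sign(user, "passport-key-v1"),
            "device_integrity": sign(device, "passport-key-v1")}

def verify_integrity(passport: dict) -> bool:
    # Recompute both HMACs under the key named in the passport; constant-time compare.
    for section, integ in (("user_info", "user_integrity"), ("device_info", "device_integrity")):
        expected = sign(passport[section], passport[integ]["key_name"])["hmac"]
        if not hmac.compare_digest(expected, passport[integ]["hmac"]):
            return False
    return True

class PassportIntrospector:
    # Downstream wrapper over the passport; a tampered passport never exposes any field.
    def __init__(self, passport: dict):
        if not verify_integrity(passport):
            raise ValueError("passport integrity check failed")
        self._p = passport
    def get_customer_id(self) -> int: return self._p["user_info"].customer_id
    def get_esn(self) -> str: return self._p["device_info"].esn
    def authorized(self, required_level: int) -> bool:   # authorization from auth_level alone
        return self._p["user_info"].auth_level >= required_level
```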
Tooling
- Self-service tool for teams to decrypt passport
Passport Actions

    message UserInfo {
      repeated UserAction actions = 6;
      ...
    }

    message DeviceInfo {
      repeated DeviceAction actions = 5;
      ...
    }

- Explicit signal sent by the downstream services when an update to user or device identity has been performed
- This "signal" is used by EAS to either create or update the corresponding type of token
Passport Action: User Login

[Sequence diagram. A device-bound ORIGIN sends /login with Email: jsmith@gmail.com, Password: ********, ESN: LGTV20165-193456G568 to Zuul at the EDGE. Zuul forwards the request to the API, which calls the auth service in the MID-TIER SERVICES (Netflix Microservices). On success, a "user login" passport action is attached and travels back with the response to Zuul, which calls the Cookie Service and returns the new cookie to the device with Set-Cookie.]
Passport Action: Profile Switch
- Each profile has its own identity
- Switched profile tokens sent back to the device
Passport Actions: Separation of Concerns, Increased Visibility
What we did
- Moved authentication to the edge
- Streamlined the identity resolution and mutation path
- Making consumption of user & device identity efficient, secure & simple
Wins

Token Agnostic Identity
- Downstream systems don't have to worry about authentication concerns

Simplified Authorization
- Downstream services use authentication level for authorization decisions
- Before:

    long customerId = 2123125603L;
    String ESN = "NFXBOX-235F … ";

Extensible Identity Model
- New attributes about user or device can be added

Local cache for up-to-date subscriber data

    message UserInfo {
      BytesValue subscriber_account ...
    }

- Placeholder for local cache of subscriber data

Offloaded & Fine Tuned
- Offloaded token processing, which resulted in significant gains for:
  - CPU
  - Request Latency
  - GC
  - Cluster Footprint
- We were able to fine-tune EAS systems based on the token processing profile