Our road to Single Sign-On, DocPlanner
Transcript of Our road to Single Sign-On, DocPlanner
OUR ROAD TO SINGLE SIGN-ON
Maciej Szkamruk (@ex3v)
• backend dev @ activation team • joined DP ~1.5 years ago • huge fan of cooking, cheap memes
and code that really helps people
Tomasz Wojcik (@prgTW)
• backend dev @ CRM team • been with DP since dinosaurs • worships Grumpy Cat, morning coffee
and code reviews in the middle of the night
WHO ARE WE?
HOW IT ALL STARTED | HISTORY
• branched off from GoldenLine
• founded to share opinions about doctors
• ads were the only source of income
• about 5 people onboard
CALENDAR - MVP THAT GOT SERIOUS | HISTORY
• first step: mockups only
• visitors were curious about it… therefore MVP
• first deals with doctors
• 2k visits booked during 1st quarter
• ~4 years ago: 2k visits booked during 1st quarter
• today: 2k visits booked every few hours!
BEFORE VS. NOW | HISTORY
Poland, Colombia, Spain, Hungary, Peru, Argentina, Brazil, Czech Republic, Germany, Sweden, Ukraine, Austria, Bulgaria, France, India, Italy, Portugal, South Africa, Chile, Turkey, Mexico, Russia, Slovakia
CURRENT MARKETS | HISTORY
• over 100GB of production data
• 17M requests and 100GB of logs every day
• ~2.7M SLOC & 10k new SLOCs every week
• about 30 folks in IT & Product
LET’S TALK NUMBERS | HISTORY
LET’S TALK MONEY | HISTORY
• every startup needs money to grow
• few financing rounds, $34M raised
• $20M raised in last (series C) round
DocPlanner (the monolith):
• relational
• PHP
• monolith
+ Doctoralia:
• mostly non-relational
• C#
• split into a few apps
DOCTORALIA MERGE | HISTORY
• DocPlanner is getting slower
• ~2.7M lines of code
• we want coherence between DocPlanner and Doctoralia
FROM MONOLITH TO MICROSERVICES | SSO
CRM, Opinions, Admin tools, Search, Profile, Moderation, Calendar, Integrations, API, Questions & Answers, Mobile
FROM MONOLITH TO MICROSERVICES | SSO
Authorization
CRM, Questions & Answers, Opinions, Admin tools, Search, Profile, Moderation, Calendar, Integrations, API, Mobile
FROM MONOLITH TO MICROSERVICES | SSO
Authorization
Authentication
CRM, Questions & Answers, Opinions, Admin tools, Search, Profile, Moderation, Calendar, Integrations, API, Mobile
FROM MONOLITH TO MICROSERVICES | SSO
Authorization
Authentication (Form, FB, VK, LDAP, GApps)
CRM, Questions & Answers, Opinions, Admin tools, Search, Profile, Moderation, Calendar, Integrations, API, Mobile
FROM MONOLITH TO MICROSERVICES | SSO
Authentication: Is it really me?
Authorization: Am I allowed (authorized) to do that?
AUTHENTICATION VS. AUTHORIZATION | SSO
Calendar & Integrations: Authorization, Authentication
Q & A: Authorization, Authentication
Search & Profile: Authorization, Authentication
CRM: Authorization, Authentication
Opinions & Moderation: Authorization, Authentication
Admin tools: Authorization, Authentication
FROM MONOLITH TO MICROSERVICES | SSO
Calendar & Integrations: Authorization, LDAP
Q & A: Authorization, Form, FB, VK
Search & Profile: Authorization, Form, FB, VK
CRM: Authorization, LDAP, GApps
Opinions & Moderation: Authorization, Form, FB, VK
Admin tools: Authorization, LDAP, GApps
FROM MONOLITH TO MICROSERVICES | SSO
Search & Profile: Authorization
CRM: Authorization
Calendar & Integrations: Authorization
Opinions & Moderation: Authorization
Q & A: Authorization
Admin tools: Authorization
Authentication: Form, FB, VK, LDAP, GApps
FROM MONOLITH TO MICROSERVICES | SSO
A single place of login into multiple applications (that are compatible with this Single Sign-On)
WHAT IS A SINGLE SIGN-ON | SSO
FROM MONOLITH TO MICROSERVICES | SSO
SRP: Single Responsibility Principle
1. SSO is the only place that authenticates clients and users
2. Other apps and microservices shouldn’t care about authentication
FROM MONOLITH TO MICROSERVICES | SSO
Multiple login methods
SSO Auth
Domain apps or microservices
• product folks want something to be done
• we (devs) want something to be done
• tech requirements
• tech debt
REASONS FOR NEW FEATURES | CHALLENGE WEEK
THE CONCEPT | CHALLENGE WEEK
• find something you want to do
• find a companion
• one week for planning
• one week for coding
• summary day
SSO
Me & Tomek
checked
MVP
FACTS | FORDEC PROCEDURE
• serious plans for building microservices
• authentication layer needs to be decoupled from monolith
• authentication must work in SPAs
• authentication must work in APIs
• ability to log in via 3rd parties (Facebook, LDAP, GApps etc.)
• keeping user data in-house is preferred
• 1-week time limit
OPTIONS | FORDEC PROCEDURE
• share session
• buy SaaS
• install SaaS in-house
• build custom microservice
RISKS & BENEFITS | FORDEC PROCEDURE
SAAS / INSTALLED SAAS
• certain amount of job already done
• learning curve
• possible limitations
• latency
• possible cost-inefficiency
• end-of-life problems (e.g. xpect.io)
PROPRIETARY SOLUTION
• known technologies
• full control over data
• build from scratch
• security benefits
• maintenance time
DECIDE | FORDEC PROCEDURE
We decided to build our own solution after all (there’s always a way to switch to SaaS if needed)
LOGIN FLOW | EXECUTE | FORDEC PROCEDURE
Participants: Client, SSO, 3rd party, Microservice
1. requests auth
2. requests OAuth token
3. returns OAuth token
4. SSO token / redirect
5. requests resource w/ token
6. validates SSO token
7. returns user information
8. returns resource
“REMEMBER ME” FLOW | EXECUTE | FORDEC PROCEDURE
Participants: Client, SSO, 3rd party, Microservice
1. requests auth
2. automatically logs user in
3. SSO token / redirect
4. requests resource w/ token
6. validates SSO token
7. returns user information
8. returns resource
LOGOUT FLOW | EXECUTE | FORDEC PROCEDURE
Participants: Client, SSO, 3rd party, Microservice
1. requests logout
2. revokes access token(s)
3. 204 no content / redirect
4. requests resource w/o token
5. validates SSO token
6. returns no user information
7. 403 unauthorised
DECODED
header: { "alg": "HS256", "typ": "JWT" }
payload: { "sub": "1234567890", "name": "John Doe", "admin": true }
verify signature: HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
ENCODED
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
JWT STRUCTURE | EXECUTE | FORDEC PROCEDURE
PROS
• no additional requests
• SPA friendly
• easily interchangeable w/ access token
• reuses “Authorization: Bearer [token]” header
CONS
• unaware of changes
• valid forever
• cannot be invalidated
JWT PROS & CONS | EXECUTE | FORDEC PROCEDURE
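Added example, not from the deck or from DocPlanner's code: it carries the slide's HMACSHA256 formula through in Python (the verifier's language, rather than the deck's PHP stack), reproduces the slide's sample token, and shows how a validator at the "validates SSO token" step can address the two cons above with an `exp` claim and a `jti` revocation list. The signing secret of the sample token is assumed to be the string "secret" (jwt.io's historical default); `exp`, `jti`, `REVOKED_JTI` and `revoke` are assumptions of this example, not claims the deck makes about the DocPlanner SSO.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The slide's jwt.io sample token; its signing secret is assumed here to be the string "secret".
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
              "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")
REVOKED_JTI = set()  # constructed in-memory denylist, consulted by the "validates SSO token" step

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """header.payload.signature, built exactly as the slide's HMACSHA256 formula describes."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact({"alg": "HS256", "typ": "JWT"})) + "." + b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and not revoked, else None."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it (e.g. alg=none)
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time signature check
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:  # addresses the "valid forever" con
        return None
    if claims.get("jti") in REVOKED_JTI:  # addresses the "cannot be invalidated" con
        return None
    return claims

def revoke(jti: str) -> None:
    REVOKED_JTI.add(jti)  # what the logout flow's "revokes access token(s)" step does in this model
```

The denylist only works if the SSO is asked at every "validates SSO token" step; a microservice that checks the signature locally and skips that call keeps the "cannot be invalidated" con.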
EXAMPLE STACK | EXECUTE | FORDEC PROCEDURE
• Symfony 3
• FOSOAuthServer - for integrating microservices with SSO
• HWIOAuthBundle - for integrating SSO with 3rd parties
• NelmioCorsBundle - for allowing SPAs to communicate with SSO
in-house tests → feedback → adjustments → few smaller markets → feedback → adjustments → big market → feedback → adjustments → everywhere
DEPLOYMENT STRATEGY | EXECUTE | FORDEC PROCEDURE
• manages every state of a feature
  • disabled
  • enabled in-house
  • enabled everywhere
  • separated by locale
• state switch takes seconds
• syncs with app caches
GATEKEEPER | EXECUTE | FORDEC PROCEDURE
GATEKEEPER | EXECUTE | FORDEC PROCEDURE
• Available on GitHub (ZnanyLekarz/GateKeeper)
• lightweight and cached
• integrated w/ Symfony
USER EXPERIENCE | BENEFITS
• entry point for Doctoralia
• consistent flow
• process transparency
• single-click login is a time saver
• login to every microservice via 3rd parties
• users and employees happier
SECURITY | BENEFITS
• only 1 place where users are prompted for their passwords
• microservices are unaware of users’ credentials
• a place to manage users’ accounts and login sessions
• ability to logout from many services at once
• easy user/application banning
DEVELOPER EXPERIENCE | BENEFITS
• fun and satisfaction :)
• separated codebase
• easy to connect new microservices