Our road to Single Sign-On, DocPlanner

OUR ROAD TO SINGLE SIGN-ON

Transcript of Our road to Single Sign-On, DocPlanner


Maciej Szkamruk (@ex3v)

• backend dev @ activation team

• joined DP ~1.5 years ago

• huge fan of cooking, cheap memes and code that really helps people

Tomasz Wojcik (@prgTW)

• backend dev @ CRM team

• been with DP since dinosaurs

• worships Grumpy Cat, morning coffee and code reviews in the middle of the night

WHO ARE WE?


We are DocPlanner: we help people find doctors online

WHO ARE WE?


A BIT OF HISTORY


HOW IT ALL STARTED | HISTORY

• branched off from GoldenLine

• founded to share opinions about doctors

• ads were the only source of income

• about 5 people onboard


CALENDAR - MVP THAT GOT SERIOUS | HISTORY

• first step: mockups only

• visitors were curious about it, so we built an MVP

• first deals with doctors

• 2k visits booked during 1st quarter

BEFORE VS. NOW | HISTORY

• ~4 years ago: 2k visits booked during the 1st quarter

• today: 2k visits booked every few hours!


Poland

FIRST MARKET | HISTORY

CURRENT MARKETS | HISTORY

Poland, Colombia, Spain, Hungary, Peru, Argentina, Brazil, Czech Republic, Germany, Sweden, Ukraine, Austria, Bulgaria, France, India, Italy, Portugal, South Africa, Chile, Turkey, Mexico, Russia, Slovakia

• over 100GB of production data

• 17M requests and 100GB of logs every day

• ~2.7M SLOC & 10k new SLOCs every week

• about 30 folks in IT & Product

LET’S TALK NUMBERS | HISTORY


LET’S TALK MONEY | HISTORY

• every startup needs money to grow

• few financing rounds, $34M raised

• $20M raised in last (series C) round


DOCTORALIA MERGE | HISTORY

DocPlanner + Doctoralia

DocPlanner:

• relational

• PHP

• monolith

Doctoralia:

• mostly non-relational

• C#

• split into a few apps

OK, BUT WHERE’S SSO IN IT?


FROM MONOLITH TO MICROSERVICES | SSO

The Ugly Monolith


• DocPlanner is getting slower

• ~2.7M lines of code

• we want coherence between DocPlanner and Doctoralia

FROM MONOLITH TO MICROSERVICES | SSO


FROM MONOLITH TO MICROSERVICES | SSO

Modules of the monolith: CRM, Opinions, Admin tools, Search, Profile, Moderation, Calendar, Integrations, API, Questions & Answers, Mobile

Cross-cutting concerns shared by all of them:

• Authorization

• Authentication (Form, FB, VK, LDAP, GApps)

Authentication: Is it really me?

Authorization: Am I allowed (authorized) to do that?

AUTHENTICATION VS. AUTHORIZATION | SSO


FROM MONOLITH TO MICROSERVICES | SSO

Step 1: every app carries both concerns itself

• Calendar / Integrations: Authorization, Authentication

• Q & A: Authorization, Authentication

• Search / Profile: Authorization, Authentication

• CRM: Authorization, Authentication

• Opinions / Moderation: Authorization, Authentication

• Admin tools: Authorization, Authentication

Step 2: each app's authentication comes with its own login methods

• Calendar / Integrations: Authorization + LDAP

• Q & A: Authorization + Form, FB, VK

• Search / Profile: Authorization + Form, FB, VK

• CRM: Authorization + LDAP, GApps

• Opinions / Moderation: Authorization + Form, FB, VK

• Admin tools: Authorization + LDAP, GApps

Step 3: authentication is pulled out into one shared place

• Search / Profile, CRM, Calendar / Integrations, Opinions / Moderation, Q & A, Admin tools: Authorization only

• Authentication: Form, FB, VK, LDAP, GApps

A single place of login into multiple applications (that are compatible with this Single Sign-On)

WHAT IS A SINGLE SIGN-ON | SSO


FROM MONOLITH TO MICROSERVICES | SSO

SRP - Single Responsibility Principle

1. SSO is the only place that authenticates clients and users

2. Other apps and microservices shouldn’t care about authentication

FROM MONOLITH TO MICROSERVICES | SSO

Diagram: multiple login methods → SSO Auth → domain apps or microservices

FROM MONOLITH TO MICROSERVICES | SSO

MUCH LOGIN METHODS

WOW


HOW TO ACHIEVE THE GOAL (CHALLENGE WEEK)


• product folks want something done

• we (devs) want something done

• tech requirements

• tech debt

REASONS FOR NEW FEATURES | CHALLENGE WEEK


THE CONCEPT | CHALLENGE WEEK

• find something you want to do

• find a companion

• one week for planning

• one week for coding

• summary day

Our take: SSO, Me & Tomek, checked, MVP

IMPLEMENTATION (FORDEC PROCEDURE)


FACTS | FORDEC PROCEDURE

• serious plans for building microservices

• authentication layer needs to be decoupled from monolith

• authentication must work in SPAs

• authentication must work in APIs

• ability to log in via 3rd parties (Facebook, LDAP, GApps etc.)

• keeping user data in-house is preferred

• 1-week time limit


OPTIONS | FORDEC PROCEDURE

• share session

• buy SaaS

• install SaaS in-house

• build custom microservice


RISKS & BENEFITS | FORDEC PROCEDURE

Proprietary solution:

• known technologies

• full control over data

• build from scratch

• security benefits

• maintenance time

SaaS / installed SaaS:

• certain amount of job already done

• learning curve

• possible limitations

• latency

• possible cost-inefficiency

• end-of-life problems (e.g. xpect.io)

DECIDE | FORDEC PROCEDURE

We decided to build our own solution after all (there’s always a way to switch to SaaS if needed)


EXECUTE | FORDEC PROCEDURE

Actors in the flow diagrams: Client, Microservice, SSO, 3rd party

LOGIN FLOW | EXECUTE | FORDEC PROCEDURE

1. Client → SSO: requests auth

2. SSO → 3rd party: requests OAuth token

3. 3rd party → SSO: returns OAuth token

4. SSO → Client: SSO token / redirect

5. Client → Microservice: requests resource w/ token

6. Microservice → SSO: validates SSO token

7. SSO → Microservice: returns user information

8. Microservice → Client: returns resource

“REMEMBER ME” FLOW | EXECUTE | FORDEC PROCEDURE

1. Client → SSO: requests auth

2. SSO: automatically logs user in

3. SSO → Client: SSO token / redirect

4. Client → Microservice: requests resource w/ token

6. Microservice → SSO: validates SSO token

7. SSO → Microservice: returns user information

8. Microservice → Client: returns resource

LOGOUT FLOW | EXECUTE | FORDEC PROCEDURE

1. Client → SSO: requests logout

2. SSO: revokes access token(s)

3. SSO → Client: 204 no content / redirect

4. Client → Microservice: requests resource w/o token

5. Microservice → SSO: validates SSO token

6. SSO → Microservice: returns no user information

7. Microservice → Client: 403 unauthorised

We could use JWT

JWT | EXECUTE | FORDEC PROCEDURE


JWT STRUCTURE | EXECUTE | FORDEC PROCEDURE

header:

{ "alg": "HS256", "typ": "JWT" }

payload:

{ "sub": "1234567890", "name": "John Doe", "admin": true }

signature:

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

encoded token (header.payload.signature):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

JWT PROS & CONS | EXECUTE | FORDEC PROCEDURE

Pros:

• no additional requests

• SPA friendly

• easily interchangeable w/ access token

• reuses “Authorization: Bearer [token]” header

Cons:

• unaware of changes

• valid forever

• cannot be invalidated
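An added example (not from the talk and not DocPlanner's code) that builds and checks the HS256 token structure from the JWT slide with only the Python standard library: it decodes the slide's sample token, signs a constructed payload under a made-up key, and shows how the two cons listed above are mitigated with an exp claim plus a server-side revocation set of the kind the SSO's "validates SSO token" step can consult. The key, claims and token IDs are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
# Token from the slide (the public jwt.io sample); used here only as decode input.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
              "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")

def b64url(data):
    # base64url without padding, as JWT requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_unverified(token):
    # Split header.payload.signature and parse the JSON parts; no signature check.
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign(payload, secret):
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token, secret, revoked=frozenset(), now=None):
    # Returns the payload if acceptable, else None. 'exp' bounds "valid forever"; the
    # revocation set (what the SSO's "validates SSO token" step consults) makes logout bite.
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin alg, never trust the token's
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    if payload.get("jti") in revoked:
        return None
    return payload
```

The revocation set stands in for whatever store the SSO keeps its "revokes access token(s)" state in; without it, a stateless verifier keeps accepting the token after logout.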

EXAMPLE STACK | EXECUTE | FORDEC PROCEDURE

• Symfony 3

• FOSOAuthServer - for integrating microservices with SSO

• HWIOAuthBundle - for integrating SSO with 3rd parties

• NelmioCorsBundle - for allowing SPAs to communicate with SSO


HOW TO DEPLOY IT?


DEPLOYMENT STRATEGY | EXECUTE | FORDEC PROCEDURE

in-house tests → feedback, adjustments → few smaller markets → feedback, adjustments → big market → feedback, adjustments → everywhere

GATEKEEPER | EXECUTE | FORDEC PROCEDURE

GateKeeper


• manages every state of a feature:

  • disabled

  • enabled in-house

  • enabled everywhere

• separated by locale

• state switch takes seconds

• syncs with app caches

GATEKEEPER | EXECUTE | FORDEC PROCEDURE


GATEKEEPER - HOW TO USE IT? | EXECUTE | FORDEC PROCEDURE


GATEKEEPER | EXECUTE | FORDEC PROCEDURE

• Available on GitHub (ZnanyLekarz/GateKeeper)

• lightweight and cached

• integrated w/ Symfony


BENEFITS


USER EXPERIENCE | BENEFITS

• entry point for Doctoralia

• consistent flow

• process transparency

• single-click login is a time saver

• login to every microservice via 3rd parties

• users and employees happier


SECURITY | BENEFITS

• only 1 place where users are prompted for their passwords

• microservices are unaware of users’ credentials

• a place to manage users’ accounts and login sessions

• ability to log out from many services at once

• easy user/application banning


DEVELOPER EXPERIENCE | BENEFITS

• fun and satisfaction :)

• separated codebase

• easy to connect new microservices


REMEMBER

Sometimes a week is all it takes!


THANK YOU!

docplanner.com/career

Join us!