User & Device Identity
For Microservices
@ Netflix Scale
Satyajit Thadeshwar
QCon San Francisco 2019
Watch the video with slide synchronization on InfoQ.com!
https://www.infoq.com/presentations/netflix-user-identity/
Presented at QCon San Francisco
www.qconsf.com
User & Device Identity for Microservices @ Netflix Scale
Satyajit Thadeshwar
Logged out?
#$%&!
[Chart: CoreStreamingMetric over Time, Current vs. Last Week]
Satyajit Thadeshwar
Product Edge Access Systems
sthadeshwar@netflix.com
Complicated
9 teams
57 watchers
Netflix subscribers and the devices that they use
Where we were
What we did
Wins
Where we were
[Diagram: User Login
 Tiers: EDGE (Zuul), ORIGIN (API), MID-TIER SERVICES (Netflix Microservices: auth service)
 Request: /login with Email: jsmith@gmail.com, Password: ********, ESN: LGTV20165-193456G568
 Response labels: success, Set-Cookie
 Shown alongside Set-Cookie: customerId: 10192378, ESN: LGTV20165-193456G568, Expires: In 8 hours]
[Diagram: Authenticate Request
 Tiers: EDGE (Zuul), ORIGIN (API), MID-TIER SERVICES (Netflix Microservices); a KEY MANAGEMENT SERVICE box is also shown
 Request: /browse
 Labels: success; customerId: 10192378, ESN: LGTV20165-193456G568]
More than one service consuming cookies
[Diagram: tiers EDGE, ORIGINS, MID-TIER SERVICES
 Boxes: Zuul, API, Device Auth Service, Legacy API, Netflix Microservices, SIGNUP FLOW SERVICE, subscriber, auth service, lolomo / Search, DRM, Other services
 Paths shown: /ios, /android, /atv, ...]
At massive scale
Netflix
158M+ subscribers
1B+ devices
2M peak RPS
[Diagram: Authenticate Request / Extract Identity, with API (ORIGIN) and KEY MANAGEMENT SERVICE = 2 million Requests Per Second]
More than one token type
Cookies
- Signup
- Login (Sign-in)
- Discovery
MSL Tokens
- Device authentication
- Encryption
- License
- Playback
Message Security Layer (MSL): https://www.infoq.com/news/2014/11/netflix-msl/
CTicket
- Legacy devices
Partner Tokens
- JWS, JWE
- Non-member experiences
Where we were
- Multiple services consuming auth tokens
- Multiple types of auth tokens
- Massive scale
- Inefficient, insecure & complicated
[Diagram: tiers EDGE, ORIGINS, MID-TIER SERVICES
 Boxes: Zuul, API, Device Auth Service, Legacy API, Netflix Microservices, SIGNUP FLOW SERVICE, subscriber, auth service, NodeJS Services, Lolomo / Search, DRM, Other services, Discovery API, Playback API]
What we did
Moved authentication to the edge
[Diagram: tiers EDGE, ORIGINS, MID-TIER SERVICES
 Boxes: Zuul, API, Device Auth Service, Legacy API, Netflix Microservices, SIGNUP FLOW SERVICE, subscriber, auth service, NodeJS Services, Lolomo / Search, DRM, Other services, Discovery API, Playback API
 Added: EDGE AUTHENTICATION SERVICES (EAS): Cookie Service, MSL Service, Partner Service]
[Diagram: Zuul (EDGE) and EAS (Cookie Service, MSL Service, Partner Service)
 Labels: "valid and not expired", "renewal / device auth / key exchange", 95%, 5%]
[Diagram sequence: Zuul (EDGE) and EAS (Cookie Service), cookie "valid but expired"
 Labels across the builds: renewal call; renewal call failed; renewal call rescheduled; resolved identity; rescheduled cookie]
Passport
- Identity structure created at the edge for each request
- Contains user & device identity
- Internal to Netflix ecosystem
- Integrity protected by HMAC
- Protobuf format
message Passport {
    Header header = 1;
    UserInfo user_info = 2;
    DeviceInfo device_info = 3;
    Integrity user_integrity = 4;
    Integrity device_integrity = 5;
}

message Header {
    string originator = 1;
}

message UserInfo {
    Source source = 1;
    AuthenticationLevel auth_level = 2;
    Int64Wrapper customer_id = 3;
    Int64Wrapper account_owner_id = 4;
    repeated UserAction actions = 6;
}

message DeviceInfo {
    Source source = 1;
    AuthenticationLevel auth_level = 2;
    StringValue esn = 3;
    Int32Value device_type = 4;
    repeated DeviceAction actions = 5;
}

enum Source {
    COOKIE = 1;
    MSL = 2;
    PARTNER_TOKEN = 3;
    CTICKET = 4;
}

enum AuthenticationLevel {
    LOW = 1; // untrusted transport
    HIGH = 2; // secure tokens over TLS
    HIGHEST = 3; // MSL or user credentials
}

message Integrity {
    string key_name = 1;
    bytes hmac = 2;
}
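Added example (not from the talk and not Netflix code): how a downstream consumer could check a Passport-style Integrity record before trusting the user identity, and then use auth_level for an authorization decision. The HMAC algorithm (HmacSHA256), the fixed byte layout standing in for the protobuf serialization, the key names and all class and method names are assumptions; the device_info / device_integrity pair would follow the same pattern.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustration only: HMAC integrity check for a Passport-like UserInfo (needs Java 16+ for records). */
public class PassportIntegrityDemo {

    // Same ordering as the slide's enum: LOW < HIGH < HIGHEST.
    enum AuthenticationLevel { LOW, HIGH, HIGHEST }

    // Stand-in for UserInfo. A real passport is protobuf; this demo uses a fixed binary layout.
    record UserInfo(String source, AuthenticationLevel authLevel, long customerId) {
        byte[] canonicalBytes() {
            byte[] src = source.getBytes(StandardCharsets.UTF_8);
            return ByteBuffer.allocate(Integer.BYTES + src.length + Integer.BYTES + Long.BYTES)
                    .putInt(src.length).put(src)   // length prefix keeps field boundaries unambiguous
                    .putInt(authLevel.ordinal())
                    .putLong(customerId)
                    .array();
        }
    }

    // Mirrors the slide's Integrity message: the name of the key used, and the MAC.
    record Integrity(String keyName, byte[] hmac) {}

    // Constructed demo keys. Two entries show how key_name lets an old and a new key
    // stay valid side by side during rotation.
    static final Map<String, byte[]> KEYS = Map.of(
            "demo-key-v1", "constructed-demo-secret-one-0000".getBytes(StandardCharsets.UTF_8),
            "demo-key-v2", "constructed-demo-secret-two-0000".getBytes(StandardCharsets.UTF_8));

    static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256"); // assumption: the slides only say "HMAC"
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Edge side: compute the MAC over the identity under a named key. */
    static Integrity sign(String keyName, UserInfo info) throws GeneralSecurityException {
        byte[] key = KEYS.get(keyName);
        if (key == null) {
            throw new IllegalArgumentException("unknown key name: " + keyName);
        }
        return new Integrity(keyName, hmac(key, info.canonicalBytes()));
    }

    /** Consumer side: fail closed on a missing record, an unknown key name or a MAC mismatch. */
    static boolean verify(UserInfo info, Integrity integrity) throws GeneralSecurityException {
        if (integrity == null || integrity.keyName() == null || integrity.hmac() == null) {
            return false;
        }
        byte[] key = KEYS.get(integrity.keyName());
        if (key == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, so the check leaks no prefix match.
        return MessageDigest.isEqual(hmac(key, info.canonicalBytes()), integrity.hmac());
    }

    /** Authorization decision: identity must verify AND meet the required authentication level. */
    static boolean authorize(UserInfo info, Integrity integrity, AuthenticationLevel required)
            throws GeneralSecurityException {
        return verify(info, integrity) && info.authLevel().compareTo(required) >= 0;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // customerId is the sample value from the slides; the rest is constructed.
        UserInfo user = new UserInfo("COOKIE", AuthenticationLevel.HIGH, 10192378L);
        Integrity tag = sign("demo-key-v2", user);
        System.out.println("untampered passport verifies:  " + verify(user, tag));

        // Same MAC, but auth_level raised after signing: must not verify.
        UserInfo raised = new UserInfo("COOKIE", AuthenticationLevel.HIGHEST, 10192378L);
        System.out.println("raised auth_level verifies:    " + verify(raised, tag));

        // Integrity record naming a key the consumer does not hold: must not verify.
        Integrity unknownKey = new Integrity("demo-key-v0", tag.hmac());
        System.out.println("unknown key_name verifies:     " + verify(user, unknownKey));

        // A passport signed under the older key still verifies while both keys are configured.
        System.out.println("older key still verifies:      " + verify(user, sign("demo-key-v1", user)));

        System.out.println("authorized at HIGH:            "
                + authorize(user, tag, AuthenticationLevel.HIGH));
        System.out.println("authorized at HIGHEST:         "
                + authorize(user, tag, AuthenticationLevel.HIGHEST));
    }
}
```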
Passport Introspector
- Wrapper over passport binary data

public interface PassportIntrospector {
    Long getCustomerId();
    Long getAccountOwnerId();
    String getEsn();
    String getPassportAsString();
    ...
}

- Consumers create passportIntrospector from binary passport data

factory.createIntrospector(passport);
Tooling
Self-service tool for teams to decrypt passport
Passport Actions

message UserInfo {
    repeated UserAction actions = 6;
    ...
}

message DeviceInfo {
    repeated DeviceAction actions = 5;
    ...
}

- Explicit signal sent by the downstream services, when an update to user or device identity has been performed
- This "signal" is used by EAS to either create or update the corresponding type of token
Passport Action: User Login
[Diagram: /login request with Email: jsmith@gmail.com, Password: ********, ESN: LGTV20165-193456G568
 Tiers: EDGE (Zuul), ORIGIN (API), MID-TIER SERVICES (Netflix Microservices: auth service)
 Labels: (Device Bound), user login, success, Set-Cookie, Cookie Service]
Passport Action: Profile Switch
- Each profile has its own identity
- Switched profile tokens sent back to the device
Passport Actions
- Separation Of Concerns
- Increased Visibility
What we did
- Moved authentication to the edge
- Streamlined the identity resolution and mutation path
- Making consumption of user & device identity
- Efficient, secure & simple
Wins

Token Agnostic Identity
Downstream systems don't have to worry about authentication concerns

Simplified Authorization
Downstream services use authentication level for authorization decisions
Before:
long customerId = 2123125603L;
String ESN = "NFXBOX-235F…";

Extensible Identity Model
New attributes about user or device can be added

Local cache for up to date subscriber data
message UserInfo {
    BytesValue subscriber_account
    ...
}
Placeholder for local cache of subscriber data

Offloaded & Fine Tuned
Offloaded token processing, which resulted in significant gains for
- CPU
- Request Latency
- GC
- Cluster Footprint
We were able to fine-tune EAS systems based on the token processing profile
- 30% reduction in CPU cost per request
- 40% reduction in load average
[Chart: CPU to RPS ratio for API instance]
- 30% reduction in average latency
- 99th percentile latency dropping by 20%
[Chart: Response time for API instance]
- Significant reduction in GC pressure and GC pause times
[Chart: Stop the world GC for API cluster]

Increased Visibility
Increased visibility into identities flowing in and out of Netflix ecosystem
...and into the identity mutations happening in a request

Developer Velocity
Greatly increased developer velocity for authentication related changes

Team focused on security
Separation of concerns among the teams

Key Takeaways
- Token agnostic identity model
- Simplified authorization
- Extensible identity model
- Offloaded all the token processing from many systems
- Fine tuned individual microservices to suit the token processing profile
- Increased visibility into identities flowing and corresponding mutations
- Increased developer velocity for authentication & identity related changes
- Team focused on security
Thank You.
Satyajit Thadeshwar
sthadeshwar@netflix.com
https://www.linkedin.com/in/satyajit-thadeshwar
C4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
C4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
C4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
C4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
C4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
C4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
C4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
C4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
C4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
C4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
C4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
C4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
C4Media
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
C4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy Mobile
C4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020
C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java Applications
C4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No Keeper
C4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like Owners
C4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
C4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate Guide
C4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
C4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
C4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
C4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
C4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
C4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
C4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
C4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
C4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
C4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
C4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
C4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
C4Media
 
Ad

Recently uploaded (20)

Salesforce AI Associate 2 of 2 Certification.docx
Salesforce AI Associate 2 of 2 Certification.docxSalesforce AI Associate 2 of 2 Certification.docx
Salesforce AI Associate 2 of 2 Certification.docx
José Enrique López Rivera
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Automation Dreamin': Capture User Feedback From Anywhere
Automation Dreamin': Capture User Feedback From AnywhereAutomation Dreamin': Capture User Feedback From Anywhere
Automation Dreamin': Capture User Feedback From Anywhere
Lynda Kane
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
"Rebranding for Growth", Anna Velykoivanenko
"Rebranding for Growth", Anna Velykoivanenko"Rebranding for Growth", Anna Velykoivanenko
"Rebranding for Growth", Anna Velykoivanenko
Fwdays
 
Learn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step GuideLearn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step Guide
Marcel David
 
"PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System""PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System"
Jainul Musani
 
Asthma presentación en inglés abril 2025 pdf
Asthma presentación en inglés abril 2025 pdfAsthma presentación en inglés abril 2025 pdf
Asthma presentación en inglés abril 2025 pdf
VanessaRaudez
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Image processinglab image processing image processing
Image processinglab image processing  image processingImage processinglab image processing  image processing
Image processinglab image processing image processing
RaghadHany
 
Rock, Paper, Scissors: An Apex Map Learning Journey
Rock, Paper, Scissors: An Apex Map Learning JourneyRock, Paper, Scissors: An Apex Map Learning Journey
Rock, Paper, Scissors: An Apex Map Learning Journey
Lynda Kane
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Salesforce AI Associate 2 of 2 Certification.docx
Salesforce AI Associate 2 of 2 Certification.docxSalesforce AI Associate 2 of 2 Certification.docx
Salesforce AI Associate 2 of 2 Certification.docx
José Enrique López Rivera
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Automation Dreamin': Capture User Feedback From Anywhere
Automation Dreamin': Capture User Feedback From AnywhereAutomation Dreamin': Capture User Feedback From Anywhere
Automation Dreamin': Capture User Feedback From Anywhere
Lynda Kane
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
"Rebranding for Growth", Anna Velykoivanenko
"Rebranding for Growth", Anna Velykoivanenko"Rebranding for Growth", Anna Velykoivanenko
"Rebranding for Growth", Anna Velykoivanenko
Fwdays
 
Learn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step GuideLearn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step Guide
Marcel David
 
"PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System""PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System"
Jainul Musani
 
Asthma presentación en inglés abril 2025 pdf
Asthma presentación en inglés abril 2025 pdfAsthma presentación en inglés abril 2025 pdf
Asthma presentación en inglés abril 2025 pdf
VanessaRaudez
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Image processinglab image processing image processing
Image processinglab image processing  image processingImage processinglab image processing  image processing
Image processinglab image processing image processing
RaghadHany
 
Rock, Paper, Scissors: An Apex Map Learning Journey
Rock, Paper, Scissors: An Apex Map Learning JourneyRock, Paper, Scissors: An Apex Map Learning Journey
Rock, Paper, Scissors: An Apex Map Learning Journey
Lynda Kane
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Ad

User & Device Identity for Microservices @ Netflix Scale

  • 1. User & Device Identity For Microservices @ Netflix Scale Satyajit Thadeshwar QCon San Francisco 2019
  • 4-5. Logged out? #$%&!
  • 6. Chart: CoreStreamingMetric over Time (Current vs. Last Week)
  • 7. Satyajit Thadeshwar, Product Edge Access Systems, sthadeshwar@netflix.com
  • 8. Complicated
  • 10. 9 teams, 57 watchers
  • 11. Netflix subscribers and the devices that they use
  • 12. Where we were; What we did; Wins
  • 13. Where we were
  • 14. Zuul EDGE Email: [email protected] Password: ******** ESN: LGTV20165-193456G568 User Login
  • 15. Zuul API EDGE ORIGIN Email: [email protected] Password: ******** ESN: LGTV20165-193456G568 /login User Login
  • 16. Zuul API Netflix Microservices auth service EDGE ORIGIN MID-TIER SERVICES Email: [email protected] Password: ******** ESN: LGTV20165-193456G568 /login success User Login
  • 17. Zuul API Netflix Microservices auth service EDGE ORIGIN MID-TIER SERVICES Email: [email protected] Password: ******** ESN: LGTV20165-193456G568 /login success User Login customerId: 10192378 ESN: LGTV20165-193456G568 Expires: In 8 hours
  • 18. Zuul API Netflix Microservices auth service EDGE ORIGIN MID-TIER SERVICES Email: [email protected] Password: ******** ESN: LGTV20165-193456G568 /login success Set-Cookie User Login customerId: 10192378 ESN: LGTV20165-193456G568 Expires: In 8 hours
  • 19. Zuul EDGE Authenticate Request /browse
  • 20. Zuul API EDGE ORIGIN /browse Authenticate Request /browse
  • 21. Zuul API EDGE ORIGIN /browse Authenticate Request success KEY MANAGEMENT SERVICE /browse
  • 22-23. Zuul API Netflix Microservices EDGE ORIGIN /browse Authenticate Request success MID-TIER SERVICES customerId: 10192378 ESN: LGTV20165-193456G568 KEY MANAGEMENT SERVICE /browse
  • 24. More than one service consuming cookies
  • 25. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service lolomo / Search DRM Other services EDGE ORIGINS MID-TIER SERVICES
  • 26. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service lolomo / Search DRM Other services EDGE ORIGINS MID-TIER SERVICES /ios /android /atv ...
  • 27-30. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service lolomo / Search DRM Other services EDGE ORIGINS MID-TIER SERVICES
  • 31. At massive scale
  • 32. Netflix 158M+ subscribers
  • 33. Netflix 158M+ subscribers 1B+ devices
  • 34. Netflix 158M+ subscribers 1B+ devices 2M peak RPS
  • 35. Authenticate Request / Extract Identity API ORIGIN KEY MANAGEMENT SERVICE = 2 million Requests Per Second
  • 36. More than one token type
  • 37. Cookies
  • 38. Cookies - Signup
  • 39. Cookies - Signup - Login
  • 40. Cookies - Signup - Login - Discovery
  • 41. MSL Tokens - Device authentication - Encryption Message Security Layer (MSL) https://www.infoq.com/news/2014/11/netflix-msl/
  • 42. MSL Tokens - License - Playback
  • 43. CTicket - Legacy devices
  • 44. Partner Tokens - JWS, JWE - Non-member experiences
  • 45. Cookies: Signup, Sign-in, Discovery; MSL Tokens: License, Playback; CTicket: Legacy devices; Partner Tokens (JWS, JWE): Non-member experience
  • 46. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service lolomo / Search DRM Other services EDGE ORIGINS MID-TIER SERVICES
  • 47. Where we were: - Multiple services consuming auth tokens - Multiple types of auth tokens - Massive scale - Inefficient, insecure & complicated
  • 48. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service lolomo / Search DRM Other services EDGE ORIGINS MID-TIER SERVICES
  • 49. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service EDGE ORIGINS MID-TIER SERVICES NodeJS Services Lolomo / Search DRM Other services Discovery API Playback API
  • 50. What we did
  • 51. Moved authentication to the edge
  • 52. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service EDGE ORIGINS MID-TIER SERVICES NodeJS Services Lolomo / Search DRM Other services Discovery API Playback API
  • 53. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service EDGE ORIGINS MID-TIER SERVICES NodeJS Services Lolomo / Search DRM Other services Discovery API Playback API Cookie Service MSL Service Partner Service EAS
  • 54. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service EDGE ORIGINS MID-TIER SERVICES NodeJS Services Lolomo / Search DRM Other services Discovery API Playback API Cookie Service MSL Service Partner Service EAS EDGE AUTHENTICATION SERVICES
  • 55. Zuul EDGE EAS renewal / device auth / key exchange Cookie Service MSL Service Partner Service valid and not expired 95% 5%
  • 56. Zuul EDGE Cookie Service EAS valid but expired renewal call
  • 57. Zuul EDGE Cookie Service EAS valid but expired renewal call failed
  • 58. Zuul EDGE Cookie Service EAS valid but expired renewal call rescheduled resolved identity
  • 59. Zuul EDGE Cookie Service EAS valid but expired renewal call rescheduled rescheduled cookie resolved identity
  • 60-61. Zuul API Device Auth Service Legacy API Netflix Microservices SIGNUP FLOW SERVICE subscriber auth service EDGE ORIGINS MID-TIER SERVICES NodeJS Services Lolomo / Search DRM Other services Discovery API Playback API Cookie Service MSL Service Partner Service EAS EDGE AUTHENTICATION SERVICES
  • 62. Passport
  • 63. Passport - Identity structure created at the edge for each request
  • 64. Passport - Identity structure created at the edge for each request - Contains user & device identity
  • 65. Passport - Identity structure created at the edge for each request - Contains user & device identity - Internal to Netflix ecosystem
  • 66. Passport - Identity structure created at the edge for each request - Contains user & device identity - Internal to Netflix ecosystem - Integrity protected by HMAC
  • 67. Passport - Identity structure created at the edge for each request - Contains user & device identity - Internal to Netflix ecosystem - Integrity protected by HMAC - Protobuf format
  • 68. User & Device Identity for Microservices @ Netflix Scale Satyajit Thadeshwar Passport message Passport { Header header = 1; UserInfo user_info = 2; DeviceInfo device_info = 3; Integrity user_integrity = 4; Integrity device_integrity = 5; }
  • 69. User & Device Identity for Microservices @ Netflix Scale Satyajit Thadeshwar Passport message Passport { Header header = 1; UserInfo user_info = 2; DeviceInfo device_info = 3; Integrity user_integrity = 4; Integrity device_integrity = 5; } message Header { string originator = 1; }
  • 71. Passport
      message Passport {
        Header header = 1;
        UserInfo user_info = 2;
        DeviceInfo device_info = 3;
        Integrity user_integrity = 4;
        Integrity device_integrity = 5;
      }
      message UserInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
        Int64Wrapper customer_id = 3;
        Int64Wrapper account_owner_id = 4;
        repeated UserAction actions = 6;
      }
  • 72. Passport
      message Passport {
        Header header = 1;
        UserInfo user_info = 2;
        DeviceInfo device_info = 3;
        Integrity user_integrity = 4;
        Integrity device_integrity = 5;
      }
      message DeviceInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
        StringValue esn = 3;
        Int32Value device_type = 4;
        repeated DeviceAction actions = 5;
      }
  • 73. Passport
      message UserInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
      }
      message DeviceInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
      }
  • 74. Passport
      message UserInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
      }
      message DeviceInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
      }
      enum Source {
        COOKIE = 1;
        MSL = 2;
        PARTNER_TOKEN = 3;
        CTICKET = 4;
      }
  • 75. Passport
      message UserInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
      }
      message DeviceInfo {
        Source source = 1;
        AuthenticationLevel auth_level = 2;
      }
      enum AuthenticationLevel {
        LOW = 1;      // untrusted transport
        HIGH = 2;     // secure tokens over TLS
        HIGHEST = 3;  // MSL or user credentials
      }
  • 76. Passport
      message Passport {
        Header header = 1;
        UserInfo user_info = 2;
        DeviceInfo device_info = 3;
        Integrity user_integrity = 4;
        Integrity device_integrity = 5;
      }
      message Integrity {
        string key_name = 1;
        bytes hmac = 2;
      }
  • 77. Passport Introspector
      - Wrapper over passport binary data
  • 78. Passport Introspector
      - Wrapper over passport binary data
      public interface PassportIntrospector {
        Long getCustomerId();
        Long getAccountOwnerId();
        String getEsn();
        String getPassportAsString();
        ...
      }
  • 79. Passport Introspector
      - Wrapper over passport binary data
      public interface PassportIntrospector {
        Long getCustomerId();
        Long getAccountOwnerId();
        String getEsn();
        String getPassportAsString();
        ...
      }
      - Consumers create passportIntrospector from binary passport data
      factory.createIntrospector(passport);
  • 80. Tooling: Self-service tool for teams to decrypt passport
  • 81. Passport Actions
      message UserInfo {
        repeated UserAction actions = 6;
        ...
      }
      message DeviceInfo {
        repeated DeviceAction actions = 5;
        ...
      }
  • 82. Passport Actions
      message UserInfo {
        repeated UserAction actions = 6;
        ...
      }
      message DeviceInfo {
        repeated DeviceAction actions = 5;
        ...
      }
      - Explicit signal sent by the downstream services, when an update to user or device identity has been performed
  • 83. Passport Actions
      message UserInfo {
        repeated UserAction actions = 6;
        ...
      }
      message DeviceInfo {
        repeated DeviceAction actions = 5;
        ...
      }
      - Explicit signal sent by the downstream services, when an update to user or device identity has been performed
      - This "signal" is used by EAS to either create or update the corresponding type of token
  • 84. Passport Action
  • 85. Passport Action: User Login
  • 86. Passport Action: User Login
      [Diagram labels: EDGE, Zuul. Request fields: Email: [email protected], Password: ********, ESN: LGTV20165-193456G568]
  • 87. Passport Action: User Login
      [Diagram labels: EDGE, Zuul, ORIGIN, API, /login, (Device Bound). Request fields: Email: [email protected], Password: ********, ESN: LGTV20165-193456G568]
  • 88. Passport Action: User Login
      [Diagram labels: EDGE, Zuul, ORIGIN, API, MID-TIER SERVICES, Netflix Microservices, auth service, /login, success, (Device Bound). Request fields: Email: [email protected], Password: ********, ESN: LGTV20165-193456G568]
  • 89. Passport Action: User Login
      [Diagram labels: EDGE, Zuul, ORIGIN, API, MID-TIER SERVICES, Netflix Microservices, auth service, /login, success, (Device Bound), user login (×2). Request fields: Email: [email protected], Password: ********, ESN: LGTV20165-193456G568]
  • 90. Passport Action: User Login
      [Diagram labels: EDGE, Zuul, ORIGIN, API, MID-TIER SERVICES, Netflix Microservices, auth service, Cookie Service, /login, success, Set-Cookie, (Device Bound), user login (×2). Request fields: Email: [email protected], Password: ********, ESN: LGTV20165-193456G568]
  • 91. Passport Action: Profile Switch
  • 92. Passport Action: Profile Switch
      - Each profile has its own identity
  • 93. Passport Action: Profile Switch
      - Each profile has its own identity
      - Switched profile tokens sent back to the device
  • 94. Passport Actions: Separation Of Concerns, Increased Visibility
  • 95. What we did
      - Moved authentication to the edge
      - Streamlined the identity resolution and mutation path
      - Making consumption of user & device identity
        - Efficient, secure & simple
  • 96. Wins
  • 97. Token Agnostic Identity: Downstream systems don't have to worry about authentication concerns
  • 98. Simplified Authorization: Downstream services use authentication level for authorization decisions
  • 99. Simplified Authorization
      Before:
      long customerId = 2123125603L;
      String ESN = "NFXBOX-235F…";
  • 100. Extensible Identity Model: New attributes about user or device can be added
  • 101. Local cache for up to date subscriber data
      message UserInfo {
        BytesValue subscriber_account ...
      }
      Placeholder for local cache of subscriber data
  • 102. Offloaded & Fine Tuned
      Offloaded token processing, which resulted in significant gains for
      - CPU
      - Request Latency
      - GC
      - Cluster Footprint
      We were able to fine-tune EAS systems based on the token processing profile
  • 104. Offloaded & Fine Tuned
      - 30% reduction in CPU cost per request
      - 40% reduction in load average
      [Chart: CPU to RPS ratio for API instance]
  • 105. Offloaded & Fine Tuned
      - 30% reduction in average latency
      - 99th percentile latency dropping by 20%
      [Chart: Response time for API instance]
  • 106. Offloaded & Fine Tuned
      - Significant reduction in GC pressure and GC pause times
      [Chart: Stop the world GC for API cluster]
  • 107. Increased Visibility: Increased visibility into identities flowing in and out of Netflix ecosystem ...and into the identity mutations happening in a request
  • 108. Developer Velocity: Greatly increased developer velocity for authentication related changes
  • 109. Team focused on security: Separation of concerns among the teams
  • 110. Key Takeaways
      - Token agnostic identity model
      - Simplified authorization
      - Extensible identity model
      - Offloaded all the token processing from many systems
      - Fine tuned individual microservices to suit the token processing profile
      - Increased visibility into identities flowing and corresponding mutations
      - Increased developer velocity for authentication & identity related changes
      - Team focused on security
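
The Passport integrity check (slides 66 and 76) and the authentication-level authorization from slide 98, sketched as an added example; it is not code from the talk or from Netflix. HMAC-SHA256, the JSON stand-in for serialized protobuf bytes, the key ring, the per-field label in the MAC input, and the rule that both user and device must meet the required level are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed key ring (assumption): the slides only show that Integrity carries a key_name.
KEYS = {"edge-key-demo": b"constructed-demo-secret-not-a-real-key"}
AUTH_LEVELS = {"LOW": 1, "HIGH": 2, "HIGHEST": 3}  # mirrors enum AuthenticationLevel

def _mac(key_name, label, info):
    # JSON stands in for the protobuf bytes; the label binds each tag to its own field.
    body = json.dumps(info, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[key_name], label.encode() + b"\x00" + body, hashlib.sha256).hexdigest()

def mint_passport(originator, user_info, device_info, key_name="edge-key-demo"):
    """Edge side: build the passport and attach one Integrity record per identity."""
    return {
        "header": {"originator": originator},
        "user_info": user_info,
        "device_info": device_info,
        "user_integrity": {"key_name": key_name, "hmac": _mac(key_name, "user", user_info)},
        "device_integrity": {"key_name": key_name, "hmac": _mac(key_name, "device", device_info)},
    }

def verify_passport(passport):
    """Consumer side: recompute both tags; unknown key names fail closed."""
    for label in ("user", "device"):
        integrity = passport[f"{label}_integrity"]
        if integrity["key_name"] not in KEYS:
            return False
        expected = _mac(integrity["key_name"], label, passport[f"{label}_info"])
        if not hmac.compare_digest(expected, integrity["hmac"]):
            return False
    return True

def authorize(passport, required_level):
    """Allow only if the passport verifies and both identities meet the level."""
    if not verify_passport(passport):
        return False
    need = AUTH_LEVELS[required_level]
    return all(AUTH_LEVELS[passport[f"{k}_info"]["auth_level"]] >= need
               for k in ("user", "device"))

# Constructed sample: cookie-authenticated user on an MSL-authenticated device.
SAMPLE = mint_passport(
    "edge-demo",
    {"source": "COOKIE", "auth_level": "HIGH", "customer_id": 1001},
    {"source": "MSL", "auth_level": "HIGHEST", "esn": "DEMO-ESN-0001"},
)
```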