
Leaving the State: Sessionless (Stateless) Authentication in D8

DrupalCon Nashville 2018. Presenters: Dr J Daverth, Technical Lead, Whole Foods Market (D.O.: dr-jay; BitBucket: drjdaverth; LinkedIn: drjdaverth), and Adam Weingarten, Senior Technical Architect, Acquia (D.O.: adam.weingarten).


Presentation Transcript


  1. Leaving the State: Sessionless (Stateless) Authentication in D8 DrupalCon Nashville 2018

  2. These Guys: Dr J Daverth, Technical Lead, Whole Foods Market (D.O.: dr-jay; BitBucket: drjdaverth; LinkedIn: drjdaverth). Adam Weingarten, Senior Technical Architect, Acquia (D.O.: adam.weingarten; GitHub: aweingarten; LinkedIn: adam.weingarten).

  3. Brought to you by

  4. What are we going to talk about?
  ● Why scaling authenticated traffic is hard
  ● What sessionless auth is
  ● How you can use it to manage a single login across multiple sites
  ● Working with an external auth provider (Janrain)
  ● PIIaaS! Storing PII as a Service behind an API
  ● Proxying web-service calls: don't do it!
  ● How to delegate an OAuth token

  5. Case Study: International Retail Brand
  • Launched July 2012 on Drupal 7
  • Designed for a much more static world
  • Full page refreshes
  • Not service based

  6. Deep dive into the issues on D7

  7. D8 High-level Goals
  • Technical drivers:
    Support 10% authenticated traffic
    SSO between D7 and D8
    Personalized digital experience
    Mobile / responsive experience

  8. Back to the Basics: Scaling Anonymous Traffic Is Easy
  • You can let the CDN do the lifting: Fastly, Akamai, Cloudflare.
  • Varnish in front of your web servers.
  • Hit your origin once; store the response at Varnish and at the CDN.
  • For anonymous traffic, caching solves all the problems.

  9. What is a Session? "The sequence of interactions between client and server, or between user and system; the period during which a user is logged in or connected." -- Thus spoke Wikipedia

  10. What is a PHP Session?
  • The $_SESSION superglobal
  • Start it with session_start() early in your PHP script.
  • Drupal wraps it and stores the session data across requests in the DB (the sessions table)
  • A cookie value identifies you; the server looks the data up by that value on every request

  11. What does it Look Like?

  12. Why are Sessions a PAIN? Once a session cookie exists, every response for that user comes back like this:

  HTTP/1.1 200 OK
  Age: 0
  Cache-Control: must-revalidate, no-cache, private
  Via: 1.1 varnish-v4
  Connection: keep-alive
  X-Cache: MISS, MISS, MISS
  X-Cache-Hits: 0, 0
  X-Timer: S1508437362.252176,VS0,VE296

  "private, no-cache" means neither Varnish nor the CDN may serve the page from cache (X-Cache: MISS at every layer, zero hits), so every authenticated request goes all the way to the origin and the database.

  13. Under Pressure

  14. Opposition of Forces: The new experience requires personalization. Our infrastructure sucks at personalized data.

  15. Oh, did you forget? We also need to support seamless login between D7 and D8.

  16. Solutions, not problems. After we have crushed your soul, let's build you back up.

  17. Traditional Auth (diagram): the IdP authenticates the user ("yeah, they're cool"); Drupal 8 then gets the session data from MySQL session tables on each request, returns the session data, and returns the personalized data.

  18. Stateless (Sessionless) Auth

  19. From Drupal’s POV

  20. What is in the Magic Encrypted Token?
  • Anything that might otherwise live in a PHP session or the user table
  • API user IDs
  • Session expiration time
  Keep it small (it rides in a cookie on every request), and make it authenticated as well as encrypted: encryption alone hides the claims but does not stop a client from flipping bits in them.

  21. How does this let me do D7 and D8?
  • Assuming the two sites are on the same domain, or on subdomains of it
  • Both sites can read the cookie (set it for the parent domain)
  • With a shared decryption key, both can read the token.
  • I log in on D8, then go to a page hosted on D7, and I am still logged in.

  22. I used to log people out by truncating the session table. Now what??

  23. We can show you how to prevent world domination by zombies
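As an added example (not the presenters' code and not Drupal's own API), the following PHP sketches the token described on the last three slides: claims sealed with authenticated encryption under a key both the D7 and the D8 site hold, a parent-domain cookie so both sites receive it, and a per-user generation counter that replaces "truncate the session table" as the way to kill outstanding logins. It assumes PHP 7.3 or newer (the bundled sodium extension and the array form of setcookie); the cookie name, TTL, domain and the generation store are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);
// Added example, not the presenters' code. Stateless session token shared by
// a D7 and a D8 site on the same parent domain, with a revocation check.
// Assumes PHP 7.3+ (bundled sodium, array form of setcookie). Cookie name,
// TTL, domain and the generation store are hypothetical.

const TOKEN_COOKIE = 'sso_token';
const TOKEN_TTL    = 900;            // seconds; a short lifetime bounds a stolen token

/**
 * Mint a token carrying what the talk lists for the "magic token": the API
 * user id and an expiry, plus a per-user generation counter used for logout.
 * secretbox is authenticated encryption (XSalsa20-Poly1305): a modified token
 * fails to open instead of being parsed with altered claims.
 */
function mint_token(string $key, int $uid, int $generation, int $now): string
{
    $payload = json_encode(['uid' => $uid, 'gen' => $generation, 'iat' => $now, 'exp' => $now + TOKEN_TTL]);
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per token
    $sealed  = sodium_crypto_secretbox($payload, $nonce, $key);
    return sodium_bin2base64($nonce . $sealed, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/**
 * Verify a token and return its claims, or null when it is malformed, forged,
 * expired or revoked. $currentGeneration looks up one integer per uid; bumping
 * that integer invalidates every outstanding token for the user.
 */
function verify_token(string $key, string $token, int $now, callable $currentGeneration): ?array
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                               // not even valid base64
    }
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, $nonceLen), substr($raw, 0, $nonceLen), $key);
    if ($plain === false) {
        return null;                                               // wrong key or tampered: MAC failed
    }
    $claims = json_decode($plain, true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['gen'], $claims['exp'])) {
        return null;
    }
    if ($claims['exp'] <= $now) {
        return null;                                               // expired
    }
    if ($claims['gen'] !== $currentGeneration((int) $claims['uid'])) {
        return null;                                               // user was logged out everywhere
    }
    return $claims;
}

/** Scope the cookie to the parent domain so both www. (D8) and legacy. (D7) receive it. */
function send_token_cookie(string $token, int $now): void
{
    setcookie(TOKEN_COOKIE, $token, [
        'expires'  => $now + TOKEN_TTL,
        'path'     => '/',
        'domain'   => '.example.com',   // hypothetical parent domain
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demo. Both sites load the same 32-byte key from configuration; it is generated
// here only so the example runs stand-alone.
$key         = sodium_crypto_secretbox_keygen();
$generations = [42 => 1];                                          // constructed stand-in for the per-user store
$lookup      = function (int $uid) use (&$generations): int { return $generations[$uid] ?? 0; };
$now         = time();

$token = mint_token($key, 42, $generations[42], $now);
var_dump(verify_token($key, $token, $now, $lookup)['uid']);        // int(42): D7 or D8 accepts it
var_dump(verify_token($key, $token, $now + TOKEN_TTL, $lookup));   // NULL: expired

$tampered     = $token;                                            // flip one character inside the ciphertext
$tampered[40] = ($token[40] === 'A') ? 'B' : 'A';
var_dump(verify_token($key, $tampered, $now, $lookup));            // NULL: MAC check fails

$generations[42]++;                                                // "log out everywhere" without a session table
var_dump(verify_token($key, $token, $now, $lookup));               // NULL: revoked
```

send_token_cookie() is defined but not called in the demo because it must run before any output. Two things follow from the design: whoever holds the shared key can mint a token for any user, so it deserves the same protection as the database credentials and a rotation plan (accept the previous key for one TTL while issuing under the new one); and a stolen token stays valid until it expires or the user's generation is bumped, which is why the TTL is short and why the generation lookup, one integer per user, is the one piece of state kept on the server.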

  24. PIIaaS: Storing Personally Identifiable Information (PII) as a Service (API)

  25. PII as a Service
  • All personalized content on iOS, Android and web comes via the API
  • Drupal is a consumer of the API like anyone else
  • No DB calls, and no PII unnecessarily stored in Drupal
  • Clear separation of concerns.

  26. Lesson Learned: Proxying web-service calls is bad.

  27. Yeah, this is why it's really bad
  • Latency.
  • Each web server has a finite number of concurrent PHP processes.
  • When you make a web-service call from PHP you tie up one of those processes waiting for the response.
  • That caps your transactions per second at roughly processes divided by round-trip latency.

  28. How do we fix it?

  29. The browser can access the API layer directly, without an intermediary. The API then authenticates the browser itself (the delegated OAuth token from the agenda) rather than trusting Drupal, and has to answer CORS preflights if it lives on a different origin.

  30. How scalable?

  31. Very Scalable

  32. Ended up with:
  • A scalable system
  • Separation of concerns: each part of our stack can focus on doing one thing well.

  33. Questions?

  34. Thank you!
