Presentation: User & Device Identity for Microservices @ Netflix Scale

Track: Microservices Patterns & Practices

Location: Ballroom A

Duration: 11:50am - 12:40pm

Day of week:

Slides: Download Slides

This presentation is now available to view on InfoQ.com

Watch video with transcript

What You’ll Learn

  1. Hear about Netflix’ re-architecture effort to move authentication to the Edge.
  2. Learn some of the lessons to be drawn from this process, both from architectural diagrams and code.

Abstract

Millions of members across the world access Netflix on their devices to stream movies and tv shows. Once these users login to the Netflix app, their identity and the identity of their device needs to be securely propagated to hundreds of microservices within the Netflix ecosystem. This combined identity is leveraged across the entire stack of microservices to make appropriate authorization and business decisions.  At Netflix scale, this means hundreds of millions of devices, for every request to Netflix services, send this identity in the form of one of the multiple types of authentication tokens that we support. This presented the challenge that each microservice had to know about the various types of tokens (say, Cookies vs JWT). Also, the extraction of the identity information from these tokens was inefficient at scale and error prone, causing hard-to-debug issues related to identity. Building a solution to enable a token agnostic identity model at the edge, that was both secure and efficient was a key aspect of this architecture.

This talk will provide useful insights on how we implemented a secure, token-agnostic, identity solution that works with services operating at a massive scale. Come learn how this solution helped hundreds of middle-tier services to not worry about the types of tokens and authentication concerns, and consume the user and device identity with high confidence.

Question: 

Please tell us a little bit about you.

Answer: 

I'm on the product Product Edge Access Systems team at Netflix . It is part of the Product Edge Systems org , and we typically work with the edge layer that is directly facing the Netflix devices.  Our team builds and operates services that are related to authentication and authentication tokens. I have been with Netflix for more than eight years, and I'm currently involved in a few projects. To give you an example, one of the projects is related to my talk. We have these multiple authentication tokens and we have taken up this project to terminate those tokens at the Edge and building services that support the life cycle for those tokens and everything related to that. I am at the last leg for that termination work which deals with legacy old devices, which are still used by Netflix customer and we have to continue to support those. Another project that I am involved in is related to building a system for Netflix devices to get the device context data at runtime.

Question: 

Are you going to talk about terminating these different tokens at the Edge?

Answer: 

Yes. That's what I'm gonna talk about. I'll go into the details of what that is and what services were created to manage the lifecycle of these tokens and why it was necessary to do that. There are these standard tokens which are used across the industry. There are these JWT tokens that are cookies in your browser on your devices as well. We also have something called MSL, Message Security Layer. It's a secure protocol that is homegrown within Netflix, which does provide encryption and device authentication and is used for playback and license requests as a more secure transport. Netflix has a business requirement to authenticate the clients/devices as well  apart from users. That's where this protocol comes in and helps with device authentication. We work with partners to integrate this protocol into their property. We have MSL tokens coming in. We have JWT, we have some non member use cases wherein we integrate with them, and you just start the TV you can browse through titles even without opening or starting the Netflix app. We are calling it as a non-member partner. We have tokens related to that, and then we have the standard cookies. It was a mix of four or five tokens, and we are terminating those tokens at the Edge. In a sentence, it's about moving authentication to the Edge, so that all the services below Edge don't have to worry about it. Back in the days, there were many services which were dealing with these authentication concerns. Figuring out whether this identity came from say, cookies, or from MSL, which was needed for some authorization decisions,  was getting really hairy and error prone, and this architecture is proving to help. In my talk, I'll be showing both - a bunch of architecture diagrams and some code snippets.

Question: 

Who is this for? Senior developer? Architect?

Answer: 

It is for both. I can also see technical engineering managers benefiting from it. Because what I'll be showing would be the implementation details as well a pattern which if people have these specific needs and they are not using the standard off the shelf token management then they can apply this pattern or this learning from my talk.

Question: 

What do you want them to leave your talk with?

Answer: 

There are many companies which have this microservices architecture. I think they will benefit from what we have done and what we have learned from this re-architecture. Because when you usually read the literature about microservices, authentication is not the first chapter. I think people would benefit from learning what we have done as part of this re-architecture.

Question: 

Can you give me an example of one of the principles that you'll talk about?

Answer: 

When we were back in the days, when these tokens were being passed to services, many layers down from Edge, they were all doing processing of these tokens, they were at least parsing them. These tokens are all encrypted. You need some special key privileges to decrypt them. There was this redundant processing which was in place. This was inefficient as well as a security risk. By streamlining authentication and identity into a single rich structure which downstream services could use easily and trust, made it a better, efficient and secure design. Before this re-architecture, if there was an issue or an outage related to identity, then to triage it, we used to involve people from so many teams. Now it's just isolated to our team. One team having to focus on authentication and its concerns helps a lot because other teams just want to use identity, they don't care about getting it.

Speaker: Satyajit Thadeshwar

Senior Software Engineer in Product Edge Access Services Team @Netflix

Satyajit Thadeshwar is an engineer on the Product Edge Access Services team at Netflix, where he works on some of the most critical services focusing on user and device authentication. He has more than a decade of experience building fault-tolerant and highly scalable, distributed systems.

Find Satyajit Thadeshwar at

Similar Talks

Evolution of Edge @Netflix

Qcon

Engineering Leader @Netflix

Vasily Vlasov

Mistakes and Discoveries While Cultivating Ownership

Qcon

Engineering Manager @Netflix in Cloud Infrastructure

Aaron Blohowiak

Monitoring and Tracing @Netflix Streaming Data Infrastructure

Qcon

Architect & Engineer in Real Time Data Infrastructure Team @Netflix

Allen Wang

Future of Data Engineering

Qcon

Distinguished Engineer @WePay

Chris Riccomini

Coding without Complexity

Qcon

CEO/Cofounder @darklang

Ellen Chisa

Holistic EdTech & Diversity

Qcon

Holistic Tech Coach @unlockacademy

Antoine Patton