Presentation: User & Device Identity for Microservices @ Netflix Scale

I'm on the product Product Edge Access Systems team at Netflix . It is part of the Product Edge Systems org , and we typically work with the edge layer that is directly facing the Netflix devices.  Our team builds and operates services that are related to authentication and authentication tokens. I have been with Netflix for more than eight years, and I'm currently involved in a few projects. To give you an example, one of the projects is related to my talk. We have these multiple authentication tokens and we have taken up this project to terminate those tokens at the Edge and building services that support the life cycle for those tokens and everything related to that. I am at the last leg for that termination work which deals with legacy old devices, which are still used by Netflix customer and we have to continue to support those. Another project that I am involved in is related to building a system for Netflix devices to get the device context data at runtime.

Yes. That's what I'm gonna talk about. I'll go into the details of what that is and what services were created to manage the lifecycle of these tokens and why it was necessary to do that. There are these standard tokens which are used across the industry. There are these JWT tokens that are cookies in your browser on your devices as well. We also have something called MSL, Message Security Layer. It's a secure protocol that is homegrown within Netflix, which does provide encryption and device authentication and is used for playback and license requests as a more secure transport. Netflix has a business requirement to authenticate the clients/devices as well  apart from users. That's where this protocol comes in and helps with device authentication. We work with partners to integrate this protocol into their property. We have MSL tokens coming in. We have JWT, we have some non member use cases wherein we integrate with them, and you just start the TV you can browse through titles even without opening or starting the Netflix app. We are calling it as a non-member partner. We have tokens related to that, and then we have the standard cookies. It was a mix of four or five tokens, and we are terminating those tokens at the Edge. In a sentence, it's about moving authentication to the Edge, so that all the services below Edge don't have to worry about it. Back in the days, there were many services which were dealing with these authentication concerns. Figuring out whether this identity came from say, cookies, or from MSL, which was needed for some authorization decisions,  was getting really hairy and error prone, and this architecture is proving to help. In my talk, I'll be showing both - a bunch of architecture diagrams and some code snippets.

It is for both. I can also see technical engineering managers benefiting from it. Because what I'll be showing would be the implementation details as well a pattern which if people have these specific needs and they are not using the standard off the shelf token management then they can apply this pattern or this learning from my talk.

There are many companies which have this microservices architecture. I think they will benefit from what we have done and what we have learned from this re-architecture. Because when you usually read the literature about microservices, authentication is not the first chapter. I think people would benefit from learning what we have done as part of this re-architecture.

When we were back in the days, when these tokens were being passed to services, many layers down from Edge, they were all doing processing of these tokens, they were at least parsing them. These tokens are all encrypted. You need some special key privileges to decrypt them. There was this redundant processing which was in place. This was inefficient as well as a security risk. By streamlining authentication and identity into a single rich structure which downstream services could use easily and trust, made it a better, efficient and secure design. Before this re-architecture, if there was an issue or an outage related to identity, then to triage it, we used to involve people from so many teams. Now it's just isolated to our team. One team having to focus on authentication and its concerns helps a lot because other teams just want to use identity, they don't care about getting it.