Edge Authentication and Token-Agnostic Identity Propagation

Netflix Technology Blog
16 min readintermediate
--
View Original

Overview

The article discusses Netflix's approach to simplifying edge authentication and identity propagation using a token-agnostic identity model. It highlights the challenges faced with multiple protocols and tokens, and how the introduction of Edge Authentication Services (EAS) has streamlined the authentication process for over 200 million users.

What You'll Learn

1

How to implement Edge Authentication Services for user and device identity management

2

Why a token-agnostic identity model improves security and reduces complexity

3

How to utilize Passports for consistent identity propagation across services

Prerequisites & Requirements

  • Understanding of authentication protocols and identity management concepts
  • Familiarity with distributed systems and microservices architecture(optional)

Key Questions Answered

How does Netflix handle user authentication at scale?
Netflix manages user authentication by moving the process to the edge of the network, utilizing Edge Authentication Services (EAS) to handle token management and identity propagation. This approach simplifies the authentication flow for over 200 million users and improves security by centralizing token processing.
What is the Passport structure and its benefits?
The Passport is a token-agnostic identity structure used by Netflix to propagate user and device identity information. It is integrity protected and allows for consistent identity management across services, reducing complexity and improving security.
What performance improvements were observed after implementing Edge Authentication?
After implementing Edge Authentication Services, Netflix observed a 30% reduction in CPU cost per request and a 30% reduction in average latency for API calls. This optimization significantly improved the overall performance of their authentication system.
What challenges did Netflix face with multiple authentication tokens?
Netflix struggled with the complexity of managing various authentication tokens and protocols across thousands of device types. This led to inefficiencies and potential security risks, prompting the need for a unified identity model.

Key Statistics & Figures

Reduction in CPU cost per request
30%
This improvement was achieved by offloading token processing to Edge Authentication Services.
Reduction in average API latency
30%
This was noted after the implementation of Edge Authentication Services, enhancing user experience.
Requests handled per second
2.5 million
This volume includes a significant percentage requiring authentication.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Backend
Zuul
Used as the cloud gateway for token inspection and payload encryption/decryption.
Protocol
Msl
A security protocol that was previously used for token management before transitioning to the Edge.
Data Serialization
Protocol Buffers
Used to define the Passport structure for identity data.

Key Actionable Insights

1
Implementing Edge Authentication Services can centralize token management, reducing the burden on individual services.
By moving authentication to the edge, services can focus on their core functionality without needing to handle complex security protocols, leading to improved developer efficiency.
2
Utilizing a token-agnostic identity model like Passport can enhance security and simplify identity propagation.
This model allows for consistent handling of identity data across services, making it easier to manage user and device identities securely.
3
Monitoring the performance metrics post-implementation is crucial to ensure the effectiveness of the new authentication system.
Regularly reviewing CPU usage and response times can help identify areas for further optimization and ensure the system scales effectively with user demand.

Common Pitfalls

1
Failing to centralize token management can lead to inconsistent identity data across services.
Without a unified approach, different services may handle tokens differently, leading to potential security vulnerabilities and increased complexity.
2
Overlooking the need for integrity protection in identity structures can expose the system to attacks.
If identity data is not adequately protected, it can be manipulated, leading to unauthorized access and security breaches.

Related Concepts

Identity Management In Distributed Systems
Token-based Authentication Mechanisms
Microservices Architecture And Security