Central Authentication System

How Jumia unified authentication of over 120 websites

Central Authentication System

How Jumia unified authentication of over 120 websites

1. Motivation2. Challenges3. Solution4. Results

1. Motivation

“One account, all of Jumia”

Why creating Jumia CAS ?“One ring to rule them all”

➔ Promoting Jumia digital services under a single brand exp.➔ Reducing account creation friction ➔ Eliminating basic profile repetition across services➔ Providing meaningful opportunities to our customers and

merchants across the group

1. Motivation2. Challenges3. Solution4. Results

2. Challenges

“If life gives you lemons, make lemonade”

Non-functional requirements“Round up the usual suspects!”

➔ Security (privacy, disaster recovery)➔ Performance (server time impact should be minimal)➔ Availability (99.999% uptime minimum)➔ Scalability (supporting the whole jumia ecosystem)➔ Simple design (well… simple is smart)➔ Low maintenance (setup, monitor and forget)➔ Cost effective (kill waste, don’t dedicate a team)➔ [...]

...easier said than done

1. Motivation2. Challenges3. Solution4. Results

Functional requirements“7 red lines, of which 2 with green ink, all perpendicular.”

➔ Customer/merchant PoV◆ Single login credentials across all Jumia services◆ Not having to repeat basic profile details across services◆ Seamless transition

➔ Second-party developers PoV◆ Low integration effort◆ Graceful degradation◆ User impersonation (Super User)◆ Social networks compatibility

1. Motivation2. Challenges3. Solution4. Results

Other challenges“[...] and draw some of the red lines with invisible ink”

➔ 9 different platforms◆ ≠ architectures◆ ≠ password hashing algorithms◆ ≠ basic customer profile requirements

➔ Existing user base◆ Some overlap between services => merge accounts◆ Customers using different passwords on different systems

➔ Vendor specific limitations/functionalities➔ Syncing logic and race conditions

1. Motivation2. Challenges3. Solution4. Results

3. Solution

“Three engineers walk into a bar. An Infosec, a Devops and a DBA...” *

*There’s also a CTO and an HoDev involved but it screws up the punch line.

Architecture choice“You take the blue pill the story ends [...] You take the red pill you stay in wonderland”

➔ We had two options◆ Stay in our comfort zone: bare metal, EC2, containers◆ Try something new in production: Serverless architecture

➔ Red pill SWOT analysis:

1. Motivation2. Challenges3. Solution4. Results

Strengths. Low maintenance overhead. No waste of resources. Most non functional reqs are delegated to some extent. Simplicity

Weaknesses . No prior experience on serverless. Fairly new paradigm, low community support

Opportunities. Learning/implementing something new and exciting. close to plug&play with other services for extended functionality

Threats. Vendor lock-in. Eventual price structure changes

High level architecture“A bird’s view”

1. Motivation2. Challenges3. Solution4. Results

Main security features“None shall pass.”*

➔ API◆ Only SSL/TLS connections are allowed◆ Each Jumia service/country instance has its own API key◆ API Gateway doesn’t support whitelisting but has built-in

security features such as● standard and burst rate limiting per API method● DDoS protection

◆ As an extra layer of protection each request implements JSON Web Tokens

➔ Data at rest◆ No client profile details are stored in plain text, it's all

encrypted in AES256◆ Email, phone and password are hashed◆ The only data stored that is not transformed is the UUID

1. Motivation2. Challenges3. Solution4. Results

Other features“What’s in the box?”

➔ Multi region replication◆ All dynamoDB data is replicated to another AWS region◆ Encrypted data still readable (more on that later)◆ Allowing hot backups and fast disaster recovery (within

minutes)◆ Designed to eventually allow master-master replication,

thus load-balanced read/write for enhanced scalability, availability and “automatic” disaster recovery

➔ Graceful degradation◆ If CAS is down or unreachable, local systems will queue

changes and sync them later.◆ For logins, worst case scenario, a password reset is issued

and new password queued

1. Motivation2. Challenges3. Solution4. Results

Multiregion availability + encryption“The force is strong with this one”

1. Motivation2. Challenges3. Solution4. Results

4. Results

“Show me the money”

Performance so far“So far so good”

➔ In production since April 21st 2016➔ No downtime➔ Zero maintenance interventions ➔ Adding improvements and correcting minor bugs is fast and simple➔ Impact on server side performance

◆ On cold start, CAS added 150ms to the previous server time◆ As the system warms up and more ventures are added, server

time converges towards the original values◆ On peaks, the systems scales well since times are further

reduced

1. Motivation2. Challenges3. Solution4. Results

1. Motivation2. Challenges3. Solution4. Results5. Next steps

1. Motivation2. Challenges3. Solution4. Results5. Next steps

1. Motivation2. Challenges3. Solution4. Results5. Next steps

1. Motivation2. Challenges3. Solution4. Results5. Next steps

As of 19-09-2016

How much does it costs?Dev.+Stag.+Prod.

1. Motivation2. Challenges3. Solution4. Results

Thanks to“And the Oscar goes to...”

Jumia CAS Team

Daniel L. - Infrastructure, Security

Tiago S. - Data layer, infrastructure and merging logic

João F. - API design, integration logic

Marcelo A. - API and lambda logic

Sergey D. - lambda logic

1. Motivation2. Challenges3. Solution4. Results