Our road to Single Sign-On, DocPlanner

OUR ROAD TO SINGLE SIGN-ON
Maciej Szkamruk (@ex3v)
• backend dev@activation team
• joined DP ~1.5 years ago
• huge fan of cooking, cheap memes 
and code that really helps people
Tomasz Wojcik (@prgTW)
• backend dev@CRM team
• been with DP since dinosaurs
• worships Grumpy Cat, morning coffee 
and code reviews in the middle of the night
WHO ARE WE?

We are
We help people find doctors online
WHO ARE WE?

A BIT OF HISTORY

HOW IT ALL STARTED | HISTORY
• branched off from GoldenLine
• founded to share opinions about doctors
• ads were the only source of income
• about 5 people onboard

CALENDAR - MVP THAT GOT SERIOUS | HISTORY
• first step: mockups only
• visitors were curious about it… therefore MVP
• first deals with doctors
• 2k visits booked during 1st quarter

~4 years ago
BEFORE VS. NOW | HISTORY
2k visits booked during 1st quarter

~4 years ago
2k visits booked every few hours!
today
BEFORE VS. NOW | HISTORY
2k visits booked during 1st quarter

Poland
FIRST MARKET | HISTORY

Poland
Colombia
Spain
HungaryPeru Argentina
Brazil
Czech Republic
Germany
Sweden
Ukraine
Austria
Bulgaria
France
India
Italy
Portugal
South Africa
CURRENT MARKETS | HISTORY
Chile
Turkey
Mexico
Russia
Slovakia

• over 100GB of production data
• 17M requests and 100GB of logs every day
• ~2.7M SLOC & 10k new SLOCs every week
• about 30 folks in IT & Product
LET’S TALK NUMBERS | HISTORY

LET’S TALK MONEY | HISTORY
• every startup needs money to grow
• few financing rounds, $34M raised
• $20M raised in last (series C) round

LET’S TALK MONEY | HISTORY

+
DOCTORALIA MERGE | HISTORY

+
• relational
• PHP
• monolith
• mostly non-relational
• C#
• splitted into few apps
DOCTORALIA MERGE | HISTORY

OK, BUT WHERE’S SSO IN IT?

FROM MONOLITH TO MICROSERVICES | SSO
The Ugly
Monolith

• DocPlanner is getting slower
• ~2.7M lines of code
• we want coherence between 
DocPlanner and Doctoralia

CRM OpinionsAdmin tools
Search ProfileModeration
Calendar IntegrationsAPI
Questions & Answers Mobile

Authorization
CRM
Questions & Answers
OpinionsAdmin tools
Mobile

Authorization
Authentication
CRM
Questions & Answers
OpinionsAdmin tools
Mobile

Authorization
Authentication (Form, FB, VK, LDAP, GApps)
CRM
Questions & Answers
OpinionsAdmin tools
Mobile

Authentication
Is it really me?
Authorization
Am I allowed (authorized) to do that?
AUTHENTICATION VS. AUTHORIZATION | SSO

Calendar
Integrations
Authorization
Authentication
Q & A
Authorization
Authentication
Search
Profile
Authorization
Authentication
CRM
Authorization
Authentication
Opinions
Moderation
Authorization
Authentication
Admin tools
Authorization
Authentication

Calendar
Integrations
Authorization
LDAP
Q & A
Authorization
Form, FB, VK
Search
Profile
Authorization
Form, FB, VK
CRM
Authorization
LDAP, GApps
Opinions
Moderation
Authorization
Form, FB, VK
Admin tools
Authorization
LDAP, GApps

Search
Profile
Authorization
CRM
Authorization
Calendar
Integrations
Authorization
Opinions
Moderation
Authorization
Q & A
Authorization
Admin tools
Authorization
Authentication
Form, FB, VK
LDAP
GApps

A single place of login into multiple applications
(that are compatible with this Single Sign-On)
WHAT IS A SINGLE SIGN-ON | SSO

SRP
Single Responsibility Principle

SRP
Single
Responsibility
Principle
1. SSO is the only place  
that authenticates clients  
and users
2. Other apps and microservices  
shouldn’t care about 
authentication

⧖
Multiple login
methods
SSO Auth
Domain apps
or microservices

MUCH
LOGIN
METHODS
WOW

HOW TO ACHIEVE THE GOAL
(CHALLENGE WEEK)

• product folks wants sth to be done
• we (devs) want sth to be done
• tech requirements
• tech debt
REASONS FOR NEW FEATURES | CHALLENGE WEEK

THE CONCEPT | CHALLENGE WEEK
• find something you want to do
• find a companion
• one week for planning
• one week for coding
• summary day
SSO
Me & Tomek
checked
MVP

IMPLEMENTATION
(FORDEC PROCEDURE)

FACTS | FORDEC PROCEDURE
• serious plans for building microservices
• authentication layer needs to be decoupled from monolith
• authentication must work in SPA’s
• authentication must work in API’s
• ability to login via 3rd parties (Facebook, LDAP, GApps etc.)
• keeping user data in-house is preferred
• 1-week time limit

OPTIONS | FORDEC PROCEDURE
• share session
• buy SaaS
• install SaaS in-house
• build custom microservice

RISKS & BENEFITS | FORDEC PROCEDURE
PROPRIETARY SOLUTIONSAAS / INSTALLED SAAS
• certain amount of job already done
• learning curve
• possible limitations
• latency
• possible cost-inefficiency
• end-of-life problems (f.ex. xpect.io)
• known technologies
• full control over data
• build from scratch
• security benefits
• maintenance time

DECIDE | FORDEC PROCEDURE
We decided to build our own solution after all
(there’s always a way to switch to SaaS if needed)

MICROSERVICE SSO 3RD PARTYCLIENT
EXECUTE | FORDEC PROCEDURE

LOGIN FLOW | EXECUTE | FORDEC PROCEDURE
1
requests auth
7
returns user information
6
validates SSO token
2
requests OAuth token
3
returns OAuth token
5
requests resource w/ token
8
returns resource
4
SSO token / redirect

“REMEMBER ME” FLOW | EXECUTE | FORDEC PROCEDURE
4
requests resource w/ token
3
SSO token / redirect
automatically logs user in
2
7
returns user information
6
validates SSO token
8
returns resource
1
requests auth

LOGOUT FLOW | EXECUTE | FORDEC PROCEDURE
4
requests resource w/o token
3
204 no content / redirect
revokes access token(s)
2
6
returns no user information
5
validates SSO token
1
requests logout
7
403 unauthorised

We could use JWT
JWT | EXECUTE | FORDEC PROCEDURE

header
{
"alg": "HS256",
"typ": "JWT"
}
payload
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
verify
signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
ENCODEDDECODED
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV
CJ9.eyJzdWIiOiIxMjM0NTY3ODkwIi
wibmFtZSI6IkpvaG4gRG9lIiwiYWRta
W4iOnRydWV9.TJVA95OrM7E2cBab3
0RMHrHDcEfxjoYZgeFONFh7HgQ
JWT STRUCTURE | EXECUTE | FORDEC PROCEDURE

CONSPROS
• no additional requests
• SPA friendly
• easy interchangeable w/ access token
• reuses “Authorization: Bearer [token]” header
• unaware of changes
• valid forever
• cannot be invalidated
JWT PROS & CONS | EXECUTE | FORDEC PROCEDURE

EXAMPLE STACK | EXECUTE | FORDEC PROCEDURE
• Symfony 3
• FOSOAuthServer - for integrating microservices with SSO
• HWIOAuthBundle - for integrating SSO with 3rd parties
• NelmioCorsBundle - for allowing SPA’s to communicate with SSO

HOW TO DEPLOY IT?

DEPLOYMENT STRATEGY | EXECUTE | FORDEC PROCEDURE

in-house tests
few smaller markets
big market
everywhere
DEPLOYMENT STRATEGY | EXECUTE | FORDEC PROCEDURE
feedback
feedback
feedback
adjustments
adjustments
adjustments

GATEKEEPER | EXECUTE | FORDEC PROCEDURE
GateKeeper

• manages every state of a feature
• disabled
• enabled in-house
• enabled everywhere
• separated by locale
• state switch takes seconds
• syncs with app caches

GATEKEEPER - HOW TO USE IT? | EXECUTE | FORDEC PROCEDURE

• Available on GitHub (ZnanyLekarz/GateKeeper)
• lightweight and cached
• integrated w/ Symfony

BENEFITS

USER EXPERIENCE | BENEFITS
• entry point for Doctoralia
• consistent flow
• process transparency
• single-click login is a time saver
• login to every microservice via 3rd parties
• users and employees happier

SECURITY | BENEFITS
• only 1 place where users are prompted for their passwords
• microservices are unaware of users’ credentials
• a place to manage users’ accounts and login sessions
• ability to logout from many services at once
• easy user/application banning

DEVELOPER EXPERIENCE | BENEFITS
• fun and satisfaction :)
• separated codebase
• easy to connect new microservices

REMEMBER
Sometimes a week is all it takes!

THANK YOU!
docplanner.com/career
Join us!

Our road to Single Sign-On, DocPlanner

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Our road to Single Sign-On, DocPlanner

Similar to Our road to Single Sign-On, DocPlanner (20)

Recently uploaded

Recently uploaded (20)

Our road to Single Sign-On, DocPlanner