The document details an overview of Atlassian's managed authentication and isolation model using AWS Lambda, highlighting security enhancements and user experience improvements. It outlines key components such as data management, runtime isolation, and the infrastructure for app development, while ensuring compliance with standards like GDPR. The document also discusses practical implementation scenarios and the benefits of reduced latency and predictable behavior for users.

1. PATRICK STREULE | ARCHITECT | ATLASSIAN | @PSTREULE
Forge: Under the Hood

2. Recap:
Why
Managed
Auth
Isolation
Model
AWS
Lambda
Agenda
Looking
Ahead

3. TODAY: CONNECT
Atlassian Infrastructure App Infrastructure
☁ Internet
App

4. TODAY: CONNECT
Atlassian Infrastructure App Infrastructure
HTTP/Routes
JWTAuth
BusinessLogic
☁ Internet
Data
Data storage
policiesEgress rules
Variable latency

5. PAAS
Atlassian Infrastructure App Infrastructure
HTTP/Routes
JWTAuth
BusinessLogic
Data
Data storage
policies
Egress rules
Predictable latency

6. PAAS
Atlassian Infrastructure App Infrastructure
HTTP/Routes
JWTAuth
BusinessLogic
Data

7. FAAS / SERVERLESS
Atlassian Infrastructure App Infrastructure
InvocationService
BusinessLogic
Data

8. Business Logic
Runtime
Other
The secret
sauce
InvocationService

9. Recap:
Why
Managed
Auth
Isolation
Model
AWS
Lambda
Agenda
Looking
Ahead

10. MANAGED AUTH
const watchersResponse = await api
.asUser()
.requestJira(`/rest/api/3/issue/${issue.key}/watchers`);
const watchersResponse = await api
.asApp()
.requestJira(`/rest/api/3/issue/${issue.key}/watchers`);

11. Better security
Long-lived secrets are kept within Atlassian
infrastructure, unaccessible from the outside
Manageable for end users
Users can see and revoke all their grants on the
Atlassian Account profile page.
Easier to use
No need to deal with OAuth2 flows or secure
credential and token storage.
Managed
Auth Goals

12. Better security
Long-lived secrets are kept within Atlassian
infrastructure, unaccessible from the outside
Manageable for end users
Users can see and revoke all their grants on the
Atlassian Account profile page.
Easier to use
No need to deal with OAuth2 flows or secure
credential and token storage.
Managed
Auth Goals

13. Better security
Long-lived secrets are kept within Atlassian
infrastructure, unaccessible from the outside
Manageable for end users
Users can see and revoke all their grants on the
Atlassian Account profile page.
Easier to use
No need to deal with OAuth2 flows or secure
credential and token storage.
Managed
Auth Goals

14. UNDER THE HOOD
const rest = await api
.asUser()
.requestJira(`/rest…`);
Runtime
InvocationService
{
"issue": {
"key": "ATL-2019"
},
"context": {
"cloudId": "1a5dab50-7544-…f310",
"accountId": "12345:3b341d…c546"
}
}
Managed
Auth
{
"tokens": [
{
"accountId": "12345:3b341d…c546",
"token": "<secret>",
"service": "api.atlassian.com"
}
]
}
fetch
GET https://api.atlassian.com
/ex/jira/{cloudId}/rest/api/3/..
Authorization: Bearer {token}

15. PROMPT CONSENT FLOW
const rest = await api
.asUser()
.requestJira(`/rest…`);
Runtime
InvocationService
fetch
Auth Error
<ThreeLOPrompt
authUrl={authInfo.url}
message="..."
promptText="Authorize"
/>
AUTHORIZE
Authorization UI

16. CONSENT FLOW (OAUTH2)
Frontend/PopupWindow
Managed
Auth
Start
Authorize URL
Authorization Token
Authorization Token
Consent Screen
auth.atlassian.com
Accept
Login
Authorization Token
Refresh & Access Token

17. AFTER CONSENT FLOW
const rest = await api
.asUser()
.requestJira(`/rest…`);
Runtime
InvocationService
{
"issue": {
"key": "ATL-2019"
},
"context": {
"cloudId": "1a5dab50-7544-…f310",
"accountId": "12345:3b341d…c546"
}
}
Managed
Auth
{
"tokens": [
{
"accountId": "12345:3b341d…c546",
"token": "<access token>",
"service": "api.atlassian.com"
}
]
}
fetch
GET https://api.atlassian.com
/ex/jira/{cloudId}/rest/api/3/..
Authorization: Bearer {token}

18. const rest = await api
.asUser()
.requestJira(`/rest…`);
Runtime

19. Recap:
Why
Managed
Auth
Isolation
Model
AWS
Lambda
Agenda
Looking
Ahead

20. WITHOUT REQUEST ISOLATION
Time
{
"issue": {
"summary":"Unveil X"
}
}
"Unveil X"
let content = '';
export function demo(event) {
if (!content) { content = event.issue.summary; }
return content;
}
{
"issue": {
“summary":"Bug in Y"
}
}
"Unveil X"
{
"issue": {
"summary":"As a dev"
}
}
"Unveil X"
🤭😬😳

21. CODE BREAKOUTS
const rest = await api
.asRequestUser()
.fetch(`/rest/api/…`);

22. RUNNING THIRD-PARTY CODE SECURELY

23. REUSING BROWSER TECHNOLOGY
NodeJS: V8
const rest = await api
.asUser()
.requestJira(`/rest…`);
Fetch implementation
Isolates
The technology behind
iframes in Chrome
No shared resources
Marshalling of data across
isolate boundaries

24. LIKE CONNECT’S AC-JS
AP.request('/rest/api/…', {
success: (resp) => {
}
});
AP host implementation
iframe
“postMessage”
Bridge
Browser

25. APPLICATION-LEVEL ISOLATION
const doc = await api
.fetch(`https://docs.google.com/document/...`);
const mail = await api
.fetch(`https://mail.google.com/...`);
Fetch
manifest.yml
https://docs.google.com/**
Egress config
URL patterns of hosts
that may be contacted

26. APPLICATION-LEVEL ISOLATION
import * as fs from 'fs';
const users = fs.readFileSync('/etc/passwd');
FileSystem
it api
://docs.google.com/document/...`);
ait api
://mail.google.com/...`);
manifest.yml
https://docs.google.com/**

27. REQUEST ISOLATION: SNAPSHOTS
Isolate from Code V8
Memory
Snapshot
01
11001
01011
Isolate from
Snapshot
01
11001
01011
X00 ms X ms

28. WITH REQUEST ISOLATION
Time
{
"issue": {
"summary":"Unveil X"
}
}
"Unveil X"
let content = '';
export function demo(event) {
if (!content) { content = event.issue.summary; }
return content;
}
{
"issue": {
“summary":"Bug in Y"
}
}
"Bug in Y"
{
"issue": {
"summary":"As a dev"
}
}
"As a dev"

29. DOWNSIDE: NONSTANDARD ENVIRONMENT
Forge
API
JavaScript
Core
NodeJS
API
Browser
API
api.*
Your
Code

30. Approximate
NodeJS API to
support npm
packages.
Approximate
ServiceWorker
API
CDN: CLOUDFLARE, FLY FORGE

31. Recap:
Why
Managed
Auth
Isolation
Model
AWS
Lambda
Agenda
Looking
Ahead

32. Isolation
again :)

33. AWS LAMBDA: ISOLATION CONT’D
Your Code
Forge Runtime
Sandbox
Guest OS
Hypervisor
Host OS
Hardware
Isolates
cgroups, namespaces, seccomp
Firecracker virtualization
EC2 Bare Metal

34. AWS LAMBDA: MULTIPLE ACCOUNTS
ManagedAuth…
Forge AWS Accounts
ServiceAWSAccounts
Deploy
Deploy
Invoke
Deployment
Service
Invocation
Service
api.atlassian.com Public API Calls
AWS API Calls (assumeRole)

35. Latency

36. AWS LAMBDA: COLD START LATENCY
5-10s 0s
Worker
Local
NAT
ENI
Worker
Local
NAT
ENI
Worker
Remote
NAT
ENI
Worker

37. LATENCY: SINGLE APP DEPLOYMENTS
modules:
function:
- key: main
handler: index.run
- key: other
handler: other.run

38. LATENCY: LAMBDA PER APP
mainother
Invoke
Invoke
vs.
Invoke“main”

39. Recap:
Why
Managed
Auth
Isolation
Model
AWS
Lambda
Agenda
Looking
Ahead

41. Your
App
Your customer
250ms

42. US Realm
EU Realm
Your
App
Your
customer

43. We have devoted significant resources
towards ensuring our cloud products are
built and designed in accordance with
widely accepted standards and
certifications.
https://www.atlassian.com/trust/privacy/gdpr

44. Data storage for apps today
Define Data
Model
Taking multi-tenancy
into account
Implement API
For data retrieval and
modification
Handle
Operations
Backups, Migration,
Capacity planning,
DB upgrades, …
Trust &
Compliance
GDPR, SOC2,
Data Residency,
Encryption@rest

45. Isn’t this solved by Entity
Properties?
Yes, but …

46. ENTITY PROPERTIES ACROSS PRODUCTS
Issue
Project
User
Board
Workflow
Page
Comment
Blog
Space
User
Repository
PR
User
Team
Build

47. D D
D
GENERALIZED MODEL
ORGANIZATION
SITE USER
UGC: Data Retention, Residency and Encryption PD/PII: GDPR
D
D
CONTAINER
OBJECT

48. Data deletion
Data is deleted with when its parent chain is
deleted.
Data encryption
Data is encrypted with the same key as its
parent.
Data movement
Moving to another realm, container or
organization, whenever its parent moves.
Data follows
its parent

49. Data deletion
Data is deleted with when its parent chain is
deleted.
Data encryption
Data is encrypted with the same key as its
parent.
Data movement
Moving to another realm, container or
organization, whenever its parent moves.
Data follows
its parent

50. Data deletion
Data is deleted with when its parent chain is
deleted.
Data encryption
Data is encrypted with the same key as its
parent.
Data movement
Moving to another realm, container or
organization, whenever its parent moves.
Data follows
its parent

51. How could a possible Forge
implementation look like?
HYPOTHETICALLY!

52. DEFINE MODEL
modules:
function:
- key: main
handler: index.run
objectTypes:
- key: Laptop
properties:
model:
type: string
required: true
description: The laptop model
status:
type: enum
enum:
- deployed
- unassigned
- ordered
serialNumber:
type: string
required: true
indexed: true
relations:
assignedTo:
type: User

53. API
const mutation = gql`mutation create($input: CreateLaptopInput!)
createLaptop(input: $input) {
id
}
}`;
const result = await api.objects.request(mutation, {
input: {
model: 'Macbook Pro 2017',
serialNumber: '000-111-222-333',
status: "deployed",
assignedTo: {
connect: "12345:3b341d11-2ac4-4afe-b429-622b035ac546"
}
}
});

54. API
const mutation = gql`mutation create($input: CreateLaptopInput!)
createLaptop(input: $input) {
id
}
}`;
const result = await api.objects.request(mutation, {
input: {
model: 'Macbook Pro 2017',
serialNumber: '000-111-222-333',
status: "deployed",
assignedTo: {
connect: "12345:3b341d11-2ac4-4afe-b429-622b035ac546"
}
}
});D
USER

55. API
query byUser {
user(id: "12345:e5c90516-1fb2-11e9-9fb7-df60171038c6") {
laptop {
nodes {
id
serialNumber,
model
warranty
}
}
}
}
query expiredWarranty {
laptops(where:{warranty:{eq:false}}) {
nodes {
model
serialNumber
warranty
assignedTo {
id
name
}
}
}

56. TO SUMMARIZE
Atlassian Infrastructure
InvocationService
BusinessLogic
Data
Data storage
policies
Egress rules
Predictable latency
Convenience APIs
FAAS
RUNTIME
RUNTIME / ISOLATES

57. Thank you!
PATRICK STREULE | ARCHITECT | ATLASSIAN | @PSTREULE