Strongest possible agree. https://twitter.com/ELagergren/status/945717130099437568 …
We're using stateless auth in a system with tight SLAs and hundreds of millions of users. Fetching the state from some database would break the latency budget.
-
I’m not so much doubting you as observing that it’s likely that bigger places than yours have scaled serverside stateful auth (given latency budget).
-
We're one of the biggest AWS customers; the list of bigger places than us is very short. I maintain that managing latency is a reasonable tradeoff for stateless authentication. We're working on making most of the services stateless, well beyond just authentication aspects.
-
I think I’d just say “stateless auth is not a good place to start at”.
-
You might be right about that. It might be a place you end at, though, and there might be reasons. Heck, we're running a dozen different services, each run by a different team. Loose coupling between AAA and the service is a good enough reason in itself.
-
Inter-service stateless auth makes a lot of sense to me! It’s the value of pushing that design out to the client where I start to dislike it.
-
… it helps that inter-service stateless auth is also _much easier_ than clientside stateless auth.
-
And I'm *so glad* I only have to audit auth flow for one team (including password recovery and all the pitfalls), instead of all of them!