Authentication
The perfect web app authentication would be close to the end-user, it would be isolated from the rest of the system, it would be implemented and maintained by security professionals, and easy to integrate. Fastly's powerful features allow you to do just that.
Fastly features
Moving authentication to the edge improves performance, and can simplify your application architecture.
We have many features to help securely authenticate users at the edge – from a variety of VCL functions, to the endless possibilities of Compute, where you can use dynamic backends to integrate with your favourite identity provider, and SubtleCrypto to generate and verify digital signatures.
Ideas and typical use cases
Here are some common ways our customers use Fastly for authentication:
- Cookie management: Set, delete, and manipulate cookies at the edge.
- Token management: Issue and decode tokens at the edge, like JSON Web Tokens (JWT).
- Authentication flows: Implement complex end-to-end authentication flows at the edge, including OAuth 2.0.
- User management: Manage users at the edge, including user registration, login, and logout.
- User data: Store user data at the edge, including user profiles, preferences, and session data.
- Passwordless login: Improve the user experience, and reduce the risk of a data breach.
Solutions
The following demos, tutorials, starter kits, and code examples are relevant to this use case. Try them out!
Demos
Sites running on Fastly you can browse. See the principles working for an end user.
| CAPTCHA at the edge | Present the user with a CAPTCHA challenge to verify that they are not a bot, generated, served and verified at the edge. |
| Check for compromised passwords | Perform low-latency checks for leaked passwords, using a highly compressed copy of the HaveIBeenPwned dataset, stored at the edge. |
| Passwordless authentication | Log in to sites and services without having to enter a password – a proof-of-concept Passkeys + WebAuthn implementation for Compute. |
| Private Access Tokens | Implementation of a Private Access Token issuer on Fastly Compute. |
Tutorials
Step by step instructions. Build and learn.
| Decoding JSON Web Tokens (VCL) | The popular JSON Web Token format is a useful way to maintain authentication state and synchronize it between client and server. You are using JWTs as part of your authentication process and you want to decode and validate the tokens at the edge, so that content can be cached efficiently for all authentication states. |
| Decoding JWT (Compute) | The popular JSON Web Token format is a useful way to maintain authentication state and synchronize it between client and server. You are using JWTs as part of your authentication process and you want to decode and validate the tokens at the edge, so that content can be cached efficiently for all authentication states. |
Starter kits
Template Compute applications you can use to bootstrap your project.
| Authenticate at edge with OAuth | Connect to an identity provider such as Auth0 using OAuth 2.0 and validate authentication status at the Edge, to authorize access to your edge or origin hosted applications. |
| OAuth 2.0 implementation for JavaScript | Connect to an identity provider such as Google using OAuth 2.0 and validate authentication status at the Edge, to authorize access to your edge or origin hosted applications. |
Code examples
Snippets of code ready to copy and paste.
| Apply CAPTCHA to high risk requests | Intercept suspicious traffic and display a CAPTCHA challenge. If the user passes, allow the request to go to the origin server. |
| Authenticate JSON Web Tokens at the edge | Decode the popular JWT format to verify user session tokens before forwarding trusted authentication data to your origin. |
| CenturyLink-compatible token validation | Validate your CenturyLink tokens for access to video stream playlists. |
| Detect leaked passwords | Detect requests that contain submitted passwords and use a service to determine whether the password has leaked before allowing the request to proceed to origin (data from haveibeenpwned). |
| Enforce a paywall using an origin API | Use a custom Paywall header to trigger preflight requests to authenticate every article view with a backend paywall service. |
| Send HTTP Basic Auth in request to origin | Convert a password sent by the client in the querystring into a Authorization header to your origin server. |
