How Shopify implemented its secure authentication service (opens in new tab)

(engineering.shopify.com)

174 pointsfrankpf6y ago51 comments

51 comments

So is Shopify the biggest fish still on the Ruby stack? Nice article detailing how they did an upgrade to openId connect to allow SSO on multiple shops within a client company.

Nextgrid6y ago

Remember that the hyped-up companies you hear about on HN & other social media aren't the entire world. There are plenty of companies out there that stay quiet and outside of the spotlight and use the language just fine. The same applies for PHP and other languages that are considered (unfairly IMO) "old-school".

eropple6y ago

PHP is rarely considered "old school." It's considered bad. And not without reason given its history of hostility to its own developers and the sysadmins who have to manage it.

I think pretty much everyone has acknowledged that it's improved. Where opinions differ is in how much it has improved and whether that's enough to entertain its use (my answers to which are "not enough" and "not even if you paid me", respectively).

3 more replies

shiv866y ago

I avoided php and its ecosystem like a plague for the longest time. However the who eco-system has evolved including the language e.g. functional paradigm (closures) and syntactic improvement (arrow functions). When you combine this with a modern web framework like php Laravel it is an absolute pleasure to work with, specifically as a monolithic for rapid application development, which is great for MVPs and ensuring you have product market fit. I am not sure how this translates over time to a micros-services. However if you're starting to writing a new application I would definitely recommend php + laravel for rapid application development. I say this relative to my extensive experience with nodejs express/java spring boot.

noodle6y ago

IIRC there are still many large companies using Ruby/Rails still, they've just also diversified their tech stacks (as larger companies tend to do). AFAIK the list includes: GitHub (MS has a few Rails-based acquisitions now), Airbnb, Groupon, Square, Cookpad, Kickstarter, Hulu, etc..

keithwhor6y ago

Pretty sure Stripe is a Ruby shop as well.

4 more replies

itake6y ago

Insiders at Airbnb told me they are (almost) completely off Rails now. They moved their website to the jvm.

2 more replies

ksec6y ago

I believe AirBnB and Groupon are off Rails ( And Ruby ).

So the big one for Rails are Shopify, Github, Cookpad, Gitlab. For Ruby ( Not Rails ) That would be Stripe.

stickfigure6y ago

Funny you mention this. I just today had to implement a painful workaround for Shopify's insanely short timeout on product image uploads. On submitting an image url, you apparently get 4s to complete the whole transfer.

I found hundreds of people complaining about this in the community forums, going back years. If you're dynamically generating images, or on a congested network, 4s is far too short.

Since this is a simple config property, the only justification I can imagine is that they are trying to restrict the amount of time that their (single-threaded, memory-hungry) instances are occupied. Because of Ruby's poor resource management, a core part of their API is barely usable.

I'm pretty disappointed.

uyuioi6y ago

I do a lot of developing with Shopify and it’s a mess. One of the worst development experiences of all time. Because they’re so monolithic focused. The API’s you can use are pretty sluggish and poorly documented.

Rails is just not meant for heavy transactional load. And e-commerce needs async to handle what can be a huge load.

Taobao is java or php and they handle load far greater without fault.

Shopify is much better than Magento though.

1 more reply

uyuioi6y ago

They’re still using a rails setup for their core services. But, this core falls over with him RPM. It’s failed in nearly all flash sales it has had to handle.

Rails is great. But commerce is heavy and I don’t believe Shopify can keep its existing core code base around much longer without a significant change to aid with performance.

Thaxll6y ago

They're moving slow parts to Go.

uyuioi6y ago

Hopefully crystal Lang will make its way into these ruby heavy shops. They’ll get 100x performance without needing to really think in a whole different programming experience.

2 more replies

pm906y ago

It’s not mentioned but I’m assuming that they built their own OIDC/OAuth backend and not use existing ones (eg okta, Auth0 etc).

It would be interesting to know the details of how they’re doing authorization. It appears that it’s all or nothing but I might be mistaken.

YawningAngel6y ago

Running an OAuth2 server isn't tremendously involved. There are good open-source projects like https://github.com/ory/hydra that are pretty easy to configure.

inferiorhuman6y ago

Oh god, at megacorp we implemented our own OAuth2 stack. Much sadness ensued.

1 more reply

meagar6y ago

Hey, I worked on this project for ~2 years, though I'm no longer with Shopify.

We started with Doorkeeper and gradually switched to building our own OAuth2/OIDC implementation over time, partially using glued together lower-level libraries like https://github.com/nov/openid_connect

Edit: I forgot, I even have a few small commits to that last project from my time at Shopify: https://github.com/nov/openid_connect/commits?author=meagar

riffraff6y ago

So, did you have issues with doorkeeper that forced you to switch? Or was it just not fit for the problem you were trying to solve?

I've used it a bit in the past and it worked fine, but I didn't really push it.

delidumrul6y ago

Well design of one-to-one relationship between users and shops. Then, they solve the problem that approach has brought. Nothing particular at the article.

j / k navigate · click thread line to collapse

51 comments

ivankolev6y ago

So is Shopify the biggest fish still on the Ruby stack? Nice article detailing how they did an upgrade to openId connect to allow SSO on multiple shops within a client company.

Nextgrid6y ago

eropple6y ago

PHP is rarely considered "old school." It's considered bad. And not without reason given its history of hostility to its own developers and the sysadmins who have to manage it.

3 more replies

shiv866y ago

noodle6y ago

keithwhor6y ago

Pretty sure Stripe is a Ruby shop as well.

4 more replies

itake6y ago

Insiders at Airbnb told me they are (almost) completely off Rails now. They moved their website to the jvm.

2 more replies

ksec6y ago

I believe AirBnB and Groupon are off Rails ( And Ruby ).

So the big one for Rails are Shopify, Github, Cookpad, Gitlab. For Ruby ( Not Rails ) That would be Stripe.

stickfigure6y ago

I found hundreds of people complaining about this in the community forums, going back years. If you're dynamically generating images, or on a congested network, 4s is far too short.

I'm pretty disappointed.

uyuioi6y ago

Rails is just not meant for heavy transactional load. And e-commerce needs async to handle what can be a huge load.

Taobao is java or php and they handle load far greater without fault.

Shopify is much better than Magento though.

1 more reply

uyuioi6y ago

They’re still using a rails setup for their core services. But, this core falls over with him RPM. It’s failed in nearly all flash sales it has had to handle.

Rails is great. But commerce is heavy and I don’t believe Shopify can keep its existing core code base around much longer without a significant change to aid with performance.

Thaxll6y ago

They're moving slow parts to Go.

uyuioi6y ago

Hopefully crystal Lang will make its way into these ruby heavy shops. They’ll get 100x performance without needing to really think in a whole different programming experience.

2 more replies

pm906y ago

It’s not mentioned but I’m assuming that they built their own OIDC/OAuth backend and not use existing ones (eg okta, Auth0 etc).

It would be interesting to know the details of how they’re doing authorization. It appears that it’s all or nothing but I might be mistaken.

YawningAngel6y ago

Running an OAuth2 server isn't tremendously involved. There are good open-source projects like https://github.com/ory/hydra that are pretty easy to configure.

inferiorhuman6y ago

Oh god, at megacorp we implemented our own OAuth2 stack. Much sadness ensued.

1 more reply

meagar6y ago

Hey, I worked on this project for ~2 years, though I'm no longer with Shopify.

Edit: I forgot, I even have a few small commits to that last project from my time at Shopify: https://github.com/nov/openid_connect/commits?author=meagar

riffraff6y ago

So, did you have issues with doorkeeper that forced you to switch? Or was it just not fit for the problem you were trying to solve?

I've used it a bit in the past and it worked fine, but I didn't really push it.

delidumrul6y ago

Well design of one-to-one relationship between users and shops. Then, they solve the problem that approach has brought. Nothing particular at the article.

j / k navigate · click thread line to collapse