Login Page, The Tip of the Iceberg 🧊

Christopher Myhill
Just Eat Takeaway-tech

The login page may represent a small part of the ordering process, but really it’s just the tip of the iceberg. Underneath the login page, the Identity and Protection team have built infrastructure to ensure our customers can fulfill their food moments in a safe and secure way. Let’s take a deeper look.

With its two input boxes, most customers and software engineers dismiss the login page as the smallest part of most systems. In some ways they are right, but without a working login page and associated authentication processes it becomes very difficult for our customers to order their food.

Identity

As we go below the surface of the login page, the first thing we come to is identity. The username and password combination proves who the customer is: the username is the way we find the customer’s identity, and the password is their secret to prove they can access that identity. Identity is a key part of authentication, because every service that collaborates in the completion of the food order needs to know who it is completing the order for.

We have created an infrastructure to ensure a customer never needs to think about their identity; the Identity and Protection team have done it for them. We are the custodians of the customer’s identity, ensuring it is used securely and limited to only necessary information, but available to every collaborating system, enabling them to build their own projections around it.

OpenID Connect

Diving deeper still, we get to the glue which brings it all together: authentication. Authentication is a combination of a customer proving who they are and granting permission for services to work on their behalf. It also covers each service that is granted permission to work on behalf of the user gaining its own authentication, to prove it can collaborate in the order process.

To achieve interaction between customer and service we use the OpenID Connect protocol. OpenID Connect is an industry-standard, HTTP-based protocol which provides the mechanisms for customers to delegate permission to the services to act on their behalf, and for services to gain authentication to accept the delegated permission.

To support the interaction between customers and services we need a special service, one which contains web pages and REST API endpoints. This service is called the central authority and is the focal point of the OpenID Connect protocol, providing endpoints for services and the login pages for customers. While it may seem that our login page exists completely inside our consumer site, it is really backed by our central authority, a service separate from the consumer site and used throughout our infrastructure.

All services that collaborate in the order process use the central authority to manage the lifecycle of their authentication, which makes this service one of the busiest in the Identity and Protection team and also in the company. Our central authority serves between 5 and 6 million requests each day for just our UK market. As a global company we have multiple markets around the globe, each one requiring multiple millions of requests to be served from their central authority.

Protection

Going deeper still: Just Eat Takeaway is one of the largest providers of food delivery services in the world. Our size makes us a target for bad actors, some of whom can be malicious hackers. The reality for any company that has a public internet presence is that there are individuals or groups constantly looking for weak areas in your security; the larger the company, the bigger the proportion of attention you receive.

We leverage many technologies and techniques to protect our systems and our customers’ identity. Managing the constant probing from bad actors for weak areas in our security is part of everyday life for us. We are constantly monitoring how our services are used and working on new technologies and enhancements to ensure that each attack is greeted by the same wall of security and countermeasures to repel it.

Evolution

Icebergs are susceptible to change, and it is the same for technology in the Identity and Protection team. As a team that manages millions of identities and serves many millions of requests each day, we are always looking for ways to improve. One of the biggest changes we are investing in is multi-factor authentication. Although this has been around for a long time, we are starting to see more applications using it. The prevalence of multi-factor authentication helps to educate our customer base and allows us to bring this into our authentication flow, without it becoming a reason customers cannot place their orders easily.

With the daily expansion of our customer base we are also increasing the investment in faster and easier ways to store, serve and manage our millions of identities. Working for a global company means that the Identity and Protection team gets to do this on a global scale, something most software engineering teams don’t get the chance to do. Working at a coordinated global scale is an interesting challenge and has given us the opportunities to not only improve our services and ability to serve identities but also have data placed in data centres around the globe.

These two initiatives are only the tip of our large investment iceberg!

Summary

Next time you see our login page, hopefully you will have a better understanding that there is a lot going on under the surface, from identity management to authentication flows. The Identity and Protection team works in collaboration with many teams so we can play our part in helping to ensure that our customers can place their orders in the quickest and safest way possible.

Just Eat Takeaway.com is hiring globally! Want to come work with us? Apply today
