
[DevDojo] Mercari・Merpay Auth Platform Onboarding - 2024


The Merpay payment platform implements authentication and authorization measures to ensure secure external communication. This session explains the role and usage of access tokens and introduces the basics of the Mercari Group's authentication infrastructure.

mercari

May 28, 2024


Transcript

  1. Introduction
     • Name
       ◦ Takashi MIMA a.k.a @task
       ◦ Slack: @task(mima)
     • Team
       ◦ IDP (IDentity Platform)
       ◦ in charge of Authentication/Authorization in Mercari
  2. Goals / Non-Goals of this onboarding
     Goals
     • To understand the roles of the main access tokens issued in Mercari
     • To understand why the main access tokens are needed
     • To understand how to issue and use the main access tokens
     Non-Goals
     • To understand the underlying specifications such as OAuth 2.0 and OpenID Connect
     • To understand their specific implementations
  3. Overview of Mercari architecture (diagram)
     Client → Gateway Microservice (with mercari-authority) → XXX / YYY / ZZZ Microservices, all inside the Mercari k8s clusters
     • External Access Token: between the Client and the Gateway
     • Internal Access Token: between the Gateway and each microservice, and between microservices
  4. IDP's Requirements (Responsibilities)
     Gateway-Authority layer (External Access Token)
     • identify a user
     • grant privileges to clients
       ◦ for security/privacy reasons
     • access control
     Microservices layer (Internal Access Token)
     • propagate the attached privileges properly
       ◦ across a lot of microservices
     • access control
  5. Authentication vs Authorization
     Main purpose
     • Authentication: determine whether users are who they claim to be
     • Authorization: determine which resources and features users can / cannot access
     Provided methods in Mercari
     • Authentication: SNS (Apple, Facebook, Google, Docomo, LINE), Email+Password, SMS, FIDO
     • Authorization: Access Tokens, Refresh Tokens
     How we manage it
     • Authentication: Proof of Authentication (PoA) / OPSession
     • Authorization: PlatformAccessToken (PFAT), PrivateAccessToken (PAT), etc.
  6. Authentication vs Authorization (section divider; same table as slide 5, with the Authentication column highlighted)
  7. Provided methods for Authentication
     • SNS
       ◦ Apple, Google, LINE, Facebook, (Docomo)
     • email + password
     • SMS
     • FIDO (Passkeys)
     • (passcode)
  8. Proof of Authentication (PoA)
     • JWT that proves a user has been authenticated
       ◦ the microservices that handle authentication verify its signature, so a tampered PoA is detected
     • PoA use cases
       ◦ issue sessions
       ◦ issue PFAT
       ◦ etc.
  9. OpenID Provider Session (OPSession)
     • HTTP session stored in a Cookie
     • issued by calling the /opsession endpoint with a PoA
  10. Authentication vs Authorization (section divider; same table as slide 5, with the Authorization column highlighted)
  11. OAuth 2.0: Authorization Framework
      • Framework for granting limited access to an HTTP service
        ◦ defined by RFC 6749
  12. Access Token / Refresh Token
      Access Token
      • String used to access protected resources
        ◦ represents permission to access resources on behalf of an end user
        ◦ represents specific scopes and a short duration of access
          ▪ can be used for access control
      Refresh Token
      • String used to obtain a new Access Token
        ◦ does not require the user to re-authenticate
  13. Major Access Tokens in Mercari
      Platform Access Token (PFAT)
      • Role: access to Gateway-Authority
      • Way to issue: follow the OAuth 2.0 Authorization Grants (call /authorize + /token)
      • Format: Opaque, JWT
      Private Access Token (PAT)
      • Role: access to microservices
      • Way to issue: Gateway-Authority issues a PAT by authenticating the external token
      • Format: JWT
  14. Overview of Mercari architecture (diagram; same as slide 3)
  15. Overview of Mercari architecture (diagram; same as slide 3 with the tokens named)
      Client → Gateway Microservice (with mercari-authority) → XXX / YYY / ZZZ Microservices inside the Mercari k8s clusters
      • PFAT: the External Access Token between the Client and the Gateway
      • PAT: the Internal Access Token between the Gateway and each microservice, and between microservices
  16. OIDC clients: confidential vs public
      • Two types of client, following the industry standard
        ◦ defined in RFC 6749 (OAuth 2.0, Section 2.1)
      Confidential
      • Able to keep their credentials safe: yes
      • Use cases: Web Application
      • Examples: Mercari Web Application / OIDC clients used in microservices
      Public
      • Able to keep their credentials safe: no
      • Use cases: User-Agent Based Application / Native Application
      • Examples: Mercari Native Applications (iOS / Android)
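The practical consequence of slide 16 shows up at the token endpoint: a confidential client proves its identity with a client_secret (RFC 6749, Section 2.3), while a public client has no secret to present, so the authorization code is bound to it by PKCE (RFC 7636) instead. This goes beyond the slide, which does not say how Mercari's public clients are protected. The Go code below is an added example for this page, not Mercari's implementation; the client IDs web and ios, the secret, the code values and the subjects are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

type ClientType int

const (
	Confidential ClientType = iota // can hold a client_secret (web app, server-side OIDC client)
	Public                         // cannot (native app, browser app)
)

type Client struct {
	ID         string
	Type       ClientType
	SecretHash [32]byte // SHA-256 of client_secret; confidential clients only
}

// AuthCode is what the /authorize step left behind for a later /token call.
type AuthCode struct {
	ClientID      string
	Sub           string
	CodeChallenge string // S256 challenge sent at /authorize; empty if none was sent
	Used          bool
}

// TokenRequest carries the fields of a /token call that matter here.
type TokenRequest struct {
	ClientID, ClientSecret, Code, CodeVerifier string
}

type TokenEndpoint struct {
	clients map[string]Client    // registered clients (constructed in-memory registry)
	codes   map[string]*AuthCode // outstanding authorization codes
}

func NewTokenEndpoint() *TokenEndpoint {
	return &TokenEndpoint{clients: map[string]Client{}, codes: map[string]*AuthCode{}}
}

func (e *TokenEndpoint) RegisterClient(c Client)            { e.clients[c.ID] = c }
func (e *TokenEndpoint) IssueCode(code string, ac AuthCode) { e.codes[code] = &ac }

// S256Challenge is the RFC 7636 transform: BASE64URL(SHA256(code_verifier)).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Exchange authenticates the client according to its type, then redeems the code.
// It returns the subject the authority may now issue a PFAT for.
func (e *TokenEndpoint) Exchange(req TokenRequest) (string, error) {
	cl, ok := e.clients[req.ClientID]
	if !ok {
		return "", errors.New("unknown client")
	}
	ac, ok := e.codes[req.Code]
	if !ok || ac.Used || ac.ClientID != req.ClientID {
		return "", errors.New("invalid, replayed or foreign code")
	}
	ac.Used = true // single use: a failed attempt burns the code too, so a verifier cannot be guessed by retrying
	switch cl.Type {
	case Confidential:
		h := sha256.Sum256([]byte(req.ClientSecret))
		if subtle.ConstantTimeCompare(h[:], cl.SecretHash[:]) != 1 {
			return "", errors.New("client authentication failed")
		}
	case Public:
		if ac.CodeChallenge == "" {
			return "", errors.New("public client must use PKCE")
		}
	}
	// PKCE is verified whenever a challenge was registered, for either client type.
	if ac.CodeChallenge != "" &&
		subtle.ConstantTimeCompare([]byte(S256Challenge(req.CodeVerifier)), []byte(ac.CodeChallenge)) != 1 {
		return "", errors.New("PKCE verification failed")
	}
	return ac.Sub, nil
}
```

Register a confidential client with the SHA-256 of its secret and a public client with no secret, hand each an AuthCode from the /authorize step (with a CodeChallenge for the public one), and call Exchange. The point of the two branches: a stolen authorization code is useless to an attacker without the confidential client's secret or the public client's code_verifier, and the code is bound to the client ID it was issued to, so neither client can redeem the other's code.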
  17. Wrap Up: Goals of this onboarding
      Roles of access tokens issued in Mercari
      • PFAT: access token for calling the API via the Gateway
      • PAT: access token for calling the API of a microservice
      Reasons why access tokens are needed
      • Grant privileges, propagate privileges, access control
      Way to issue / use access tokens
      • PFAT: use the OIDC clients issued by the IDP team
        ◦ Public clients, Confidential clients
      • PAT: issued by mercari-authority