Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to the ID Platform - Mercari India DEV Meetup #01 Backend

mercari
PRO
September 12, 2022
Programming
0
630

Introduction to the ID Platform - Mercari India DEV Meetup #01 Backend

This is a team introduction of Merpay ID Platform.
Merpay, Inc. was established in November 2017 as a fully-owned subsidiary of Mercari, Inc., with the goal of starting a new business related to finance. Merpay’s mission is to build trust for a seamless society. Using the technological know how, vast user base, and foundation of data from the marketplace app Mercari, the company’s goal is not only to provide Merpay as a method of payment, but to create a new form of trust that could be used to provide various other financial services in the future.

This slide was presented at the first Mercari India DEV Meetup on the 20th August to introduce the Backend teams of Mercari group. The recording can be viewed from the link below.
https://youtu.be/w_khQWGhzic

- Speaker LinkedIn
https://www.linkedin.com/in/guha-arghya/
https://www.linkedin.com/in/utkarsh-saxena-42497a119/

Please follow us on our LinkedIn account for the latest information!
https://www.linkedin.com/company/mercari-india/

#Engineering #MercariIndia #Backend

mercari
PRO

September 12, 2022
Tweet

More Decks by mercari

See All by mercari
[DevDojo] Introduction to Machine Learning
mercari
PRO
0
56
[DevDojo] Design System for Mobile
mercari
PRO
0
36
[DevDojo] Introduction to Mobile Development
mercari
PRO
0
26
[DevDojo] 成功するスクラムチームとは
mercari
PRO
0
70
[DevDojo] Successful Scrum Team at Mercari
mercari
PRO
0
24
[DevDojo] Introduction to Design Doc
mercari
PRO
0
41
[DevDojo] Introduction to Authentication Platform
mercari
PRO
0
26
[DevDojo] メルペイの品質保証ポリシー
mercari
PRO
0
39
[DevDojo] Quality Assurance Policy
mercari
PRO
0
19

Other Decks in Programming

See All in Programming
Attributes in PHP 8
beberlei
1
340
Ruby JIT Hacking Guide / RubyKaigi 2023
k0kubun
0
3.3k
Micro Frontends for Java Developers - Devoxx UK 2023
mraible
PRO
1
200
Multiverse Ruby
shioyama
1
2.3k
RBS meets LLMs - Type inference using LLM
kokuyouwind
0
200
OpenAI APIを使ったGlideでのWebアプリづくり
nanya3737
0
180
PO,SMに送るテスト自動化の8原則に5箇条を添えて / scrumniigata2023
pineapplecandy
2
670
The Resurrection of 
the Fast Parallel Test Runner
koic
1
1.6k
OAuth for Java Developers - Codemotion Madrid 2023
mraible
PRO
0
300
GitHub Copilotを使って ちょっと楽にUnitTestを書けるようになった
totokit4
2
1.4k
Kotlin 2.0을 통해 알아보는 코틀린의 미래
dalinaum
1
1.4k
「無ければ作る」Backlogに欲しい機能を自分で作った話
nsuz
0
110

Featured

See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
25
44k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Building an army of robots
kneath
300
41k
GraphQLとの向き合い方2022年版
quramy
23
11k
Pencils Down: Stop Designing & Start Developing
hursman
114
10k
Done Done
chrislema
178
15k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k
Designing the Hi-DPI Web
ddemaree
273
33k
Optimising Largest Contentful Paint
csswizardry
2
770
Intergalactic Javascript Robots from Outer Space
tanoku
262
26k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
How GitHub (no longer) Works
holman
299
140k

Transcript

  1. 1
    Introduction to the ID Platform
    @utkarsh @guha
    Software Engineer(IDP)

    View Slide

  2. 2
    @guha
    ● From Kolkata India.
    ● Joined IDP on January 1 this year.
    ● 9+ years as a SWE.
    ● Worked mainly in E-Commerce, Geo Data
    and now IDP.
    Software Engineer(IDP)

    View Slide

  3. 3
    Purpose of IDP
    Introduce appropriate authentication, access control,
    and data protection to Mercari Group services in a
    standard format.

    View Slide

  4. 4
    Appropriate and standard
    Meaning of "appropriate"
    ● Authentication: Sufficiently strong authentication
    ● Access Control: Principle of Least Privilege
    ● Data Protection: data mimization/unlinkability
    Reason for "standard"
    ● Authentication and authorization is a basic function used
    in any service. Versatility.
    ● Authentication and authorization is an important function
    directly linked to security incidents. Safety.

    View Slide

  5. 5
    Why do we need an
    ID Platform

    View Slide

  6. 6
    @utkarsh
    ● From Jaipur India.
    ● Graduated from IIT Roorkee, 2018.
    ● Joined Mercari in October 2018.
    ● Joined IDP in August 2019.
    ● 4 years of experience at Mercari, Japan.
    ● Worked mainly on ID platform (backend).
    Software Engineer(IDP)

    View Slide

  7. 7
    Mercari in 2017
    A few Client applications
    Mercari, Merchari etc
    Not many backend components

    View Slide

  8. 8
    Mercari in 2017
    A few Client applications
    Mercari, Merchari etc
    Not many backend components
    ② Verify MAT
    Client add the MAT on the
    Request to Mercari API.
    Mercari API checks if the
    MAT is valid or not. There
    is no fine-grained AuthZ.
    ① Issue MAT
    The MAT is issued on
    Mercari API. The MAT will
    be bound with user by
    AuthN(Password, SMS ...)
    on Login process.

    View Slide

  9. 9
    Mercari in 2017
    Not many backend components
    A few Client applications
    Mercari, Merchari etc
    Change 1
    Migration to the
    Microservice Architecture
    Change 2
    Necessity of Variety clients

    View Slide

  10. 10
    AuthN/AuthZ in Microservices architecture
    ● Mercari introduced Microservices architecture to meet the business
    speed.
    ● How to handle the AuthN/AuthZ on the Microservices
    architecture?
    ○ Where should the authentication and authorization be done?
    ○ How to share the information between each microservices?

    View Slide

  11. 11
    ● Mercari’s APIs are not only for Mercari App. Other Type of Clients and
    Other party Clients want to to use the APIs.
    ● How to handle the variety of other type and party clients?
    ○ How to issue and deliver the token securely for many type of client?
    ○ How to control the Authorization finer grained.
    AuthN/AuthZ for other type/party clients

    View Slide

  12. 12
    Old Mercari situation
    ● Summary
    ○ Token issuing and verification Process is executed on Mercari API.
    ○ The token is called Mercari Access Token(MAT).
    ○ MAT don’t have the ability to control authorization.

    View Slide

  13. 13
    Recent Mercari situation (2019 - 2022)
    Go to Microservices !
    Move business logic from Mercari API to Microservices

    View Slide

  14. 14
    What is the problem in this situation
    2. How to share the
    information
    between each
    microservices?
    1. Where should we
    do authentication?
    How to handle the AuthN/AuthZ on the Microservices architecture?

    View Slide

  15. 15
    How to solve the problem
    ② PAT
    Private Access
    Token(PAT) is used
    for sharing
    Authentication
    Information
    ③ Authority
    Verify MAT and
    Issue PAT
    ① Gateway
    MAT is
    checked on
    Gateway
    layer.

    View Slide

  16. 16
    Process to Access API
    ② Verify MAT and Issue PAT
    Gateway/Authority will request to
    Mercari API to checks if the MAT
    is valid or not. If it is valid, PAT
    will be issued.
    ③ Communication between microservices
    Each microservices check if the PAT is valid.
    Propagate the PAT to access other
    microservices
    ① Issue MAT
    The process is same with
    old Mercari situation.

    View Slide

  17. 17
    Access Control
    ② Microservices
    Each microservices should check if the requests
    are allowed by the claims of PAT, like subject. In
    addition to checking whether the PAT is valid or
    not.
    ① Gateway/Authority
    The situation is same with
    old Mercari situation. Just
    check MAT is valid or not.

    View Slide

  18. 18
    Other issuing process of PAT
    ① Service
    When a worker want
    to access
    microservice. The
    PAT is created
    based on Google ID
    Token of Google
    Service Account.
    ① Employee
    When an employee
    access to Mercari’s
    API from CS Tool a
    employee token is
    used as external
    token.

    View Slide

  19. 19
    How to handle the AuthN/AuthZ on Microservices?
    ● Summary
    ○ The MAT is used as External Token.
    ○ Token issuing Process is same with old Mercari situation.
    ○ Token verification Process is executed on Gateway/Authority Layer.
    ○ Exchange external token (MAT) to Internal token (PAT).
    ○ The Internal token(PAT) is propagated to microservices and be used AuthZ.

    View Slide

  20. 20
    IDP current projects
    ● Replacing MAT with OAuth2.0 Access Token (aka PFAT)
    ● Authentication across multiple clusters
    ● Additional Biometric Authentication (FIDO)
    ○ One stop solution for phishing prevention
    ○ Becoming a part of the FIDO alliance
    ● Resource Management
    ○ automate onboarding of oidc clients
    ● Fine-grained Authorization
    What are we currently working on?

    View Slide

  21. 21
    The ID Platform Team
    @kung

    @wicros
 @kokukuma

    @eric

    @g-varona
 @utkarsh
 @gia.nguyen

    @nikku

    @guha

    @koi

    @danny

    ● 11 members
    ● 9 nationalities
    ● 1 Engineering Manager
    ● 1 Tech Lead
    ● 3 Product Managers
    ● 6 Backend Engineers

    View Slide

  22. 22
    We are Hiring!
    We are looking for ID pros who can bring their experience and
    expertise in the domain to lay the foundation of the IDP team in
    India.

    View Slide