$30 off During Our Annual Pro Sale. View Details »

Introduction to the ID Platform - Mercari India DEV Meetup #01 Backend

mercari
PRO
September 12, 2022

Introduction to the ID Platform - Mercari India DEV Meetup #01 Backend

This is a team introduction of Merpay ID Platform.
Merpay, Inc. was established in November 2017 as a fully-owned subsidiary of Mercari, Inc., with the goal of starting a new business related to finance. Merpay’s mission is to build trust for a seamless society. Using the technological know how, vast user base, and foundation of data from the marketplace app Mercari, the company’s goal is not only to provide Merpay as a method of payment, but to create a new form of trust that could be used to provide various other financial services in the future.

This slide was presented at the first Mercari India DEV Meetup on the 20th August to introduce the Backend teams of Mercari group. The recording can be viewed from the link below.
https://youtu.be/w_khQWGhzic

- Speaker LinkedIn
https://www.linkedin.com/in/guha-arghya/
https://www.linkedin.com/in/utkarsh-saxena-42497a119/

Please follow us on our LinkedIn account for the latest information!
https://www.linkedin.com/company/mercari-india/

#Engineering #MercariIndia #Backend

mercari
PRO

September 12, 2022
Tweet

More Decks by mercari

Other Decks in Programming

Transcript

  1. 1 Introduction to the ID Platform @utkarsh @guha Software Engineer(IDP)

  2. 2 @guha • From Kolkata India. • Joined IDP on

    January 1 this year. • 9+ years as a SWE. • Worked mainly in E-Commerce, Geo Data and now IDP. Software Engineer(IDP)
  3. 3 Purpose of IDP Introduce appropriate authentication, access control, and

    data protection to Mercari Group services in a standard format.
  4. 4 Appropriate and standard Meaning of "appropriate" • Authentication: Sufficiently

    strong authentication • Access Control: Principle of Least Privilege • Data Protection: data mimization/unlinkability Reason for "standard" • Authentication and authorization is a basic function used in any service. Versatility. • Authentication and authorization is an important function directly linked to security incidents. Safety.
  5. 5 Why do we need an ID Platform

  6. 6 @utkarsh • From Jaipur India. • Graduated from IIT

    Roorkee, 2018. • Joined Mercari in October 2018. • Joined IDP in August 2019. • 4 years of experience at Mercari, Japan. • Worked mainly on ID platform (backend). Software Engineer(IDP)
  7. 7 Mercari in 2017 A few Client applications Mercari, Merchari

    etc Not many backend components
  8. 8 Mercari in 2017 A few Client applications Mercari, Merchari

    etc Not many backend components ② Verify MAT Client add the MAT on the Request to Mercari API. Mercari API checks if the MAT is valid or not. There is no fine-grained AuthZ. ① Issue MAT The MAT is issued on Mercari API. The MAT will be bound with user by AuthN(Password, SMS ...) on Login process.
  9. 9 Mercari in 2017 Not many backend components A few

    Client applications Mercari, Merchari etc Change 1 Migration to the Microservice Architecture Change 2 Necessity of Variety clients
  10. 10 AuthN/AuthZ in Microservices architecture • Mercari introduced Microservices architecture

    to meet the business speed. • How to handle the AuthN/AuthZ on the Microservices architecture? ◦ Where should the authentication and authorization be done? ◦ How to share the information between each microservices?
  11. 11 • Mercari’s APIs are not only for Mercari App.

    Other Type of Clients and Other party Clients want to to use the APIs. • How to handle the variety of other type and party clients? ◦ How to issue and deliver the token securely for many type of client? ◦ How to control the Authorization finer grained. AuthN/AuthZ for other type/party clients
  12. 12 Old Mercari situation • Summary ◦ Token issuing and

    verification Process is executed on Mercari API. ◦ The token is called Mercari Access Token(MAT). ◦ MAT don’t have the ability to control authorization.
  13. 13 Recent Mercari situation (2019 - 2022) Go to Microservices

    ! Move business logic from Mercari API to Microservices
  14. 14 What is the problem in this situation 2. How

    to share the information between each microservices? 1. Where should we do authentication? How to handle the AuthN/AuthZ on the Microservices architecture?
  15. 15 How to solve the problem ② PAT Private Access

    Token(PAT) is used for sharing Authentication Information ③ Authority Verify MAT and Issue PAT ① Gateway MAT is checked on Gateway layer.
  16. 16 Process to Access API ② Verify MAT and Issue

    PAT Gateway/Authority will request to Mercari API to checks if the MAT is valid or not. If it is valid, PAT will be issued. ③ Communication between microservices Each microservices check if the PAT is valid. Propagate the PAT to access other microservices ① Issue MAT The process is same with old Mercari situation.
  17. 17 Access Control ② Microservices Each microservices should check if

    the requests are allowed by the claims of PAT, like subject. In addition to checking whether the PAT is valid or not. ① Gateway/Authority The situation is same with old Mercari situation. Just check MAT is valid or not.
  18. 18 Other issuing process of PAT ① Service When a

    worker want to access microservice. The PAT is created based on Google ID Token of Google Service Account. ① Employee When an employee access to Mercari’s API from CS Tool a employee token is used as external token.
  19. 19 How to handle the AuthN/AuthZ on Microservices? • Summary

    ◦ The MAT is used as External Token. ◦ Token issuing Process is same with old Mercari situation. ◦ Token verification Process is executed on Gateway/Authority Layer. ◦ Exchange external token (MAT) to Internal token (PAT). ◦ The Internal token(PAT) is propagated to microservices and be used AuthZ.
  20. 20 IDP current projects • Replacing MAT with OAuth2.0 Access

    Token (aka PFAT) • Authentication across multiple clusters • Additional Biometric Authentication (FIDO) ◦ One stop solution for phishing prevention ◦ Becoming a part of the FIDO alliance • Resource Management ◦ automate onboarding of oidc clients • Fine-grained Authorization What are we currently working on?
  21. 21 The ID Platform Team @kung
 @wicros
 @kokukuma
 @eric
 @g-varona


    @utkarsh
 @gia.nguyen
 @nikku
 @guha
 @koi
 @danny
 • 11 members • 9 nationalities • 1 Engineering Manager • 1 Tech Lead • 3 Product Managers • 6 Backend Engineers
  22. 22 We are Hiring! We are looking for ID pros

    who can bring their experience and expertise in the domain to lay the foundation of the IDP team in India.