Mercari app access token: from proprietary to OAuth 2.0 / OIDC based

Nguyen Gia

January 19, 2024

Transcript

  1. Slide 1: Mercari app access token: from proprietary to OAuth 2.0 / OIDC based
     OpenID Summit Tokyo 2024. Mercari, Inc. - Identity Platform Team, Gia Nguyen
  2. Slide 2: Mercari Identity Platform - Agenda
     01 Mercari Identity Platform
     02 Issues of Mercari Access Token
     03 Access token migration
     04 Migration stories
     05 Migration result
  3. Slide 4: Past Mercari architecture - beginning
     Token issuing and verification are done by Mercari API. MAT: Mercari Access Token
  4. Slide 5: Past Mercari architecture - microservices
     Token issuing and verification are still done by Mercari API. MAT: Mercari Access Token, PAT: Private Access Token
  5. Slide 7: Issues of Mercari Access Token
     The token is issued and verified based on a proprietary spec
     • Hard to maintain and extend
       ◦ E.g. applying security best practices
     • Long expiration and ultimate permission
     • Issued and verified by a legacy monolith service
       ◦ This service is shared and any developer can make changes to it
  6. Slide 8: Basic approach
     Move from the proprietary spec to an OAuth 2.0 / OIDC based spec
     • Widely adopted specs make it easier to maintain and handle extra requirements
     • More control over expiration and permission settings
     • Completely owned by the IDP team
  7. Slide 10: About access token migration
     2018: Started developing the authorization server. The initial purpose was authorization for 3rd parties
     2021: Migrated the access token for web. Also considered for the native app but postponed
     2023: Migrated the access token for the native app
  8. Slide 11: Desired architecture
     Token issuing and verifying are done by the authorization server. PFAT: Platform Access Token
  9. Slide 12: Consideration points
     • Authentication and token issuing process
     • Solutions for various request patterns
     • Specifications
       ◦ OAuth 2.0 for Native Apps
       ◦ OpenID Connect Native SSO for Mobile Apps 1.0
       ◦ OAuth 2.0 Token Exchange
       ◦ Implementing App-to-App Authorisation in OAuth2/OpenID Connect
       ◦ OAuth 2.0 Security Best Current Practice
       ◦ …
  10. Slide 13: Authentication and token issuing process
     • Use the in-app browser as the user-agent and store the authentication session in a cookie
       ◦ So users don't need to re-login in different webs/apps
  11. Slide 16: Migration stories
     01 Already logged in users are able to do SSO without re-login
     02 Support webview with better token management
     03 Authentication session should stay alive if users keep using the app
  12. Slide 18: Requirements
     • Already logged in users should use the new token
       ◦ Directly exchanging the old token for a new token is one option
     • Already logged in users are able to do SSO to other apps/webs
       ◦ Need to create and store the auth session in the browser inside the Mercari app beforehand
     • Asking users to re-login inside the in-app browser is not acceptable
       ◦ Users are already logged in on the native side
       ◦ Need to inherit the auth session
  13. Slide 21: Webview is unavoidable
     • The session is shared with the browser, so opening every web page in the external browser is basically feasible
     • But using a webview is still preferred in some cases
       ◦ Better UI/UX (e.g. customizable header/footer)
       ◦ Easier information sharing between native and web
  14. Slide 23: Webview that gets a token from native
     Native performs a token exchange to obtain a less privileged token and sends it to the webview
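As an added example (not code from the presentation or from Mercari), here is a stand-in authorization-server handler for the token exchange step above, following RFC 8693: the native app presents its own access token as the subject token and receives a shorter-lived, audience-restricted token for the webview, and a request for scopes the native token does not hold is refused. The HS256 key, issuer, audience and scope names are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed example values; the key, issuer and audience name are assumptions.
KEY = b"example-hs256-key-not-for-production"
ISSUER = "https://as.example.invalid"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:  # HS256 stand-in for the AS signer
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Check signature, issuer and expiry; raise ValueError on any failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["iss"] != ISSUER or claims["exp"] <= now:
        raise ValueError("wrong issuer or expired")
    return claims

def token_exchange(form: dict, now: int, ttl: int = 300) -> dict:
    """RFC 8693 handler: the native token may only be narrowed, never widened."""
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return {"error": "invalid_request"}
    try:
        subject = verify_jwt(form["subject_token"], now)
    except (ValueError, KeyError):
        return {"error": "invalid_grant"}
    have = set(subject["scope"].split())
    want = set(form.get("scope", "").split()) or have
    if not want <= have:                      # asked for more than native holds
        return {"error": "invalid_scope"}
    exp = min(now + ttl, subject["exp"])      # webview token never outlives native token
    claims = {"iss": ISSUER, "sub": subject["sub"], "aud": form.get("audience", "webview"),
              "scope": " ".join(sorted(want)), "iat": now, "exp": exp}
    return {"access_token": sign_jwt(claims), "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": exp - now, "scope": claims["scope"]}
```

The webview then verifies `aud` and `exp` on its side, so a token leaked from the webview is useless against the native-app audience and dies within `ttl` seconds.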
  15. Slide 26: Requirements
     • Users should be asked to re-login if they don't use the app for a period of time
       ◦ Can be controlled by refresh token and authentication session expiry
       ◦ Those expiries can't be very long
     • But if users keep using the app, the authentication should be kept alive
       ◦ Be able to do SSO to other webs/apps
       ◦ Authentication session needs to be extended
  16. Slide 27: Solution
     • Control authentication session expiry on the server side
       ◦ Cookie expiry needs to be set to a long value
     • Extend the session when the native app's refresh token is used
  17. Slide 28: Challenge
     Some browsers have a limit on cookie lifetime
     • E.g. Chrome only allows 400 days as the max
     • Not resolved yet
  18. Slide 30: Migration result
     • The access token used in the Mercari app has been migrated to the new one in recent app versions
     • For iOS, the final milestone was released
       ◦ You can try Sign in with Passkeys!
     • The Android final milestone will be released soon
  19. Slide 31: Migration result - achievements
     • Able to proceed with projects that were blocked by the old spec
     • Token issuing and verification are independent of the old monolith
     • Token expiration and permissions are set more properly
     • The authentication session is shared, which reduced the number of re-login failed errors
     • Easier to improve or extend authentication features