Slide 1

Auth Platform Onboarding

Slide 2

Introduction
● Name
  ○ Takashi MIMA a.k.a. @task
  ○ Slack: @task(mima)
● Team
  ○ IDP (IDentity Platform)
  ○ in charge of Authentication/Authorization in Mercari

Slide 3

Goals / Non-Goals of this onboarding
Goals
● To understand the roles of the main access tokens issued in Mercari
● To understand why the main access tokens are needed
● To understand how the main access tokens are issued and used
Non-Goals
● To understand the underlying specifications such as OAuth 2.0 and OpenID Connect
● To understand their specific implementations

Slide 4

Table of Contents
1. Overview of Mercari architecture
2. Authentication
3. Authorization
4. Wrap up

Slide 5

Overview of Mercari architecture (diagram)
● Client → Gateway Microservice / mercari-authority: External Access Token
● Inside the Mercari k8s clusters, Gateway ↔ XXX / YYY / ZZZ Microservices: Internal Access Token

Slide 6

IDP's Requirements (Responsibilities)
Gateway-Authority layer (External Access Token)
● identify a user
● grant privileges to clients
  ○ for security/privacy reasons
● access control
Microservices layer (Internal Access Token)
● propagate the attached privileges properly
  ○ across a lot of microservices
● access control

Slide 7

Q. How does Mercari meet these requirements? 🤔

Slide 8

A. By mechanisms of Authentication / Authorization

Slide 9

Authentication vs Authorization
● Main purpose
  ○ Authentication: determine whether users are who they claim to be
  ○ Authorization: determine which resources and features users can / cannot access
● Provided methods in Mercari
  ○ Authentication: SNS (Apple, Facebook, Google, Docomo, LINE), Email + Password, SMS, FIDO
  ○ Authorization: Access Tokens, Refresh Tokens
● How we manage
  ○ Authentication: Proof of Authentication (PoA) / OPSession
  ○ Authorization: PlatformAccessToken (PFAT), PrivateAccessToken (PAT), etc.

Slide 10

(The Authentication vs Authorization comparison from Slide 9 is shown again, unchanged.)

Slide 11

Provided methods for Authentication
● SNS
  ○ Apple, Google, LINE, Facebook, (Docomo)
● email + password
● SMS
● FIDO (Passkeys)
● (passcode)

Slide 12

Proof of Authentication (PoA)
● JWT that proves a user has been authenticated
  ○ a microservice that consumes a PoA verifies its signature, so any tampering with the token is detected
● PoA use cases
  ○ issue sessions
  ○ issue PFAT
  ○ etc.

Slide 13

OpenID Provider Session (OPSession)
● HTTP session stored in a Cookie
● issued by calling the /opsession endpoint with a PoA

Slide 14

(The Authentication vs Authorization comparison from Slide 9 is shown again, unchanged, as the transition into the Authorization section.)

Slide 15

OAuth 2.0: Authorization Framework
● Framework that lets an application obtain limited access to an HTTP service
  ○ defined by RFC 6749

Slide 16

Access Token / Refresh Token
Access Token
● String used to access protected resources
  ○ indicates permission to access resources on behalf of an end user
  ○ represents specific scopes and a short duration of access
    ■ can be used for access control
Refresh Token
● String used to obtain a new Access Token
  ○ does not require the user to re-authenticate

Slide 17

Major Access Tokens in Mercari
Platform Access Token (PFAT)
● Role: access to Gateway-Authority
● Way to issue: follow OAuth 2.0 Authorization Grants; call /authorize + /token
● Format: Opaque, JWT
Private Access Token (PAT)
● Role: access to microservices
● Way to issue: Gateway-Authority issues a PAT after authenticating the external token (PFAT)
● Format: JWT

Slide 18

(The architecture diagram from Slide 5 is shown again, unchanged.)

Slide 19

Overview of Mercari architecture (diagram, tokens named)
● Client → Gateway Microservice / mercari-authority: PFAT
● Inside the Mercari k8s clusters, Gateway ↔ XXX / YYY / ZZZ Microservices: PAT
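The PoA of Slide 12 and the PFAT-to-PAT issuance of Slide 17 both come down to the same mechanics: a signed JWT whose consumer verifies the signature before trusting any claim, then checks expiry and who the token was meant for. The Go program below is an added example written for this page, not Mercari's code. It hand-rolls an EdDSA JWT so it runs with the standard library only; the claim set (sub, aud, scp, iat, exp), the in-memory PFAT store, the issuer and audience strings, and the names Sign, Verify, ExchangePFAT and HasScope are all assumptions made here and do not come from the deck.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed claim set; the deck does not show the real PoA/PAT claims.
type Claims struct {
	Subject   string   `json:"sub"`           // user identifier
	Audience  string   `json:"aud"`           // who may accept the token
	Scopes    []string `json:"scp,omitempty"` // privileges a PAT propagates
	IssuedAt  int64    `json:"iat"`
	ExpiresAt int64    `json:"exp"`
}

var (
	b64 = base64.RawURLEncoding
	// The only header we issue or accept; pinning it stops a token from choosing its own alg.
	header = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
)

// Sign produces a compact JWT (header.payload.signature) over the claims.
func Sign(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := header + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// Verify checks the signature before trusting any claim, then exp and aud.
func Verify(pub ed25519.PublicKey, token, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return nil, errors.New("malformed token or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	if c.Audience != wantAud {
		return nil, fmt.Errorf("audience %q not accepted here", c.Audience)
	}
	return &c, nil
}

// ExchangePFAT is the gateway step: look the opaque PFAT up in the authority's store
// (constructed here as a map of Claims), then mint a short-lived internal PAT for microservices.
func ExchangePFAT(store map[string]Claims, pfat string, priv ed25519.PrivateKey, now time.Time) (string, error) {
	rec, ok := store[pfat]
	if !ok || now.Unix() >= rec.ExpiresAt {
		return "", errors.New("PFAT invalid or expired")
	}
	return Sign(priv, Claims{Subject: rec.Subject, Audience: "microservices", Scopes: rec.Scopes,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(5 * time.Minute).Unix()})
}

// HasScope is the access-control check a microservice runs on a verified PAT.
func HasScope(c *Claims, scope string) bool {
	for _, s := range c.Scopes {
		if s == scope {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	poa, _ := Sign(priv, Claims{Subject: "user-123", Audience: "mercari-authority",
		IssuedAt: now.Unix(), ExpiresAt: now.Add(time.Minute).Unix()})
	_, err := Verify(pub, poa, "microservices", now) // a PoA is not a PAT: wrong audience
	fmt.Println("PoA rejected by microservice:", err != nil)
	store := map[string]Claims{"opaque-pfat-1": {Subject: "user-123", Scopes: []string{"items:read"}, ExpiresAt: now.Add(time.Hour).Unix()}}
	pat, _ := ExchangePFAT(store, "opaque-pfat-1", priv, now)
	c, err := Verify(pub, pat, "microservices", now)
	fmt.Println("PAT accepted, items:read granted:", err == nil && HasScope(c, "items:read"))
}
```

Two choices matter here. The verifier compares the encoded header to the one fixed value it issues, so an "alg":"none" or HMAC header is rejected before the signature is even looked at. And each token carries an audience: a PoA is addressed to the authority only, so a microservice that receives one instead of a PAT refuses it on aud, which is what keeps the authentication artifact from doubling as an authorization credential. In production, a vetted JWT library with key identifiers (kid) and rotation replaces the hand-rolled encoding; the checks stay the same.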

Slide 20

OIDC clients: confidential vs public
● Two types of OIDC clients, following an industry standard
  ○ the client types are defined in RFC 6749
Confidential
● Able to keep their credentials safe: yes (O)
● Use cases: Web Application
● Examples: Mercari Web Application / OIDC clients used in microservices
Public
● Able to keep their credentials safe: no (X)
● Use cases: User-Agent Based Application / Native Application
● Examples: Mercari Native Applications (iOS / Android)

Slide 21

Summary until issuing PFAT / PAT (sequence diagram; only the "authority" labels survived extraction)

Slide 22

Wrap Up

Slide 23

Wrap Up: Goals of this onboarding
Roles of access tokens issued in Mercari
● PFAT: access token used to call APIs via the Gateway
● PAT: access token used to call microservice APIs
Reasons why access tokens are needed
● Grant privileges, propagate privileges, access control
Way to issue / use access tokens
● PFAT: use OIDC clients issued by the IDP team
  ○ Public clients, Confidential clients
● PAT: issued by mercari-authority