1 Introduction to the ID Platform @utkarsh @guha Software Engineer(IDP)

2 @guha ● From Kolkata India. ● Joined IDP on January 1 this year. ● 9+ years as a SWE. ● Worked mainly in E-Commerce, Geo Data and now IDP. Software Engineer(IDP)

3 Purpose of IDP Introduce appropriate authentication, access control, and data protection to Mercari Group services in a standard format.

4 Appropriate and standard Meaning of "appropriate" ● Authentication: Sufficiently strong authentication ● Access Control: Principle of Least Privilege ● Data Protection: data mimization/unlinkability Reason for "standard" ● Authentication and authorization is a basic function used in any service. Versatility. ● Authentication and authorization is an important function directly linked to security incidents. Safety.

5 Why do we need an ID Platform

6 @utkarsh ● From Jaipur India. ● Graduated from IIT Roorkee, 2018. ● Joined Mercari in October 2018. ● Joined IDP in August 2019. ● 4 years of experience at Mercari, Japan. ● Worked mainly on ID platform (backend). Software Engineer(IDP)

7 Mercari in 2017 A few Client applications Mercari, Merchari etc Not many backend components

8 Mercari in 2017 A few Client applications Mercari, Merchari etc Not many backend components ② Verify MAT Client add the MAT on the Request to Mercari API. Mercari API checks if the MAT is valid or not. There is no fine-grained AuthZ. ① Issue MAT The MAT is issued on Mercari API. The MAT will be bound with user by AuthN(Password, SMS ...) on Login process.

9 Mercari in 2017 Not many backend components A few Client applications Mercari, Merchari etc Change 1 Migration to the Microservice Architecture Change 2 Necessity of Variety clients

10 AuthN/AuthZ in Microservices architecture ● Mercari introduced Microservices architecture to meet the business speed. ● How to handle the AuthN/AuthZ on the Microservices architecture? ○ Where should the authentication and authorization be done? ○ How to share the information between each microservices?

11 ● Mercari’s APIs are not only for Mercari App. Other Type of Clients and Other party Clients want to to use the APIs. ● How to handle the variety of other type and party clients? ○ How to issue and deliver the token securely for many type of client? ○ How to control the Authorization finer grained. AuthN/AuthZ for other type/party clients

12 Old Mercari situation ● Summary ○ Token issuing and verification Process is executed on Mercari API. ○ The token is called Mercari Access Token(MAT). ○ MAT don’t have the ability to control authorization.

13 Recent Mercari situation (2019 - 2022) Go to Microservices ! Move business logic from Mercari API to Microservices

14 What is the problem in this situation 2. How to share the information between each microservices? 1. Where should we do authentication? How to handle the AuthN/AuthZ on the Microservices architecture?

15 How to solve the problem ② PAT Private Access Token(PAT) is used for sharing Authentication Information ③ Authority Verify MAT and Issue PAT ① Gateway MAT is checked on Gateway layer.

16 Process to Access API ② Verify MAT and Issue PAT Gateway/Authority will request to Mercari API to checks if the MAT is valid or not. If it is valid, PAT will be issued. ③ Communication between microservices Each microservices check if the PAT is valid. Propagate the PAT to access other microservices ① Issue MAT The process is same with old Mercari situation.

17 Access Control ② Microservices Each microservices should check if the requests are allowed by the claims of PAT, like subject. In addition to checking whether the PAT is valid or not. ① Gateway/Authority The situation is same with old Mercari situation. Just check MAT is valid or not.

18 Other issuing process of PAT ① Service When a worker want to access microservice. The PAT is created based on Google ID Token of Google Service Account. ① Employee When an employee access to Mercari’s API from CS Tool a employee token is used as external token.

19 How to handle the AuthN/AuthZ on Microservices? ● Summary ○ The MAT is used as External Token. ○ Token issuing Process is same with old Mercari situation. ○ Token verification Process is executed on Gateway/Authority Layer. ○ Exchange external token (MAT) to Internal token (PAT). ○ The Internal token(PAT) is propagated to microservices and be used AuthZ.

20 IDP current projects ● Replacing MAT with OAuth2.0 Access Token (aka PFAT) ● Authentication across multiple clusters ● Additional Biometric Authentication (FIDO) ○ One stop solution for phishing prevention ○ Becoming a part of the FIDO alliance ● Resource Management ○ automate onboarding of oidc clients ● Fine-grained Authorization What are we currently working on?

21 The ID Platform Team @kung
 @wicros
 @kokukuma
 @eric
 @g-varona
 @utkarsh
 @gia.nguyen
 @nikku
 @guha
 @koi
 @danny
 ● 11 members ● 9 nationalities ● 1 Engineering Manager ● 1 Tech Lead ● 3 Product Managers ● 6 Backend Engineers

22 We are Hiring! We are looking for ID pros who can bring their experience and expertise in the domain to lay the foundation of the IDP team in India.