1 Mercari app access token: from proprietary to OAuth 2.0 / OIDC based OpenID Summit Tokyo 2024 Mercari, Inc. - Identity Platform Team Gia Nguyen 

2 Mercari Identity Platform Agenda Issues of Mercari Access Token Access token migration Migration stories 02 03 04 01 Migration result 05 

3 Mercari Identity Platform 

4 Past Mercari architecture - beginning Token issuing and verification are done by Mercari API MAT: Mercari Access Token 

5 Past Mercari architecture - microservices Token issuing and verification still be done by Mercari API MAT: Mercari Access Token PAT: Private Access Token 

6 Issues of Mercari Access Token 

7 Issues of Mercari Access Token The token is issued and verified based on a proprietary spec ● Hard to maintain and extend ○ E.g. apply security best practices ● Long expiration and ultimate permission ● Issued and verified by legacy monolith service. ○ This service is shared and any developer can make changes to it 

8 Basic approach Move from proprietary spec to OAuth 2.0 / OIDC based spec ● Wide adopted specs make it easier to maintain and handle extra requirements ● More control on expiration and permission setting ● Completely owned by IDP team 

9 Access Token Migration 

10 About access token migration Migrated access token for web Also considered for native app but postponed 2021 Migrated access token for native app 2023 2018 Started developing authorization server Initial purpose is for 3rd parties authorization 

11 Desired architecture Token issuing and verifying are done by authorization server PFAT: Platform Access Token 

12 Consideration points ● Authentication and token issuing process ● Solutions for various request patterns ● Specifications ○ OAuth 2.0 for Native Apps ○ OpenID Connect Native SSO for Mobile Apps 1.0 ○ OAuth 2.0 Token Exchange ○ Implementing App-to-App Authorisation in OAuth2/OpenID Connect ○ OAuth 2.0 Security Best Current Practice ○ … 

13 Authentication and token issuing process ● Use in-app browser as the user-agent and store authentication session into cookie ○ So users don’t need to re-login in different webs/apps 

14 Request patterns 

15 Migration stories 

16 Already logged in users are able to do SSO without re-login Migration stories Support webview with better token management Authentication session should be alive if users keep using the app 02 03 01 

17 Already logged in users are able to do SSO without re-login 

18 Requirements ● Already logged in users should use new token ○ Directly exchanging old token to new token is one option ● Already logged in users are able to do SSO to other apps/webs ○ Need to create and store auth session to browser in Mercari app beforehand ● Asking users to re-login inside in-app browser is not acceptable ○ Users are already logged into native side ○ Need to inherit the auth session 

19 Seamless migration Create a short-lived credential (PoA) and pass to /authorize endpoint 

20 Support webview with better token management 

21 Webview is unavoidable ● Session is shared to the browser, so open every web page by external browser is basically feasible ● But using webview is still preferred in some cases ○ Better UI/UX (e.g. customizable header/footer) ○ Easier for information sharing between native and web 

22 Webview use cases 

23 Webview that get token from native Native performs a token exchange to obtain a less privileged token and send to webview 

24 Webview that get token from authorization server Mechanism didn’t change, but with better credential 

25 Authentication session should be alive if users keep using the app 

26 ● Users should be asked for re-login if don’t use the app for a period of time ○ Can be controlled by refresh token and authentication session expiry ○ Those expiry can’t be very long ● But if users keep using the app, the authentication should be kept alive ○ Be able to do SSO to other webs/apps ○ Authentication session needs to be extended Requirements 

27 ● Control authentication session expiry in server side ○ Cookie expiry needs to be set to long value ● Extend session when native app refresh token is used Solution 

28 Some browsers have limit of cookie lifetime ● E.g. Chrome only allow 400 days as max ● Not resolved yet Challenge 

29 Migration result 

30 Migration result ● The access token used in Mercari app has been migrated to new one in recent app versions ● For iOS, final milestone was released. ○ You can try Sign in with Passkeys! ● Android final milestone will be released soon. 

31 Migration result - achievements ● Able to proceed projects that prevented by old spec ● The token issuing and verification is independent from an old monolith ● Token expiration and permission were set more properly ● Authentication sessions is shared, reduced the number of re-login failed error ● Easier to improve or extend authentication feature 

32 Thank you for listening!