
Authentication for internal communication in microservices

pospome
August 22, 2019


Slides from "Backend Engineer’s meetup ~マイクロサービスにおける認証認可基盤~" (authentication and authorization platforms for microservices).
https://connpass.com/event/142624/



Transcript

  1. Authentication for internal communication in microservices @pospome

  2. Name: pospome. Pronounced: "posupome". Twitter: @pospome. Specialty: application architecture; implementation patterns, DDD and the like are my strong points.

  3. Merpay Authentication Platform Team: the team that develops and operates authentication and authorization for Mercari and Merpay.

  4. I wrote a blog post about the Authentication Platform Team: https://www.pospome.work/entry/2019/06/12/125841

  5. Current state ・User account management and login processing are left to the respective teams. ・We do not manage Mercari and Merpay employees (joining, leaving) or SSO into tools via Okta; we do not do what would be called corporate IT. ・On security matters we consult the security team case by case. ・All other authentication and authorization is handled by the Authentication Platform Team.

  6. Concretely, what do we do? ・Provide authorization mechanisms such as OIDC to external parties. ・Provide an authentication mechanism for communication between internal microservices.

  7. This is what I talk about today ・Provide authorization mechanisms such as OIDC to external parties. ・Provide an authentication mechanism for communication between internal microservices.

  8. Current system architecture and request flow (diagram: Mercari app, partner site, 3rd party, 2nd party, Gateway, AuthorityService, XxxService, YyyService, Mercari API)
  9. The Authentication Platform Team develops and operates a microservice called AuthorityService, which provides ・authorization mechanisms such as OIDC for external parties ・an authentication mechanism for communication between internal microservices

  10. Request flows from clients fall broadly into two patterns (diagram as in slide 8)
  11. 1. The pattern that goes through the Mercari API (diagram as in slide 8)
  12. 2. The pattern that calls the microservices (diagram as in slide 8)
  13. What exactly does AuthorityService do when it receives a request? (diagram as in slide 8)
  14. What does AuthorityService do? 1. Validate requests coming from outside 2. Generate the internal-communication token used for internal calls

  15. What does AuthorityService do? 1. Validate requests coming from outside 2. Generate the internal-communication token used for internal calls

  16. ・Roughly speaking, it validates the access token and similar credentials carried by the request. ・AuthorityService cannot validate every request itself. ・Requests it cannot validate are handed to the microservice that is able to validate them. ・Requests that need no validation are not validated. ・Each microservice receives requests that have already been validated. (diagram: Mercari app, partner site, 3rd party, 2nd party, Gateway, AuthorityService, AaaService, BbbService, Mercari API)
  17. What does AuthorityService do? 1. Validate requests coming from outside 2. Generate the internal-communication token used for internal calls

  18. ・After validating the request from outside, AuthorityService generates an internal-communication token and returns it to the Gateway. ・The Gateway attaches the internal-communication token to the request and forwards it to each microservice. (diagram: Mercari app, partner site, 3rd party, 2nd party, Gateway, AuthorityService, AaaService, BbbService, XxxService, Mercari API; "returns the internal-communication token"; "request with the internal-communication token attached")
  19. ・Communication between microservices uses the internal-communication token. ・The internal-communication token is a different token from the one used on requests from outside. ・Each microservice validates the internal-communication token. (diagram: Mercari app, partner site, 3rd party, 2nd party, Gateway, AuthorityService, XxxService, YyyService, ZzzService, WwwService, Mercari API)
  20. This internal-communication token is what underpins communication between microservices.

  21. One request, one token ・AuthorityService generates one token per request. ・Each microservice validates the token carried in the request.

  22. The token that each microservice validates is the same one (diagram: Mercari app, partner site, 3rd party, 2nd party, Gateway, AuthorityService, XxxService, YyyService, ZzzService, WwwService, Mercari API)
  23. The internal token is a JWT ・Each microservice fetches the public key that AuthorityService provides and validates the token with it. ・Each microservice caches the public key, so it does not need to access AuthorityService in order to validate a token. ・Arbitrary values can be carried in the token.

  24. We provide an SDK for the internal token ・The SDK provided by the Authentication Platform Team is Go only ・Each microservice does not have to write the same logic itself

  25. What the internal-token SDK provides ・A gRPC interceptor and HTTP middleware that validate the internal token ・A convenient way to retrieve each claim of the internal token ・A mechanism that starts a goroutine to fetch the public key periodically and cache it inside the SDK

  26. SubjectID, which can represent several kinds of IDs ・The internal token carries an ID called SubjectID. ・Since there are several kinds of IDs, this mechanism lets them be handled in a single ID scheme. ・SubjectID is a string made up of a Type part and a Value part, e.g. mercari_app:100, partner_site:aaa. ・Each microservice can validate requests based on the Type and the Value.
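The mint-and-verify pair that slides 23 to 26 describe, as an added Go example (not the team's SDK and not code from the deck): AuthorityService signs one JWT per request carrying a SubjectID and internal scopes, and a microservice verifies it with the cached public key and no network call. The claim names, the EdDSA algorithm and the expiry handling are assumptions; the slides only say the token is a JWT checked against AuthorityService's published public key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// InternalClaims is a constructed claim set; the slides do not show the real claim names.
type InternalClaims struct {
	SubjectID      string   `json:"subject_id"`
	InternalScopes []string `json:"internal_scopes"`
	Exp            int64    `json:"exp"`
}
var (
	b64 = base64.RawURLEncoding
	// The header is pinned byte-for-byte, so a token with any other alg is rejected outright.
	hdr = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
)
// Mint is the AuthorityService side: one signed token (alg=EdDSA, RFC 8037) per request.
func Mint(priv ed25519.PrivateKey, c InternalClaims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	in := hdr + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in))), nil
}

// Verify is the microservice side: pub is the cached AuthorityService public key, so no
// call to AuthorityService is needed. It pins the header, checks signature and expiry.
func Verify(pub ed25519.PublicKey, token string, now int64) (c InternalClaims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != hdr {
		return c, errors.New("malformed token or unexpected alg")
	}
	sig, e := b64.DecodeString(parts[2])
	if e != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	if body, e := b64.DecodeString(parts[1]); e != nil || json.Unmarshal(body, &c) != nil {
		return InternalClaims{}, errors.New("bad payload")
	}
	if c.Exp <= now {
		return InternalClaims{}, errors.New("token expired")
	}
	return c, nil
}
func main() {} // the functions above are meant to be called from a test or a service
```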
  27. Access control between microservices ・Communication between microservices is internal, but rather than trusting it completely, appropriate access control is still required. ・For example, "in the payment use case, only TransactionService may be accessed". ・This prevents access that was never intended, caused by implementation mistakes or operational mistakes.

  28. What is an internal scope? ・Think of it as the internal-communication version of the authorization scopes used with OIDC and the like. ・A mechanism for controlling access between microservices. ・The internal token carries internal scopes.

  29. Internal scopes are defined against the resources each microservice owns. For example, if UserService owns a resource called User, it defines an internal scope "user". As a result, accessing UserService's User resource requires an internal token that carries the internal scope "user". (diagram: Mercari app, partner site, 3rd party, Gateway, AuthorityService, UserService, Mercari API; internal_scope="user")
  30. Currently, internal scopes are used only for requests from 3rd parties. The reason is that the access tokens issued to 3rd parties have authorization scopes attached. * The authorization scopes attached to the access token issued to a 3rd party are called external scopes. (diagram: Mercari app, partner site, 3rd party, Gateway, AuthorityService, UserService, Mercari API; external_scope="user")
  31. The external scope can be set as the internal scope as it is. (diagram: Mercari app, partner site, 3rd party, Gateway, AuthorityService, UserService, Mercari API; external_scope="user" → internal_scope="user"; the value of external_scope is set on the internal token as the internal scope)
  32. There are cases where the external scope and the internal scope do not match (diagram: Mercari app, partner site, 3rd party, Gateway, AuthorityService, Mercari API; external_scope="transaction"; TransactionService internal_scope="transaction"; UserService internal_scope="transaction")
  33. Every time the authorization scopes of external clients grow, each microservice also has to add to the scopes it accepts (diagram: Mercari app, partner site, 3rd party, Gateway, AuthorityService, Mercari API; external_scope="listing"; ListingService internal_scope="listing"; UserService internal_scope="listing", internal_scope="transaction", internal_scope="user")
  34. What it should look like (diagram: Mercari app, partner site, partner, Gateway, AuthorityService, Mercari API; external_scope="transaction"; TransactionService internal_scope="transaction"; UserService internal_scope="user")
  35. Why does this problem occur? External scopes → use-case based. Internal scopes → resource based.

  36. Solved by having AuthorityService manage a table that maps the two kinds of scope onto each other: external scope → internal scopes: user → user; transaction → transaction, user; listing → listing, user

  37. For external_scope="transaction", AuthorityService sets the corresponding internal scopes "transaction" and "user" on the internal token. This lets the internal token access both TransactionService and UserService. (diagram: Mercari app, partner site, 3rd party, Gateway, AuthorityService, Mercari API; external_scope=transaction ↓ internal_scope="transaction", "user"; TransactionService internal_scope="transaction"; UserService internal_scope="user")
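The scope mapping of slides 36 and 37 together with the resource-based, SubjectID-aware check of slides 26 to 29, as one added Go example (not AuthorityService's or the SDK's code): the mapping table holds the three rows from the slide, and the handler-side check is an assumed shape for what the SDK interceptor would do in front of a handler.

```go
package main

import "strings"

// ScopeMap is the mapping table AuthorityService keeps (the three rows from the slide):
// a use-case-based external scope expands to the resource-based internal scopes it needs.
var ScopeMap = map[string][]string{
	"user":        {"user"},
	"transaction": {"transaction", "user"},
	"listing":     {"listing", "user"},
}

// InternalScopes is the AuthorityService side: translate the external scopes on a
// 3rd-party access token into the internal scopes set on the internal token.
// External scopes missing from the table grant nothing; duplicates are collapsed.
func InternalScopes(externalScopes []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, ext := range externalScopes {
		for _, in := range ScopeMap[ext] {
			if !seen[in] {
				seen[in] = true
				out = append(out, in)
			}
		}
	}
	return out
}

// Authorize is the microservice side (what the SDK interceptor would do in front of a
// handler) for an already-verified internal token: the handler names the internal scope
// of the resource it serves and, optionally, the SubjectID types ("<type>:<value>") it
// accepts. It never has to know which external scope the caller originally held.
func Authorize(subjectID string, internalScopes []string, requiredScope string, allowedTypes ...string) bool {
	typ, _, ok := strings.Cut(subjectID, ":")
	if !ok {
		return false // malformed SubjectID
	}
	typeOK := len(allowedTypes) == 0
	for _, t := range allowedTypes {
		typeOK = typeOK || t == typ
	}
	scopeOK := false
	for _, s := range internalScopes {
		scopeOK = scopeOK || s == requiredScope
	}
	return typeOK && scopeOK
}

func main() {}
```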
  38. Other benefits of the internal-communication token ・Microservices only have to handle one kind of token. ・It prevents external clients from accessing microservices directly. ・It guarantees that the request has been validated by AuthorityService. ・It can be given a shorter expiry than the access token held by the external client.

  39. You may have gotten the impression that everything is in good shape, but there are still plenty of issues, so we will keep working on them (´・ω・`)

  40. The end