Auth Team Introduction

TIER IV Auth Team

Auth Team

01 About Auth Team 02 What Auth Team Does 03 Technology Stack Table of Content

About Auth Team 01

TIER IV Team Objectives The team is dedicated to delivering secure authentication and authorization services for end-users and Web.Auto developers. We offer a streamlined system for effortless and accurate permission management for all users. Building an identity service Establishing a secure authorization system Providing fine-grained permission management

TIER IV Culture Small team, big output Committed to OSS, grow with OSS Specialized in authentication/authorization, while also adept at managing other cross-cutting systems Dedicated to continuous improvements improvement for implementation and development environment Enthusiastic about exploring modern technologies from small

TIER IV About Us Tech Blog Presentation Auth Team Our People

What Auth Team Does 02

TIER IV Modern Systems at Unique SaaS Modern technology stack with minimal legacy constraints Utilizing cutting-edge tools like the Go language and AWS ECS Supporting Web.Auto micro-services Platform standing out as a unique B2B SaaS solution Offering a tailored experience not limited to web interfaces alone Getting each vehicle its own distinct identity Systems serving both developers and end-users Designing fine-grained access control at autonomous driving systems

TIER IV The team is responsible for the maintenance of the flow in the infographic, which outlines the steps to launch a Web.Auto Authentication & Authorization service. First, the user accesses a Web.Auto service, such as the frontend app. This triggers the authorization code flow. Once the user signs into their TIER IV account, the frontend app obtains the access token and ID token. Next, the frontend app requests a token exchange from Web.Auto auth for its access token. With this token, the frontend app can then utilize any Web.Auto APIs. 01 Authorization Code Flow Frontend App Identity Provider/OpenID Provider (Relying Party) AWS Cognito TIER IV Account (For Vehicle) (For Person) 02 Token Request 04 API Request (Token Exchange) 03 Check Subject With Access Token Service API Web.Auto Auth (Authorization Server) (Resource Server) 05 Token Assertion Auth Team

Account Identity Provider & OpenID Provider

TIER IV Single Sign-On The TIER IV account serves as an account service, facilitating seamless single sign-on access. 01 Login and Get IdP Access Token TIER IV Account 02 Exchange IdP Access Token and Web.Auto Access Token Web.Auto Auth (Authorization Server) Users sign in to Web.Auto services using TIER IV account. Web.Auto Service A 03 Use Services with Web.Auto Access Token Web.Auto Service B Auth Team

TIER IV Build with Ory’s OSS Stack The TIER IV account is powered by Ory's open source solutions. ory/kratos (IdP) Architecture of TIER IV account ory/oathkeeper tier4/poseidon (IAP) (in-house Implementation) ory/hydra (OpenID Provider) Auth Team

Auth Permission Management & Authorization for All Web.Auto APIs

TIER IV Token Exchange Using Web.Auto Auth, we have established a process that exchanges access tokens or ID tokens issued by TIER IV accounts and AWS Cognito. This means our Web.Auto systems are free from the complexities of managing authenticators. 01 Authorization Code Flow Frontend App Identity Provider/OpenID Provider (Relying Party) AWS Cognito TIER IV Account (For Vehicle) (For Person) 02 Token Request (Token Exchange) 03 Check Subject Web.Auto Auth Service API (Authorization Server) (Resource Server) Auth Team

TIER IV Client Credentials Grant Web.Auto Auth also supports client credentials grant. App Identity Provider/OpenID Provider (Relying Party) AWS Cognito TIER IV Account (For Vehicle) (For Person) 01 Client Credentials Flow Web.Auto Auth Service API (Authorization Server) (Resource Server) Auth Team

TIER IV Token Assertion We ensure that Web.Auto Auth simplifies token scope authorization for Web.Auto services by providing a token assertion API for effortless verification of a token's permissions, thus mitigating the complexities of parsing scope strings. Frontend App Identity Provider/OpenID Provider (Relying Party) AWS Cognito TIER IV Account (For Vehicle) (For Person) 01 API Request With Access Token Web.Auto Auth Service API (Authorization Server) (Resource Server) 02 Token Assertion “Does this token have the permission?” “Can this project use the feature?” “Is this app usable in the project?” Auth Team

TIER IV We enable fine-grained permission management, where users can manage permissions through roles and Role Based Access Control (RBAC) groups, utilizing Role-Based Access Control (RBAC). Importantly, the organization and project structures embody separate yet distinct permission management systems within Web.Auto. Organization Owner Project Owner Organization Project Resource Group Role Resource Resource Auth Team

TIER IV Feature Toggle Beyond user permissions, we provide feature toggles tailored to each project, ensuring that features are activated based on contracts and deactivated when not in use within a project. Project Owner 02 Disable Features We don't use the feature in our project. Web.Auto Auth Token Assertion “Can this project use the feature?” (Authorization Server) Service API (Resource Server) 01 Enable Features Contract Auth Team

TIER IV Client Application Permission We use client application permissions to enable API usage while restricting the application's access in specific scenarios. Frontend App (Client Application) API Request This flow is taken in cases where users can use the API Token Assertion Web.Auto Auth “Is this app usable in the project?” (Authorization Server) in the project but cannot use the frontend app. 01 Enable Client Application Contract Auth Team With Access Token Service API (Resource Server)

Contract Contract Management

TIER IV Manage Service Quotas We go beyond mere authentication and authorization, taking responsibility for building essential systems like the contract management system, relieving other teams of this burden. Enable Features Enable Client Application Contract Web.Auto Auth (Authorization Server) Contract Manager Set Service Quotas ex. “How many vehicles can they make in this project?” Web.Auto Service A Auth Team

Technology Stack 03

TIER IV Tech Stack We mainly rely on the Go language for our server applications. We also utilize TypeScript and Python for certain SDKs and tools to align with the preferences of other teams. Auth Team Fargate Lambda Batch Aurora DynamoDB X-Ray

TIER IV CONTACT US https://tier4.jp/careers/ THANK YOU Auth Team

• https://tier4.jp/careers/