Conversation

@ootakazuhiko
Collaborator

Summary

  • document the proposed Google Workspace based SSO approach
  • outline passkey/MFA handling, session strategy, and data model stubs
  • describe optional Google Group sync via read-only Admin SDK access

Testing

  • not applicable

Copilot AI review requested due to automatic review settings November 5, 2025 09:08
Copilot AI left a comment

Pull Request Overview

This PR introduces a new authentication architecture document (in Japanese) for an ERP4 system. The document outlines a federated authentication design using Google Workspace as the identity provider with OpenID Connect, eliminating local password storage and enabling passwordless authentication via Passkey.

Key Changes:

  • Defines authentication flow using Google Workspace OIDC with Passkey/MFA support
  • Specifies RBAC model with Google Groups integration via Directory API sync
  • Establishes session management, audit logging, and security policies

- **Session length**: Initial setting of 12 hours per session with a 2-hour idle timeout, to be adjusted according to business requirements.
- **Storage method**: Server-side session management via HTTP-only cookie as the baseline. Issue short-lived JWTs for API calls and use refresh tokens where needed.
- **Audit log**: Record login success/failure, `amr`, Google `sub`, IP, and User-Agent. Audit log retention target is 2 years.
- **CSRF/XSS countermeasures**: Use SameSiteStrict cookies together with CSRF tokens. For SPAs, adopt the BFF pattern.
Copilot AI Nov 5, 2025

Missing space in 'SameSiteStrict' - should be 'SameSite Strict' or 'SameSite=Strict' for clarity.

Suggested change
- **CSRF/XSS countermeasures**: Use SameSiteStrict cookies together with CSRF tokens. For SPAs, adopt the BFF pattern.
- **CSRF/XSS countermeasures**: Use SameSite=Strict cookies together with CSRF tokens. For SPAs, adopt the BFF pattern.

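An added illustration of the session and audit policy the reviewed excerpt describes (not code from this PR or the ERP4 project): the 12-hour absolute and 2-hour idle limits, the HttpOnly/SameSite=Strict cookie, a per-session CSRF token check, and an audit entry carrying the listed fields. The cookie name `erp4_session`, the function names, and the reference clock `T0` are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Limits from the design excerpt: 12 h per session, 2 h idle timeout.
ABSOLUTE_LIFETIME = timedelta(hours=12)
IDLE_TIMEOUT = timedelta(hours=2)

T0 = datetime(2025, 11, 5, 9, 0, tzinfo=timezone.utc)  # constructed reference clock

def at(hours):
    """Clock helper for the example: T0 plus the given number of hours."""
    return T0 + timedelta(hours=hours)

@dataclass
class Session:
    sid: str          # opaque id carried in the cookie; state stays server-side
    google_sub: str   # Google `sub` claim from the ID token
    created_at: datetime
    last_seen: datetime
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def new_session(google_sub, now):
    return Session(secrets.token_urlsafe(32), google_sub, now, now)

def touch(session, now):
    """True (and refresh last_seen) while both limits hold; False once expired."""
    if now - session.created_at > ABSOLUTE_LIFETIME:
        return False
    if now - session.last_seen > IDLE_TIMEOUT:
        return False
    session.last_seen = now
    return True

def session_cookie(session):
    # HttpOnly keeps the id away from script (XSS), SameSite=Strict blocks
    # cross-site sends (CSRF), Secure keeps it off plaintext HTTP.
    return f"erp4_session={session.sid}; Path=/; HttpOnly; Secure; SameSite=Strict"

def csrf_ok(session, submitted_token):
    """Constant-time check of the per-session CSRF token sent with a request."""
    return secrets.compare_digest(session.csrf_token, submitted_token or "")

def audit_record(success, id_token_claims, ip, user_agent, now):
    """One audit-log entry with the fields the design lists."""
    return {"ts": now.isoformat(),
            "event": "login_success" if success else "login_failure",
            "sub": id_token_claims.get("sub"), "amr": id_token_claims.get("amr", []),
            "ip": ip, "user_agent": user_agent}
```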
@ootakazuhiko ootakazuhiko merged commit 69db81c into main Nov 10, 2025
6 checks passed