Authentication in gRPC


Vivek M

Jul 7, 2015, 5:08:38 PM
to grp...@googlegroups.com

Hi,

I have a gRPC endpoint in my server which would stream some protocol events to a client. My server has a built-in simple username/password scheme to authenticate any client connecting to it (be it telnet/ssh/web etc). And I would like to use the same for gRPC as well. And it should also be noted that this should happen only once when the client connects for the first time.

I found a key called "grpc.security_connector" with which we can plug in our auth filter. However, I am not 100% sure whether this is the approach to be taken or whether there is any better way to realize this. And if there is a way out, can I find any documentation on this?

TIA,
Vivek

Vivek M

Jul 8, 2015, 10:03:07 AM
to grp...@googlegroups.com
Folks,

Can you let me know if there is a way for this?

Thanks.

Craig Tiller

Jul 8, 2015, 10:35:23 AM
to Vivek M, grp...@googlegroups.com, jbo...@google.com


Julien Boeuf

Jul 8, 2015, 7:02:33 PM
to grp...@googlegroups.com, jbo...@google.com, vive...@gmail.com
Hi Vivek,

Thanks for your question. A few points (and I will assume that you're in C++ and that you want to do something like HTTP basic auth).

We try to discourage people from using username/passwd in general for authenticating to services. Passwords are not limited in time as opposed to other tokens (JWTs, OAuth2 access tokens), or bound to a particular service, and having these leak is usually catastrophic. Because of this, I don't intend to support basic auth in the gRPC code.

That being said, for your use case, you could do 2 things (one is straightforward but a little raw, the other is cleaner but support for it is lacking for now although coming soon).

1. Raw solution.
- On the client side, add some metadata call on the client context using AddMetadata. "Authorization" is the key and the value is "Basic" followed by base64(<username>:<passwd>).
- On the server side, just get the client_metadata from the server context, extract the Authorization one and check the username password.

2. Cleaner solution for which you will have to wait for some support.
- On the client side, create a new Credentials object that will automatically add the Authorization header for you. Right now it is not possible to do that in C++ but I'm planning to add this feature soon. You then set this Credentials object to your ClientContext or your Channel.
- On the server side, there is no support right now but you will soon be able to create your own AuthMetadataProcessor that will check the password and, in your case, populate the username in the AuthContext.

The advantage of 2 over 1 is that the application code does not have to deal with the inner details of the authentication mechanisms. However, support to do this is lacking for now but is expected probably by the end of the month.

Cheers,

    Julien.

Vivek M

Jul 9, 2015, 9:25:21 AM
to grp...@googlegroups.com, jbo...@google.com

Thanks Julien for the detailed reply.

Yes, I am using C++. I will try the first option now till the cleaner solution is in. BTW I have a few more clarifications required. Please confirm.

1) I assume the channel should be created with InsecureCredentials with just the metadata added in it.
2) I assume the authentication check will be per call basis and will not be one-time when the connection happens with the server. Is there a way to do it only once?

Thanks,
Vivek.

Julien Boeuf

Jul 9, 2015, 1:47:11 PM
to Vivek M, grp...@googlegroups.com
Hi Vivek,

No problem, please see inline for some more.

On Thu, Jul 9, 2015 at 6:25 AM, Vivek M <vive...@gmail.com> wrote:

> Thanks Julien for the detailed reply.
>
> Yes, I am using C++. I will try the first option now till the cleaner solution is in. BTW I have a few more clarifications required. Please confirm.
>
> 1) I assume the channel should be created with InsecureCredentials with just the metadata added in it.

Please use the SSL Credentials and not the InsecureCredentials. Otherwise, your channel will be completely unprotected: the traffic will be in the clear and anybody listening on the network will have access to the username/password. This would be very bad....

> 2) I assume the authentication check will be per call basis and will not be one-time when the connection happens with the server. Is there a way to do it only once?

Right. If you add the metadata for every call on the client, it will be received for every call on the server even with one connection (just like HTTP basic auth BTW). However, your server logic can be smart and cache the verification so that you don't have to hit your password DB for every single call. Note that on the server-side you cannot discriminate between connections because the ServerContext does not give you access to this information.

Does that make sense? 
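
The server-side check from the raw solution, together with the cached verification suggested in the reply above, as an added example that is not part of the original thread and is not gRPC code. It calls no gRPC API: `Metadata` and `PasswordCheck` are hypothetical stand-ins for the client metadata read from the server context and for the server's existing username/password check.

```cpp
#include <functional>
#include <map>
#include <set>
#include <string>

// Stand-in for the client metadata a handler reads from its server context (assumption).
using Metadata = std::multimap<std::string, std::string>;
// Stand-in for the server's existing username/password check (assumption).
using PasswordCheck = std::function<bool(const std::string&, const std::string&)>;

// Decode standard base64; false on any character outside the alphabet.
bool B64Decode(const std::string& in, std::string* out) {
  static const std::string kAlphabet =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  unsigned buf = 0, bits = 0;
  for (char c : in) {
    if (c == '=') break;  // padding ends the payload
    std::string::size_type pos = kAlphabet.find(c);
    if (pos == std::string::npos) return false;
    buf = (buf << 6) | static_cast<unsigned>(pos);
    if ((bits += 6) >= 8) out->push_back(static_cast<char>((buf >> (bits -= 8)) & 0xFF));
  }
  return true;
}

class BasicAuthChecker {
 public:
  explicit BasicAuthChecker(PasswordCheck check) : check_(check) {}
  // True and *user set when the call carries valid credentials; false means reject.
  bool Check(const Metadata& md, std::string* user) {
    if (md.count("authorization") != 1) return false;  // HTTP/2 header names are lowercase
    const std::string& v = md.find("authorization")->second;
    std::string decoded;
    if (v.compare(0, 6, "Basic ") != 0 || !B64Decode(v.substr(6), &decoded)) return false;
    std::string::size_type colon = decoded.find(':');
    if (colon == std::string::npos) return false;
    const std::string name = decoded.substr(0, colon);
    // Consult the password check only when this exact header was not verified
    // before. A production cache would key on a digest and expire entries.
    if (!verified_.count(v)) {
      if (!check_(name, decoded.substr(colon + 1))) return false;
      verified_.insert(v);
    }
    *user = name;
    return true;
  }
 private:
  PasswordCheck check_;
  std::set<std::string> verified_;
};
```

Because the cache is keyed on the whole header value, a changed or revoked password is only noticed once the cached entry is dropped, so entries need a lifetime.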

Vivek M

Jul 14, 2015, 9:24:54 AM
to grp...@googlegroups.com, vive...@gmail.com
Hi Julien,

Sorry for getting back late on this. My replies inline.



>> 1) I assume the channel should be created with InsecureCredentials with just the metadata added in it.
>
> Please use the SSL Credentials and not the InsecureCredentials. Otherwise, your channel will be completely unprotected: the traffic will be in the clear and anybody listening on the network will have access to the username/password. This would be very bad....

I very much agree. I will use SSL.

>> 2) I assume the authentication check will be per call basis and will not be one-time when the connection happens with the server. Is there a way to do it only once?
>
> Right. If you add the metadata for every call on the client, it will be received for every call on the server even with one connection (just like HTTP basic auth BTW). However, your server logic can be smart and cache the verification so that you don't have to hit your password DB for every single call. Note that on the server-side you cannot discriminate between connections because the ServerContext does not give you access to this information.

Ok, thanks for confirming. Lemme check this.
 
Thanks,
Vivek

shikhach...@gmail.com

Jan 7, 2016, 10:53:04 PM
to grpc.io
Hey Julien,

I need a similar sort of username/password support to the one Vivek is asking for. Is solution 2, which you refer to in the above discussion, available now in gRPC, or will it take a little more time?

- Thanks
Shikha

AK

Nov 17, 2016, 9:26:18 PM
to grpc.io, shikhach...@gmail.com
I am new to using gRPC and am looking for a similar authentication mechanism. It would be great if somebody could point me to some use cases or examples.

ke jiang

Mar 23, 2022, 11:01:33 PM
to grpc.io
Hi Julien,

Is solution 2 available now?

- Thanks
JK

sanjay...@google.com

May 25, 2022, 5:20:26 PM
to grpc.io