grpc-java: How to do mutual authentication?


acha...@brightcove.com

Jan 29, 2016, 3:11:43 PM
to grpc.io

Hi,

I am building a grpc service that I would like to ensure that only authenticated clients can access. I have been looking at samples and can't find any good examples of doing it. Could someone point me to some examples or docs that may help me set up client auth?

My client code looks like this and I am trying to figure out how/where to specify the client SSL private key.

    File certChain = Utils.resolvePath(sslCertChainPath);
    SslContext sslContext = GrpcSslContexts.forClient()
        .trustManager(certChain)
        .build();
    return NettyChannelBuilder.forAddress(host, port)
        .negotiationType(NegotiationType.TLS)
        .sslContext(sslContext)
        .build();

Eric Anderson

Jan 29, 2016, 5:01:42 PM
to acha...@brightcove.com, grpc.io
keyManager is the method you are looking for on SslContext. And if you have a Netty server as well, then clientAuth is another method in SslContext that you want.

You only need to set the trustManager on the client if the server's certificate isn't signed by a normal CA (which has nothing to do with client certificates). Since client certificates are commonly signed by a "fake" CA, then it would be common to specify trustManager on the server-side to verify the client certificates.

You might have a look at our client auth test, and you should be aware of a bug when using tcnative and Netty where the clientAuth() method didn't work. Jetty ALPN works fine. That bug has been fixed upstream, but grpc-java isn't yet compatible with that new version; we expect to be for the 0.13 release scheduled for two weeks. Only the server-side was broken.

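The setup described in the reply above, as an added example that is not part of the original thread or of the grpc-java project's own code: both sides of a mutually authenticated channel, using keyManager, trustManager and clientAuth on Netty's SslContextBuilder. It assumes the unshaded grpc-netty artifact (io.grpc.netty and io.netty packages); the class name, method names and file parameters are hypothetical.

```java
import io.grpc.BindableService;
import io.grpc.ManagedChannel;
import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NegotiationType;
import io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import java.io.File;
import java.io.IOException;

// Hypothetical helper class; all file arguments are PEM files supplied by the caller.
public final class MutualTlsExample {

  // Client side: verifies the server and presents its own certificate.
  static ManagedChannel clientChannel(String host, int port, File serverCaCert,
      File clientCertChain, File clientKey) throws IOException {
    SslContext ctx = GrpcSslContexts.forClient()
        // Needed only when the server certificate is not signed by a CA
        // already in the default trust store.
        .trustManager(serverCaCert)
        // Client certificate chain plus its private key (PKCS#8, PEM encoded).
        .keyManager(clientCertChain, clientKey)
        .build();
    return NettyChannelBuilder.forAddress(host, port)
        .negotiationType(NegotiationType.TLS)
        .sslContext(ctx)
        .build();
  }

  // Server side: presents its certificate and rejects any handshake that
  // lacks a client certificate chaining to clientCaCert.
  static Server startServer(int port, File serverCertChain, File serverKey,
      File clientCaCert, BindableService service) throws IOException {
    SslContext ctx = GrpcSslContexts.forServer(serverCertChain, serverKey)
        // CA that issued the client certificates (often a private CA).
        .trustManager(clientCaCert)
        // REQUIRE fails the handshake without a valid client certificate;
        // OPTIONAL would request one but still accept anonymous clients.
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    return NettyServerBuilder.forPort(port)
        .sslContext(ctx)
        .addService(service)
        .build()
        .start();
  }
}
```

To check the server setting, connect with a channel built without keyManager and confirm that calls fail at the TLS handshake rather than reaching the service.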
