Guidance on implementing support for authenticated and secure client connections

chris....@gmail.com

Feb 7, 2018, 3:20:11 PM
to grpc.io
I'm looking into how to support client connections to disparate services using custom oAuth2 tokens. The services may or may not support SSL/TLS.

I have created a custom authenticator plugin following the sample code at https://grpc.io/docs/guides/auth.html.

I build my custom call credentials and store them using a CompositeChannelCredentials object:

auto call_creds = grpc::MetadataCredentialsFromPlugin(std::unique_ptr<grpc::MetadataCredentialsPlugin>(new MyCustomAuthenticator(accessToken)));

if (secure)
    mCredentials = grpc::CompositeChannelCredentials(grpc::SslCredentials(opts), call_creds);
else
    mCredentials = grpc::CompositeChannelCredentials(grpc::InsecureChannelCredentials(), call_creds);

However, I noticed during debugging that mCredentials is nullptr when connecting to a service that doesn't support SSL/TLS. It looks like CompositeChannelCredentials attempts to cast the InsecureChannelCredentials to SecureChannelCredentials, with this cast returning NULL.

Is there any documentation or sample code of how to make an authenticated call over an insecure channel? Is this something that's currently supported in the C++ API?

chris....@gmail.com

Feb 7, 2018, 6:04:42 PM
to grpc.io
I was able to get this working by simply calling AddMetadata on the client context to set the authorization header. This appears to work for both secure and insecure connections, so I'll go with this approach rather than using the custom authenticator.

Yang Gao

Feb 7, 2018, 6:51:52 PM
to chris....@gmail.com, grpc.io
I do not think we support that. Actually I think tokens are intentionally dropped if the channel is not secure to avoid leaking the tokens over the wire.

xy...@hortonworks.com

Nov 13, 2018, 1:36:03 PM
to grpc.io
This seems to be for gRPC C++ only. Similar classes like MetadataCredentialsFromPlugin or CompositeChannelCredentials do not exist in gRPC Java.

Benjamin Krämer

Nov 19, 2018, 10:13:40 AM
to grpc.io
Yang Gao is right, those get intentionally dropped. You should not work around that and send them over an unsecured medium if you are not absolutely sure this is no security risk, like when this application never gets in contact with the internet and only runs inside of a company network.
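Added example, not part of any post in this thread and not gRPC code: a guard that a client could call before setting the authorization header by hand with AddMetadata, so the fail-closed behaviour described above is kept on plaintext channels. The names TokenDecision, HostOf and MayAttachToken, the sample targets, and the policy of allowing plaintext only for local transports or explicitly listed hosts are all assumptions.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical helper names; none of this is gRPC API.
enum class TokenDecision { kAttach, kRefusePlaintext };

// Pull the host out of a channel target such as "dns:///api.example:443",
// "localhost:50051" or "[::1]:50051". Any "unix:" target yields "unix".
std::string HostOf(std::string target) {
  if (target.rfind("unix:", 0) == 0) return "unix";
  std::size_t scheme = target.find("://");
  if (scheme != std::string::npos) {  // drop "scheme://authority/"
    std::size_t slash = target.find('/', scheme + 3);
    if (slash == std::string::npos) return "";  // malformed, fails closed
    target = target.substr(slash + 1);
  }
  if (!target.empty() && target[0] == '[') {  // bracketed IPv6 literal
    std::size_t close = target.find(']');
    return close == std::string::npos ? "" : target.substr(1, close - 1);
  }
  return target.substr(0, target.rfind(':'));  // strip ":port" if present
}

// With TLS the token may go out. Without TLS it is allowed only for local
// transports or hosts the caller explicitly lists (assumed policy); exact
// string matches only, so "127.evil.example" is not treated as loopback.
TokenDecision MayAttachToken(const std::string& target, bool tls,
                             const std::set<std::string>& plaintext_ok) {
  if (tls) return TokenDecision::kAttach;
  const std::string host = HostOf(target);
  const bool local = host == "unix" || host == "localhost" ||
                     host == "127.0.0.1" || host == "::1";
  if (local || plaintext_ok.count(host) > 0) return TokenDecision::kAttach;
  return TokenDecision::kRefusePlaintext;
}

int main() {
  const std::set<std::string> internal = {"svc.corp.internal"};  // constructed
  for (const char* t : {"api.example:50051", "localhost:50051",
                        "dns:///svc.corp.internal:9000"}) {
    bool ok = MayAttachToken(t, /*tls=*/false, internal) == TokenDecision::kAttach;
    std::cout << t << " -> " << (ok ? "attach token" : "refuse") << "\n";
  }
}
```

Targets the parser does not recognise (for example an unbracketed IPv6 literal) produce a host that matches nothing, so the token is refused rather than sent.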