Authentication best practices for gRPC

Charles Crain

Feb 9, 2017, 11:25:18 AM
to grpc.io
I am in the process of trying to implement gRPC into an existing microservice system based on HTTP.  We're trying to use grpc-gateway to bridge REST calls from a browser into back end gRPC services.  We have an existing token-based authentication mechanism that uses a JSON Web Token to represent a user session.  I am trying to figure out how best to pass this token around between gRPC services and how best to get it from HTTP land (from the browser or an external REST client) into gRPC.

I already found this, which seems to dance around my issue but is mostly client code examples without any treatment of how to get at auth token information from within a server.  The closest thing I found along these lines (I am using Scala, but there are equivalent examples in other languages) was this code sample, which uses something called an "interceptor" to get at the request headers.  The example just logs them to a file, but what I really want to do is make an asynchronous gRPC call into another service to get information about resource authorization and so forth, that varies based on what server method is being called (i.e. different server methods will require access to different resources).

In summary: how do I get at authentication information (particularly when present in gRPC headers) such that I can perform server-specific logic on it that may vary from method to method, and that may involve making gRPC calls into other services?  Secondarily, when making a gRPC call into another service from within a gRPC server, how do I ensure credentials are preserved across the call chain?

Thanks!

Carl Mastrangelo

Feb 21, 2017, 5:23:35 PM
to grpc.io
We don't have a strong opinion about how to pass credentials around; we leave the decision up to you.  Only the means to propagate it are provided.  Since you are using Scala, it likely means you are using the Java runtime.  In Java, Context is the way to pass this kind of information around.  You can extract credentials from the server side and put them in the context, and then put them back into the outgoing call using a client interceptor.

MoreCallCredentials shows an example of how to do authentication before the RPC is actually sent out, including refreshing tokens.
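The pattern Carl describes, applied to the JWT setup in the original question (a server interceptor copies the bearer token from the incoming headers into the grpc-java Context, and a client interceptor reads it back out of the Context when that server calls another service), as an added Java example that is not from this thread or from the gRPC project. The class name, `AUTH_HEADER`, `TOKEN_CTX` and the placement of JWT signature validation are assumptions; only the `io.grpc` types used are the library's own.

```java
import io.grpc.*;

/** Propagates a bearer token from an inbound call to outbound calls made while handling it. */
public final class TokenPropagation {
    // Wire header carrying the JWT, and the request-scoped Context slot it is parked in.
    static final Metadata.Key<String> AUTH_HEADER =
        Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);
    static final Context.Key<String> TOKEN_CTX = Context.key("jwt");

    /** Server side: reject calls with no token, else run the handler with the token in Context. */
    static final ServerInterceptor SERVER = new ServerInterceptor() {
        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
                ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            String auth = headers.get(AUTH_HEADER);
            if (auth == null || !auth.startsWith("Bearer ")) {
                call.close(Status.UNAUTHENTICATED.withDescription("missing bearer token"), new Metadata());
                return new ServerCall.Listener<ReqT>() {};  // no-op listener; the call is already closed
            }
            String token = auth.substring("Bearer ".length());
            // Assumption: the JWT signature and expiry are verified here before the token is trusted.
            // Per-method authorization can branch on call.getMethodDescriptor().getFullMethodName().
            Context ctx = Context.current().withValue(TOKEN_CTX, token);
            return Contexts.interceptCall(ctx, call, headers, next);
        }
    };

    /** Client side: attach the token found in the current Context to the outgoing call's headers. */
    static final ClientInterceptor CLIENT = new ClientInterceptor() {
        @Override
        public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
                MethodDescriptor<ReqT, RespT> method, CallOptions options, Channel next) {
            return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
                    next.newCall(method, options)) {
                @Override
                public void start(Listener<RespT> listener, Metadata headers) {
                    String token = TOKEN_CTX.get();  // null when not inside an authenticated server call
                    if (token != null) {
                        headers.put(AUTH_HEADER, "Bearer " + token);
                    }
                    super.start(listener, headers);
                }
            };
        }
    };

    // Wiring: ServerInterceptors.intercept(service, SERVER) on the server,
    //         ClientInterceptors.intercept(channel, CLIENT) on the outbound channel.
}
```

`TOKEN_CTX.get()` reads the Context attached to the calling thread, so work handed to another executor (the asynchronous lookup the question mentions) must run under `Context.current().wrap(...)` or `ctx.run(...)` for the token to still be visible there.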