Using OAuth over TLS GRPC Golang server and client examples

[Aakarshit Naga Sai Batchu]

grpc-go has a library credentials/oauth. Link provided below

https://godoc.org/google.golang.org/grpc/credentials/oauth

Can anyone write a Simple Golang GRPC Server and Client program using OAuth over TLS for security?

[Evan Jones]

Clients that talk to Google using an OAuth credential are pretty straightforward, see the following document for sample code of how to use it.

https://github.com/grpc/grpc-go/blob/master/Documentation/grpc-auth-support.md

If you want to create a *server* that uses Google OAuth tokens, or OAuth from some other authority, you are going to need to write some code, and it seems fairly complicated. I investigated some alternatives, but they ended up requiring a fair amount of fiddling with keys. Since I was hoping to avoid that, I'm now using a stupid "shared secret" authentication mechanism which is good enough for my application for the moment.

Some stuff that I think can work, but which require some work:

* Client A gets an OAuth Access token from Google, with some scopes, and passes it to Service B. Service B then can pass that token to Google to use the service, on behalf of Client A. I think this will "just work" with the NewApplicationDefault credentials. On the server, you'll have to dig the token out of the Metadata "authentication" header

* Client A does the work to create a signed OAuth JWT token, and pass it to Service B. Service B can then verify Client A's identity by verifying the OAuth JWT. There are some Python code examples buried in Google Cloud Endpoints and Google Cloud IAP Proxy that explain how this can work:

https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc

https://cloud.google.com/iap/docs/authentication-howto

If you want a server that uses token from some other authority, you are definitely going to need to glue together the various JWT/OAuth implementations into GRPC.

I hope this helps. Let me know if you figure out anything easy here,

Evan

[Evan Jones]

I forgot to add: I'd recommend using your own self-signed TLS client and server certificates for authentication, if you can. That is probably the mostly clearly supported option across all gRPC implementations, IMO. There is easy sample code available for all languages.