Kerberos support for gRPC?


alpha....@gmail.com

Jun 2, 2016, 6:13:48 PM
to grpc.io
Hi all,

I read that gRPC supports custom authentication methods and has OAuth2 and TLS support built-in. I wonder if gRPC can be made to support Kerberos? HTTP/2 is relatively new and so far from the W3C discussion there seems to be no support for Kerberos. I wonder if the custom authentication mechanism in gRPC will allow Kerberos?

Thanks!

Alpha

Eric Anderson

Jun 2, 2016, 6:52:08 PM
to alpha....@gmail.com, grpc.io
On Thu, Jun 2, 2016 at 3:13 PM, <alpha....@gmail.com> wrote:
> I read that gRPC supports custom authentication methods and has OAuth2 and TLS support built-in. I wonder if gRPC can be made to support Kerberos?

Mostly not.

> HTTP/2 is relatively new and so far from the W3C discussion there seems to be no support for Kerberos.

This is unsurprising given that the current Kerberos handshake for HTTP/1 doesn't really work in HTTP/2, and was even wonky in HTTP/1. Basically, it authenticates a connection and requires multiple requests/replies to complete. That makes it quite awkward in HTTP/2.

> I wonder if the custom authentication mechanism in gRPC will allow Kerberos?

The custom authentication is strongly targeted for individual request authentication on a secure channel. It does not support, for example, per-request MACs, which I'm pretty certain are necessary for Kerberos. HTTP standards that use MACs apply that MAC to the entire request, which is incompatible with gRPC streams. MACs are necessary when using unencrypted channels, but when using TLS they aren't necessary at the HTTP layer because TLS is doing them.