# Authentication

In gRPC, authentication is abstracted as
[`credentials.PerRPCCredentials`](https://godoc.org/google.golang.org/grpc/credentials#PerRPCCredentials).
The identity it carries is usually also what the server bases its authorization
decisions on. Users can configure it on a per-connection basis or a per-call
basis.

The authentication example currently shows how to use OAuth 2.0 with gRPC.

## Try it

Run the server and the client in two terminals, server first:

```
go run server/main.go
```

```
go run client/main.go
```

## Explanation

### OAuth2

OAuth 2.0 is a widely used authorization framework, and with OpenID Connect
layered on top it also serves as an authentication mechanism. gRPC provides
convenient APIs for sending OAuth 2.0 access tokens with RPCs. Please refer to
the godoc for details:
https://godoc.org/google.golang.org/grpc/credentials/oauth

#### Client

On the client side, first obtain a valid OAuth 2.0 access token, then call
[`oauth.NewOauthAccess`](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess)
(in package `google.golang.org/grpc/credentials/oauth`) to wrap it in a
`credentials.PerRPCCredentials`. Current grpc-go releases mark
`NewOauthAccess` deprecated in favour of
[`oauth.TokenSource`](https://godoc.org/google.golang.org/grpc/credentials/oauth#TokenSource),
which wraps an `oauth2.TokenSource` and therefore obtains a fresh token when
the cached one expires; everything below applies to either.

To apply one credential to every RPC on a connection, pass it to `grpc.Dial`
with the `DialOption`
[`WithPerRPCCredentials`](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials).
To apply a credential to a single RPC only, pass it as the `CallOption`
[`PerRPCCredentials`](https://godoc.org/google.golang.org/grpc#PerRPCCredentials)
on that call.

Note that OAuth requires the underlying transport to be secure (e.g. TLS): the
credential's `RequireTransportSecurity()` method returns `true`, and `grpc.Dial`
refuses to create a connection that combines such a credential with an insecure
transport (configure TLS with `grpc.WithTransportCredentials` instead). A
bearer token sent in cleartext is as good as the password it replaces.

Inside grpc, the provided token is prefixed with its token type and a space
(`Bearer ` for OAuth 2.0 access tokens) and is then attached to the outgoing
metadata under the key `authorization`, i.e. `authorization: Bearer <token>`.

#### Server

On the server side, the token is usually extracted and verified in an
interceptor, before the method handler runs. To get the token, call
[`metadata.FromIncomingContext`](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext)
on the RPC's context. It returns the metadata map and a boolean that is `false`
when the context carries no metadata at all. Look up the key `authorization`
(grpc lower-cases metadata keys, so this is the key to use regardless of how
the client spelled it); the value is a slice of strings. For OAuth the slice
should contain exactly one element, a string in the format
`<token-type> + " " + <token>`. Strip the type prefix to obtain the token, then
verify it (signature and expiry for a JWT, or an introspection call for an
opaque token).

If the token is missing or invalid, return an error with error code
`codes.Unauthenticated`, e.g. `status.Error(codes.Unauthenticated, "invalid
token")`. Keep the message generic: do not echo the presented token back to the
caller or reveal which check failed.

If the token is valid, invoke the method handler to start processing the RPC.
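The following is an added, stand-alone example written for this page; it is not code from the grpc-go example directory. It exercises both halves of the exchange described above without importing grpc: `bearerCreds` has the same two methods as `credentials.PerRPCCredentials` and produces the same `authorization: Bearer <token>` metadata that `oauth.NewOauthAccess` does, while `authenticate` is the check a server interceptor would run on the map returned by `metadata.FromIncomingContext`. The token store, the sample tokens and the helper names (`toIncomingMD`, `newTokenStore`, `ErrUnauthenticated`) are all constructed for the example; a real interceptor would map `ErrUnauthenticated` to `status.Error(codes.Unauthenticated, ...)`.

```go
package main

import (
	"context"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// bearerCreds mirrors what oauth.NewOauthAccess returns. It has the same two
// methods as credentials.PerRPCCredentials, so a value of this type could be
// passed to grpc.WithPerRPCCredentials or grpc.PerRPCCredentials unchanged.
type bearerCreds struct {
	tokenType   string // "Bearer" for OAuth 2.0 access tokens
	accessToken string
}

// GetRequestMetadata is what grpc calls before every RPC; the map it returns
// is merged into the outgoing metadata.
func (b bearerCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	if b.accessToken == "" {
		return nil, errors.New("no access token available")
	}
	// The wire form grpc-go produces: "<token-type> <token>" under "authorization".
	return map[string]string{"authorization": b.tokenType + " " + b.accessToken}, nil
}

// RequireTransportSecurity returning true is what makes grpc refuse to use
// these credentials on a connection without transport security (e.g. TLS).
func (b bearerCreds) RequireTransportSecurity() bool { return true }

// ErrUnauthenticated is the failure an interceptor maps to
// status.Error(codes.Unauthenticated, ...). The text is deliberately generic:
// never echo the presented token back to the caller.
var ErrUnauthenticated = errors.New("invalid or missing token")

// tokenStore stands in for the real validator (token introspection, JWT
// signature check, ...). Keys are SHA-256 digests of the tokens, so lookups
// never compare raw secrets and a leaked copy of the store yields no tokens.
type tokenStore map[[32]byte]string // digest -> subject

// newTokenStore builds a store from constructed sample tokens (example only).
func newTokenStore(tokens map[string]string) tokenStore {
	s := make(tokenStore, len(tokens))
	for tok, subject := range tokens {
		s[sha256.Sum256([]byte(tok))] = subject
	}
	return s
}

// toIncomingMD converts per-RPC metadata into the shape the server sees from
// metadata.FromIncomingContext: map[string][]string with lower-cased keys.
func toIncomingMD(m map[string]string) map[string][]string {
	md := make(map[string][]string, len(m))
	for k, v := range m {
		k = strings.ToLower(k)
		md[k] = append(md[k], v)
	}
	return md
}

// authenticate is the check a server interceptor runs before the handler.
// It returns the subject the token belongs to, or ErrUnauthenticated.
func authenticate(store tokenStore, md map[string][]string) (string, error) {
	values := md["authorization"]
	// For OAuth exactly one value is expected; two credentials on one RPC is
	// ambiguous and is rejected rather than resolved by picking one.
	if len(values) != 1 {
		return "", ErrUnauthenticated
	}
	parts := strings.SplitN(values[0], " ", 2)
	// RFC 6750: the scheme name is case-insensitive, the token itself is not.
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || parts[1] == "" {
		return "", ErrUnauthenticated
	}
	subject, ok := store[sha256.Sum256([]byte(parts[1]))]
	if !ok {
		return "", ErrUnauthenticated
	}
	return subject, nil
}

func main() {
	// Constructed sample token; a real server would validate against an issuer, not a map.
	store := newTokenStore(map[string]string{"tok-alice-1234": "alice"})
	for _, c := range []bearerCreds{
		{"Bearer", "tok-alice-1234"}, {"bearer", "tok-alice-1234"},
		{"Bearer", "wrong"}, {"Basic", "tok-alice-1234"}, {"Bearer", ""},
	} {
		m, err := c.GetRequestMetadata(context.Background())
		if err != nil {
			fmt.Println("client side refused to send:", err)
			continue
		}
		subject, err := authenticate(store, toIncomingMD(m))
		fmt.Printf("%-24q -> subject=%q err=%v\n", m["authorization"], subject, err)
	}
}
```

The scheme comparison is case-insensitive because RFC 6750 defines it that way, but everything after the space is the token verbatim; a validator that trims or lower-cases the token accepts strings the issuer never minted.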