As outlined in the gRPC authentication guide, there are a number of different mechanisms for asserting identity between a client and a server. We'll present some code samples here demonstrating how to use TLS for encryption and identity assertions, as well as how to pass OAuth2 tokens to services that support them.
Enabling TLS on a gRPC client:

```go
// A nil certificate pool verifies the server against the system root CAs; the empty
// server-name override means the host in serverAddr is checked against the certificate.
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))
if err != nil {
	log.Fatalf("Failed to dial: %v", err)
}
defer conn.Close()
```
Enabling TLS on a gRPC server:

```go
// certFile and keyFile hold the PEM-encoded server certificate chain and its private key.
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
	log.Fatalf("Failed to generate credentials %v", err)
}
lis, err := net.Listen("tcp", ":0")
if err != nil {
	log.Fatalf("Failed to listen: %v", err)
}
server := grpc.NewServer(grpc.Creds(creds))
// ... register services on server here
if err := server.Serve(lis); err != nil {
	log.Fatalf("Failed to serve: %v", err)
}
```
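Both helpers are thin wrappers over a `crypto/tls` configuration: `credentials.NewServerTLSFromFile` loads the certificate and key pair into `tls.Config.Certificates`, and `credentials.NewClientTLSFromCert(cp, serverNameOverride)` sets `RootCAs` to `cp` (nil selects the system trust store) and `ServerName` to the override (empty means the host from the dial target). The following added example, which is not code from grpc-go, reproduces those two configurations with the standard library only and runs the handshake twice over loopback: once with a trust store that contains the server's certificate and once against the system store, which is what the `nil` argument above selects. The self-signed certificate and the function names `selfSignedCert`, `handshake` and `tlsDemo` are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate for "localhost".
// It is constructed here so the example runs offline; a real server loads the
// certFile/keyFile pair that credentials.NewServerTLSFromFile reads.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one TLS handshake over a loopback TCP connection. The server
// side is configured the way NewServerTLSFromFile configures it (a cert and
// key); the client side the way NewClientTLSFromCert(roots, "") does (RootCAs
// plus the server name from the dial target). roots == nil means the system
// trust store.
func handshake(cert tls.Certificate, roots *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}})
		srvErr <- s.Handshake()
		s.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	c := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: "localhost"})
	err = c.Handshake()
	if err == nil {
		err = <-srvErr // the server side must have completed as well
	}
	c.Close()
	return err
}

// tlsDemo returns the outcome of a handshake against a pool that contains the
// server's certificate (trusted) and against the system trust store (untrusted).
func tlsDemo() (trusted, untrusted error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return err, err
	}
	return handshake(cert, pool), handshake(cert, nil)
}

func main() {
	trusted, untrusted := tlsDemo()
	fmt.Println("trusted pool:", trusted)
	fmt.Println("system roots:", untrusted)
}
```

The second handshake fails with an unknown-authority error because the self-signed certificate chains to nothing the system trusts; this is the check that `NewClientTLSFromCert(nil, "")` performs on every connection, and the reason a server certificate must be issued by a CA the client's trust store contains (or the client must be given a pool that does, as the first handshake shows).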
For an example of how to configure client and server to use OAuth2 tokens, see here.
Clients may use `metadata.MD` to store tokens and other authentication-related data. To gain access to the `metadata.MD` object, a server may use `metadata.FromIncomingContext`. With a reference to `metadata.MD` on the server, one simply needs to look up the `authorization` key. Note that all keys stored within `metadata.MD` are normalized to lowercase. See here.

It is possible to configure token validation for all RPCs using an interceptor. A server may configure either a `grpc.UnaryInterceptor` or a `grpc.StreamInterceptor`.
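The server-side check described above, as an added example that is not code from grpc-go: it is written against the standard library only, so the local type `md` stands in for `metadata.MD` (whose underlying type is the same `map[string][]string`), `newMD` mirrors the lowercase key normalization that `metadata.New` applies, and `bearerToken`/`validateBearer` are constructed names. The expected-token comparison stands in for whatever the real validator does with the token.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// md stands in for metadata.MD here so the example runs without grpc-go;
// metadata.MD's underlying type is the same map[string][]string.
type md map[string][]string

// newMD mirrors the normalization metadata.New applies: every key is
// lowercased when the metadata is built, so "Authorization" and
// "authorization" end up under the same key.
func newMD(kv map[string]string) md {
	m := md{}
	for k, v := range kv {
		k = strings.ToLower(k)
		m[k] = append(m[k], v)
	}
	return m
}

var (
	errMissing   = errors.New("missing authorization metadata")
	errMalformed = errors.New("malformed authorization metadata")
	errInvalid   = errors.New("invalid token")
)

// bearerToken extracts the token from the "authorization" key. It requires
// exactly one value, so a request carrying two competing headers is rejected
// rather than silently using the first one.
func bearerToken(m md) (string, error) {
	vals := m["authorization"]
	switch {
	case len(vals) == 0:
		return "", errMissing
	case len(vals) != 1:
		return "", errMalformed
	}
	const scheme = "bearer "
	v := vals[0]
	if len(v) <= len(scheme) || !strings.EqualFold(v[:len(scheme)], scheme) {
		return "", errMalformed
	}
	tok := strings.TrimSpace(v[len(scheme):])
	if tok == "" {
		return "", errMalformed
	}
	return tok, nil
}

// validateBearer checks the presented token against the expected one in
// constant time. The static expected value stands in for whatever the real
// validator does (for example, verifying a JWT or introspecting the token).
func validateBearer(m md, expected string) error {
	tok, err := bearerToken(m)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(tok), []byte(expected)) != 1 {
		return errInvalid
	}
	return nil
}

func main() {
	const expected = "constructed-example-token"
	// Constructed sample metadata, as a client would attach it.
	for _, in := range []map[string]string{
		{"Authorization": "Bearer " + expected},
		{"authorization": "Bearer wrong-token"},
		{"authorization": "Basic dXNlcjpwYXNz"},
		{},
	} {
		m := newMD(in)
		// Looking up the original mixed-case key finds nothing; only the
		// lowercase key is populated.
		fmt.Printf("%v -> raw lookup %d value(s), validate: %v\n",
			in, len(m["Authorization"]), validateBearer(m, expected))
	}
}
```

Inside a `grpc.UnaryInterceptor` the same check reads the metadata with `md, ok := metadata.FromIncomingContext(ctx)` and, on any error, returns `status.Error(codes.Unauthenticated, err.Error())` before the handler runs; a `grpc.StreamInterceptor` does the same with `ss.Context()`. Because the map keys are lowercased at construction, a lookup of `"Authorization"` never matches, which is the point of the normalization note above.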
To send an OAuth2 token with each RPC, a client may configure the `grpc.DialOption` `grpc.WithPerRPCCredentials`. Alternatively, a client may also use the `grpc.CallOption` `grpc.PerRPCCredentials` on each invocation of an RPC.

To create a `credentials.PerRPCCredentials`, use `oauth.TokenSource`. Note that the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use `grpc.WithTransportCredentials` to prevent any insecure transmission of tokens.
Authenticating with Google from a Compute Engine instance, where `oauth.NewComputeEngine()` obtains tokens for the instance's service account:

```go
// Transport credentials are mandatory here: the OAuth2 per-RPC credentials refuse insecure connections.
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))
if err != nil {
	log.Fatalf("Failed to dial: %v", err)
}
defer conn.Close()
```
Authenticating with a service-account key file via JWT credentials:

```go
jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope)
if err != nil {
	log.Fatalf("Failed to create JWT credentials: %v", err)
}
// The per-RPC credentials attach a bearer token to every call; TLS is required because they report RequireTransportSecurity() == true.
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))
if err != nil {
	log.Fatalf("Failed to dial: %v", err)
}
defer conn.Close()
```