mirror of https://github.com/grpc/grpc.git
An overview auth document using c++ code exampoles. The code will be translated to other languages in subsequet pull requests.pull/3109/head
Abhishek Kumar
10 years ago
parent
afef83dcff
commit
18e24c8cca
1 changed files with 88 additions and 0 deletions
@ -0,0 +1,88 @@ |
||||
#gRPC Authentication support |
||||
|
||||
gRPC is designed to plug-in a number of authentication mechanisms. We provide an overview |
||||
of the various auth mechanisms supported, discuss the API and demonstrate usage through |
||||
code examples, and conclude with a discussion of extensibility. |
||||
|
||||
###SSL/TLS |
||||
gRPC has SSL/TLS integration and promotes the use of SSL/TLS to authenticate the server, |
||||
and encrypt all the data exchanged between the client and the server. Optional |
||||
mechanisms are available for clients to provide certificates to accomplish mutual |
||||
authentication. |
||||
|
||||
###OAuth 2.0 |
||||
gRPC provides a generic mechanism (described below) to attach metadata to requests |
||||
and responses. This mechanism can be used to attach OAuth 2.0 Access Tokens to |
||||
RPCs being made at a client. Additional support for acquiring Access Tokens while |
||||
accessing Google APIs through gRPC is provided for certain auth flows, demonstrated |
||||
through code examples below. |
||||
|
||||
###API |
||||
To reduce complexity and minimize API clutter, gRPC works with a unified concept of |
||||
a Credentials object. Users construct gRPC credentials using corresponding bootstrap |
||||
credentials (e.g., SSL client certs or Service Account Keys), and use the |
||||
credentials while creating a gRPC channel to any server. Depending on the type of |
||||
credential supplied, the channel uses the credentials during the initial SSL/TLS |
||||
handshake with the server, or uses the credential to generate and attach Access |
||||
Tokens to each request being made on the channel. |
||||
|
||||
###Code Examples |
||||
|
||||
####SSL/TLS for server authentication and encryption |
||||
This is the simplest authentication scenario, where a client just wants to |
||||
authenticate the server and encrypt all data. |
||||
|
||||
``` |
||||
SslCredentialsOptions ssl_opts; // Options to override SSL params, empty by default |
||||
// Create the credentials object by providing service account key in constructor |
||||
std::unique_ptr<Credentials> creds = CredentialsFactory::SslCredentials(ssl_opts); |
||||
// Create a channel using the credentials created in the previous step |
||||
std::shared_ptr<ChannelInterface> channel = CreateChannel(server_name, creds, channel_args); |
||||
// Create a stub on the channel |
||||
std::unique_ptr<Greeter::Stub> stub(Greeter::NewStub(channel)); |
||||
// Make actual RPC calls on the stub. |
||||
grpc::Status s = stub->sayHello(&context, *request, response); |
||||
``` |
||||
|
||||
For advanced use cases such as modifying the root CA or using client certs, |
||||
the corresponding options can be set in the SslCredentialsOptions parameter |
||||
passed to the factory method. |
||||
|
||||
|
||||
###Authenticating with Google |
||||
|
||||
gRPC applications can use a simple API to create a credential that works in various deployment scenarios. |
||||
|
||||
``` |
||||
std::unique_ptr<Credentials> creds = CredentialsFactory::DefaultGoogleCredentials(); |
||||
// Create a channel, stub and make RPC calls (same as in the previous example) |
||||
std::shared_ptr<ChannelInterface> channel = CreateChannel(server_name, creds, channel_args); |
||||
std::unique_ptr<Greeter::Stub> stub(Greeter::NewStub(channel)); |
||||
grpc::Status s = stub->sayHello(&context, *request, response); |
||||
``` |
||||
|
||||
This credential works for applications using Service Accounts as well as for |
||||
applications running in Google Compute Engine (GCE). In the former case, the |
||||
service account’s private keys are expected in file located at [TODO: well |
||||
known file fath for service account keys] or in the file named in the environment |
||||
variable [TODO: add the env var name here]. The keys are used at run-time to |
||||
generate bearer tokens that are attached to each outgoing RPC on the |
||||
corresponding channel. |
||||
|
||||
For applications running in GCE, a default service account and corresponding |
||||
OAuth scopes can be configured during VM setup. At run-time, this credential |
||||
handles communication with the authentication systems to obtain OAuth2 access |
||||
tokens and attaches them to each outgoing RPC on the corresponding channel. |
||||
Extending gRPC to support other authentication mechanisms |
||||
The gRPC protocol is designed with a general mechanism for sending metadata |
||||
associated with RPC. Clients can send metadata at the beginning of an RPC and |
||||
servers can send back metadata at the beginning and end of the RPC. This |
||||
provides a natural mechanism to support OAuth2 and other authentication |
||||
mechanisms that need attach bearer tokens to individual request. |
||||
|
||||
In the simplest case, there is a single line of code required on the client |
||||
to add a specific token as metadata to an RPC and a corresponding access on |
||||
the server to retrieve this piece of metadata. The generation of the token |
||||
on the client side and its verification at the server can be done separately. |
||||
|
||||
A deeper integration can be achieved by plugging in a gRPC credentials implementation for any custom authentication mechanism that needs to attach per-request tokens. gRPC internals also allow switching out SSL/TLS with other encryption mechanisms. |
||||
Loading…
Reference in new issue