| # Authentication |
| |
| As outlined in the [gRPC authentication guide](https://grpc.io/docs/guides/auth.html) there are a number of different mechanisms for asserting identity between an client and server. We'll present some code-samples here demonstrating how to provide TLS support encryption and identity assertions as well as passing OAuth2 tokens to services that support it. |
| |
| # Enabling TLS on a gRPC client |
| |
| ```Go |
| conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, ""))) |
| ``` |
| |
| # Enabling TLS on a gRPC server |
| |
| ```Go |
| creds, err := credentials.NewServerTLSFromFile(certFile, keyFile) |
| if err != nil { |
| log.Fatalf("Failed to generate credentials %v", err) |
| } |
| lis, err := net.Listen("tcp", ":0") |
| server := grpc.NewServer(grpc.Creds(creds)) |
| ... |
| server.Serve(lis) |
| ``` |
| |
| # OAuth2 |
| |
| For an example of how to configure client and server to use OAuth2 tokens, see |
| [here](https://github.com/grpc/grpc-go/tree/master/examples/features/authentication). |
| |
| ## Validating a token on the server |
| |
| Clients may use |
| [metadata.MD](https://godoc.org/google.golang.org/grpc/metadata#MD) |
| to store tokens and other authentication-related data. To gain access to the |
| `metadata.MD` object, a server may use |
| [metadata.FromIncomingContext](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext). |
| With a reference to `metadata.MD` on the server, one needs to simply lookup the |
| `authorization` key. Note, all keys stored within `metadata.MD` are normalized |
| to lowercase. See [here](https://godoc.org/google.golang.org/grpc/metadata#New). |
| |
| It is possible to configure token validation for all RPCs using an interceptor. |
| A server may configure either a |
| [grpc.UnaryInterceptor](https://godoc.org/google.golang.org/grpc#UnaryInterceptor) |
| or a |
| [grpc.StreamInterceptor](https://godoc.org/google.golang.org/grpc#StreamInterceptor). |
| |
| ## Adding a token to all outgoing client RPCs |
| |
| To send an OAuth2 token with each RPC, a client may configure the |
| `grpc.DialOption` |
| [grpc.WithPerRPCCredentials](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials). |
| Alternatively, a client may also use the `grpc.CallOption` |
| [grpc.PerRPCCredentials](https://godoc.org/google.golang.org/grpc#PerRPCCredentials) |
| on each invocation of an RPC. |
| |
| To create a `credentials.PerRPCCredentials`, use |
| [oauth.NewOauthAccess](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess). |
| Note, the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use |
| [grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials) |
| to prevent any insecure transmission of tokens. |
| |
| # Authenticating with Google |
| |
| ## Google Compute Engine (GCE) |
| |
| ```Go |
| conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine())) |
| ``` |
| |
| ## JWT |
| |
| ```Go |
| jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope) |
| if err != nil { |
| log.Fatalf("Failed to create JWT credentials: %v", err) |
| } |
| conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds)) |
| ``` |
| |