gitee.com/ks-custle/core-gm@v0.0.0-20230922171213-b83bdd97b62c/grpc/Documentation/grpc-auth-support.md

# Authentication

As outlined in the [gRPC authentication guide](https://grpc.io/docs/guides/auth.html) there are a number of different mechanisms for asserting identity between a client and a server. The code samples below show how to enable TLS for encryption and identity assertion, and how to pass OAuth2 tokens to services that support them.

# Enabling TLS on a gRPC client

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))
```

Passing `nil` as the certificate pool makes the client verify the server against the host's root CA set, and an empty server-name override means the name verified is the authority of the dial target. Pass an explicit `*x509.CertPool` when the server uses a private CA; never disable verification to work around a certificate error.

# Enabling TLS on a gRPC server

```Go
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
	log.Fatalf("Failed to load credentials: %v", err)
}
lis, err := net.Listen("tcp", ":0")
if err != nil {
	log.Fatalf("Failed to listen: %v", err)
}
server := grpc.NewServer(grpc.Creds(creds))
...
server.Serve(lis)
```

# OAuth2

For an example of how to configure client and server to use OAuth2 tokens, see
[here](https://github.com/grpc/grpc-go/tree/master/examples/features/authentication).

## Validating a token on the server

Clients may use
[metadata.MD](https://godoc.org/google.golang.org/grpc/metadata#MD)
to store tokens and other authentication-related data. To gain access to the
`metadata.MD` object, a server may use
[metadata.FromIncomingContext](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext).
With a reference to `metadata.MD` on the server, one simply looks up the
`authorization` key. Note that all keys stored within `metadata.MD` are normalized
to lowercase, so look up `authorization`, not `Authorization`. See [here](https://godoc.org/google.golang.org/grpc/metadata#New).

It is possible to configure token validation for all RPCs using an interceptor.
A server may configure either a
[grpc.UnaryInterceptor](https://godoc.org/google.golang.org/grpc#UnaryInterceptor)
or a
[grpc.StreamInterceptor](https://godoc.org/google.golang.org/grpc#StreamInterceptor).
A server that exposes both unary and streaming methods needs both interceptors; an
unprotected streaming method is otherwise reachable without a token.

## Adding a token to all outgoing client RPCs

To send an OAuth2 token with each RPC, a client may configure the
`grpc.DialOption`
[grpc.WithPerRPCCredentials](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials).
Alternatively, a client may also use the `grpc.CallOption`
[grpc.PerRPCCredentials](https://godoc.org/google.golang.org/grpc#PerRPCCredentials)
on each invocation of an RPC.

To create a `credentials.PerRPCCredentials`, use
[oauth.NewOauthAccess](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess).
Note that the OAuth2 implementation of `credentials.PerRPCCredentials` reports
`RequireTransportSecurity() == true`, so a client must also use
[grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials);
`grpc.Dial` refuses to combine these credentials with an insecure connection,
which prevents the bearer token from ever being transmitted in the clear.

# Authenticating with Google

## Google Compute Engine (GCE)

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))
```

## JWT

```Go
jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope)
if err != nil {
	log.Fatalf("Failed to create JWT credentials: %v", err)
}
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))
```
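The "Validating a token on the server" section above describes the check an interceptor performs but shows no code for it. The following is an added example, not code from grpc-go or from this repository, of the server-side validation logic: it pulls the bearer token out of the lowercase `authorization` key of incoming metadata, rejects ambiguous or malformed headers, and compares the token in constant time. It uses only the standard library so it runs stand-alone; `metadata.MD` is defined as `map[string][]string`, so the map returned by `metadata.FromIncomingContext` can be passed to `authorize` directly. The function names (`bearerToken`, `authorize`, `staticToken`), the error values and the sample token are all this example's own assumptions, and the static-token validator stands in for whatever introspection or signature check a real OAuth2 deployment performs.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Errors an interceptor maps to status.Error(codes.Unauthenticated, ...).
var (
	ErrNoMetadata      = errors.New("no incoming metadata")
	ErrNoAuthorization = errors.New("authorization header missing")
	ErrAmbiguousHeader = errors.New("multiple authorization headers")
	ErrBadScheme       = errors.New("authorization scheme is not Bearer")
	ErrEmptyToken      = errors.New("empty bearer token")
	ErrInvalidToken    = errors.New("invalid token")
)

// bearerToken extracts the bearer token from incoming metadata. Keys in
// metadata.MD are already lowercase (HTTP/2 header names are lowercase on the
// wire), so "authorization" is the only key that needs to be looked up.
func bearerToken(md map[string][]string) (string, error) {
	if md == nil {
		return "", ErrNoMetadata
	}
	values := md["authorization"]
	switch len(values) {
	case 0:
		return "", ErrNoAuthorization
	case 1:
	default:
		// Two tokens on one request is a sign of confusion or smuggling;
		// refuse rather than silently pick one of them.
		return "", ErrAmbiguousHeader
	}
	// RFC 6750: the scheme name is case-insensitive, the token itself is not.
	scheme, token, _ := strings.Cut(values[0], " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return "", ErrBadScheme
	}
	token = strings.TrimSpace(token)
	if token == "" {
		return "", ErrEmptyToken
	}
	return token, nil
}

// Validator checks a presented token. A real OAuth2 deployment would
// introspect the token or verify its signature, issuer, audience and expiry.
type Validator interface {
	Validate(token string) error
}

// staticToken is the simplest possible Validator: a single shared secret.
type staticToken string

func (s staticToken) Validate(token string) error {
	// Constant-time comparison: an early-exit byte compare leaks how many
	// leading bytes of the secret a caller has guessed correctly.
	if subtle.ConstantTimeCompare([]byte(token), []byte(s)) != 1 {
		return ErrInvalidToken
	}
	return nil
}

// authorize is the check a grpc.UnaryInterceptor or grpc.StreamInterceptor
// runs before invoking the handler; on error the interceptor returns
// status.Error(codes.Unauthenticated, err.Error()) instead of calling it.
func authorize(md map[string][]string, v Validator) error {
	token, err := bearerToken(md)
	if err != nil {
		return err
	}
	return v.Validate(token)
}

func main() {
	// Constructed sample credential and requests; not a real token.
	v := staticToken("s3cr3t-example-token")
	requests := []map[string][]string{
		{"authorization": {"Bearer s3cr3t-example-token"}},
		{"authorization": {"bearer s3cr3t-example-token"}},
		{"authorization": {"Bearer wrong"}},
		{"authorization": {"Basic dXNlcjpwYXNz"}},
		{"authorization": {"Bearer a", "Bearer b"}},
		{"content-type": {"application/grpc"}},
		nil,
	}
	for _, md := range requests {
		fmt.Printf("%v -> %v\n", md, authorize(md, v))
	}
}
```

Wiring this into a server is a matter of calling `authorize(md, v)` with the `md` from `metadata.FromIncomingContext(ctx)` at the top of both a `grpc.UnaryInterceptor` and a `grpc.StreamInterceptor` (the stream interceptor takes the context from `ss.Context()`), and returning `codes.Unauthenticated` on any error before the handler runs.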