I'm using implementation("net.devh:grpc-spring-boot-starter:3.1.0.RELEASE") library to do Grpc work in my java application.
I followed the documentation to implement Authentication, implementing GrpcAuthenticationReader and AuthenticationProvider
@Bean
public JwtGrpcAuthenticationReader jwtAuthenticationReader() {
log.info("Initializing jwtAuthenticationReader...");
return new JwtGrpcAuthenticationReader();
}
@Bean
public JwtGrpcAuthenticationProvider jwtAuthenticationProvider() {
log.info("Initializing jwtAuthenticationProvider...");
return new JwtGrpcAuthenticationProvider(secretManagerService);
}
@Bean
AuthenticationManager authenticationManager() {
final List<AuthenticationProvider> providers = new ArrayList<>();
providers.add(jwtAuthenticationProvider());
return new ProviderManager(providers);
}
@Bean
GrpcAuthenticationReader authenticationReader() {
final List<GrpcAuthenticationReader> readers = new ArrayList<>();
readers.add(jwtAuthenticationReader());
return new CompositeGrpcAuthenticationReader(readers);
}
Now the problem is that every request is under authentication. How can I leave one out to get a token to then call other services?
I sow that I can implement also
public class JwtAuthInterceptor implements ServerInterceptor {
private static final Metadata.Key<String> AUTHORIZATION_KEY =
Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
@Override
public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
String token = headers.get(AUTHORIZATION_KEY);
if (token == null || !token.startsWith("Bearer ")) {
call.close(Status.UNAUTHENTICATED.withDescription("Missing or invalid token"), new Metadata());
return new ServerCall.Listener<>() {};
}
try {
String jwt = token.substring(7);
JwtUtil.validateToken(jwt); // Validate token
return next.startCall(call, headers);
} catch (JWTVerificationException e) {
call.close(Status.UNAUTHENTICATED.withDescription("Invalid token"), new Metadata());
return new ServerCall.Listener<>() {};
}
}
}
So maybe there I can skip some service/method.
Does anyone knows how to proceed? I don't see any method in the Provider or Reader useful
For the moment I exposed a rest service to get the token is this good?
I'm using implementation("net.devh:grpc-spring-boot-starter:3.1.0.RELEASE") library to do Grpc work in my java application.
I followed the documentation to implement Authentication, implementing GrpcAuthenticationReader and AuthenticationProvider
@Bean
public JwtGrpcAuthenticationReader jwtAuthenticationReader() {
log.info("Initializing jwtAuthenticationReader...");
return new JwtGrpcAuthenticationReader();
}
@Bean
public JwtGrpcAuthenticationProvider jwtAuthenticationProvider() {
log.info("Initializing jwtAuthenticationProvider...");
return new JwtGrpcAuthenticationProvider(secretManagerService);
}
@Bean
AuthenticationManager authenticationManager() {
final List<AuthenticationProvider> providers = new ArrayList<>();
providers.add(jwtAuthenticationProvider());
return new ProviderManager(providers);
}
@Bean
GrpcAuthenticationReader authenticationReader() {
final List<GrpcAuthenticationReader> readers = new ArrayList<>();
readers.add(jwtAuthenticationReader());
return new CompositeGrpcAuthenticationReader(readers);
}
Now the problem is that every request is under authentication. How can I leave one out to get a token to then call other services?
I sow that I can implement also
public class JwtAuthInterceptor implements ServerInterceptor {
private static final Metadata.Key<String> AUTHORIZATION_KEY =
Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
@Override
public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
String token = headers.get(AUTHORIZATION_KEY);
if (token == null || !token.startsWith("Bearer ")) {
call.close(Status.UNAUTHENTICATED.withDescription("Missing or invalid token"), new Metadata());
return new ServerCall.Listener<>() {};
}
try {
String jwt = token.substring(7);
JwtUtil.validateToken(jwt); // Validate token
return next.startCall(call, headers);
} catch (JWTVerificationException e) {
call.close(Status.UNAUTHENTICATED.withDescription("Invalid token"), new Metadata());
return new ServerCall.Listener<>() {};
}
}
}
So maybe there I can skip some service/method.
Does anyone knows how to proceed? I don't see any method in the Provider or Reader useful
For the moment I exposed a rest service to get the token is this good?
Share Improve this question edited 2 days ago Pp88 asked 2 days ago Pp88Pp88 1,0841 gold badge9 silver badges27 bronze badges1 Answer
Reset to default 0The solution was under my nose. In the doc it's stated that if the Reader returns null the auth is skipped.
And in the ServerCall<?, ?> call you can get the full/bareMethodName
public class JwtGrpcAuthenticationReader implements GrpcAuthenticationReader {
private static final Metadata.Key<String> AUTHORIZATION_KEY =
Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
@Override
public @Nullable Authentication readAuthentication(ServerCall<?, ?> call, Metadata headers) throws AuthenticationException {
if (call.getMethodDescriptor().getFullMethodName().equals("com.exmple.pi.protobufpliancerules.services.ProductComplianceRuleService/DeleteComplianceRule")) {
return null;
}
var token = headers.get(AUTHORIZATION_KEY);
if (token == null || !token.startsWith("Bearer ")) {
throw new AuthenticationCredentialsNotFoundException("Missing token");
}
var jwtAuth = new JwtAuthentication(null);
jwtAuth.setToken(token.substring(7));
return jwtAuth;
}
}