grpc/core/md_doc_server_side_auth.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.17"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>GRPC Core: Server-side API for Authenticating Clients</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectalign" style="padding-left: 0.5em;">
   <div id="projectname">GRPC Core
   &#160;<span id="projectnumber">15.0.0</span>
   </div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.17 -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
var searchBox = new SearchBox("searchBox", "search",false,'Search');
/* @license-end */
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(function() {
  initMenu('',true,false,'search.php','Search');
  $(document).ready(function() { init_search(); });
});
/* @license-end */</script>
<div id="main-nav"></div>
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
     onmouseover="return searchBox.OnSearchSelectShow()"
     onmouseout="return searchBox.OnSearchSelectHide()"
     onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>

<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0" 
        name="MSearchResults" id="MSearchResults">
</iframe>
</div>

</div><!-- top -->
<div class="PageDoc"><div class="header">
  <div class="headertitle">
<div class="title">Server-side API for Authenticating Clients </div>  </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p>NOTE: This document describes how server-side authentication works in C-core based gRPC implementations only. In gRPC Java and Go, server side authentication is handled differently. NOTE2: <code>CallCredentials</code> class is only valid for secure channels in C-Core. So, for connections under insecure channels, features below might not be available.</p>
<h1><a class="anchor" id="autotoc_md267"></a>
AuthContext</h1>
<p>To perform server-side authentication, gRPC exposes the <em>authentication context</em> for each call. The context exposes important authentication-related information about the RPC such as the type of security/authentication type being used and the peer identity.</p>
<p>The authentication context is structured as a multi-map of key-value pairs - the <em>auth properties</em>. In addition to that, for authenticated RPCs, the set of properties corresponding to a selected key will represent the verified identity of the caller - the <em>peer identity</em>.</p>
<p>The contents of the <em>auth properties</em> are populated by an <em>auth interceptor</em>. The interceptor also chooses which property key will act as the peer identity (e.g. for client certificate authentication this property will be <code>"x509_common_name"</code> or <code>"x509_subject_alternative_name"</code>).</p>
<p>WARNING: AuthContext is the only reliable source of truth when it comes to authenticating RPCs. Using any other call/context properties for authentication purposes is wrong and inherently unsafe.</p>
<h3><a class="anchor" id="autotoc_md268"></a>
Example AuthContext contents</h3>
<p>For secure channel using mutual TLS authentication with both client and server certificates (test certificates from this repository are used).</p>
<p>Populated auth properties: </p><div class="fragment"><div class="line">&quot;transport_security_type&quot;: &quot;ssl&quot;  # connection is secured using TLS/SSL</div>
<div class="line">&quot;x509_common_name&quot;: &quot;*.test.google.com&quot;  # from client&#39;s certificate</div>
<div class="line">&quot;x509_pem_cert&quot;: &quot;-----BEGIN CERTIFICATE-----\n...&quot;  # client&#39;s PEM encoded certificate</div>
<div class="line">&quot;x509_subject_alternative_name&quot;: &quot;*.test.google.fr&quot;</div>
<div class="line">&quot;x509_subject_alternative_name&quot;: &quot;waterzooi.test.google.be&quot;</div>
<div class="line">&quot;x509_subject_alternative_name&quot;: &quot;*.test.youtube.com&quot;</div>
<div class="line">&quot;x509_subject_alternative_name&quot;: &quot;192.168.1.3&quot;</div>
</div><!-- fragment --><p>The peer identity is set of all properties named <code>"x509_subject_alternative_name"</code>: </p><div class="fragment"><div class="line">peer_identity_property_name = &quot;x509_subject_alternative_name&quot;</div>
</div><!-- fragment --><h1><a class="anchor" id="autotoc_md269"></a>
AuthProperty</h1>
<p>Auth properties are elements of the AuthContext. They have a name (a key of type string) and a value which can be a string or binary data.</p>
<h1><a class="anchor" id="autotoc_md270"></a>
Auth Interceptors</h1>
<p>Auth interceptors are gRPC components that populate contents of the auth context based on gRPC's internal state and/or call metadata. gRPC comes with some basic "interceptors" already built-in.</p>
<p>WARNING: While there is a public API that allows anyone to write their own custom interceptor, please think twice before using it. There are legitimate uses for custom interceptors but you should keep in mind that as auth interceptors essentially decide which RPCs are authenticated and which are not, their code is very sensitive from the security perspective and getting things wrong might have serious consequences. If unsure, we strongly recommend to rely on official &amp; proven interceptors that come with gRPC.</p>
<h3><a class="anchor" id="autotoc_md271"></a>
Available auth interceptors</h3>
<ul>
<li>TLS/SSL certificate authentication (built into gRPC's security layer, automatically used whenever you use a secure connection)</li>
<li>(coming soon) JWT auth token authentication</li>
<li>more will be added over time</li>
</ul>
<h1><a class="anchor" id="autotoc_md272"></a>
Status (by language)</h1>
<p>C-core exposes low level API to access auth context contents and to implement an auth interceptor. In C++, the auth interceptor API is exposed as <code>AuthMetadataProcessor</code>.</p>
<p>A high level API to access AuthContext contents is available in these languages:</p><ul>
<li>C++</li>
<li>C# (implementation in-progress)</li>
<li>other languages coming soon </li>
</ul>
</div></div><!-- contents -->
</div><!-- PageDoc -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated on Wed Mar 3 2021 19:17:11 for GRPC Core by &#160;<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/>
</a> 1.8.17
</small></address>
</body>
</html>