2017-06-05 14:59:43 +00:00
# Authentication
2018-05-24 11:48:14 +00:00
As outlined in the [gRPC authentication guide ](https://grpc.io/docs/guides/auth.html ) there are a number of different mechanisms for asserting identity between an client and server. We'll present some code-samples here demonstrating how to provide TLS support encryption and identity assertions as well as passing OAuth2 tokens to services that support it.
2017-06-05 14:59:43 +00:00
# Enabling TLS on a gRPC client
```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))
```
# Enabling TLS on a gRPC server
```Go
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
log.Fatalf("Failed to generate credentials %v", err)
}
lis, err := net.Listen("tcp", ":0")
server := grpc.NewServer(grpc.Creds(creds))
...
server.Serve(lis)
```
2018-05-24 11:48:14 +00:00
# OAuth2
For an example of how to configure client and server to use OAuth2 tokens, see
[here ](https://github.com/grpc/grpc-go/blob/master/examples/oauth/ ).
## Validating a token on the server
Clients may use
[metadata.MD ](https://godoc.org/google.golang.org/grpc/metadata#MD )
to store tokens and other authentication-related data. To gain access to the
`metadata.MD` object, a server may use
[metadata.FromIncomingContext ](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext ).
With a reference to `metadata.MD` on the server, one needs to simply lookup the
`authorization` key. Note, all keys stored within `metadata.MD` are normalized
to lowercase. See [here ](https://godoc.org/google.golang.org/grpc/metadata#New ).
It is possible to configure token validation for all RPCs using an interceptor.
A server may configure either a
[grpc.UnaryInterceptor ](https://godoc.org/google.golang.org/grpc#UnaryInterceptor )
or a
[grpc.StreamInterceptor ](https://godoc.org/google.golang.org/grpc#StreamInterceptor ).
## Adding a token to all outgoing client RPCs
To send an OAuth2 token with each RPC, a client may configure the
`grpc.DialOption`
[grpc.WithPerRPCCredentials ](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials ).
Alternatively, a client may also use the `grpc.CallOption`
[grpc.PerRPCCredentials ](https://godoc.org/google.golang.org/grpc#PerRPCCredentials )
on each invocation of an RPC.
To create a `credentials.PerRPCCredentials` , use
[oauth.NewOauthAccess ](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess ).
Note, the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use
[grpc.WithTransportCredentials ](https://godoc.org/google.golang.org/grpc#WithTransportCredentials )
to prevent any insecure transmission of tokens.
2017-06-05 14:59:43 +00:00
# Authenticating with Google
## Google Compute Engine (GCE)
```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))
```
## JWT
```Go
jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope)
if err != nil {
log.Fatalf("Failed to create JWT credentials: %v", err)
}
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))
```