permit some services from custom authentication [need help]

[MetaiR]

I need help with custom authentication

I know we can use metadata and inspectors to support custom authorizations like basic authentication but how we can exclude some services from being authenticated in inspectors.

is there something like @PermitAll in JAX-RS (jersey framework implementation) which we can use and check the destination endpoint has this annotation or not in provider?

[dapengzhang0]

You can implement

CallCredentials#applyRequestMetadata(
    MethodDescriptor<?, ?> method, Attributes attrs, Executor appExecutor, MetadataApplier applier)

to differentiate the URI of services by MethodDescriptor, and use AbstractStub.withCallCredentials(CallCredentials credentials).

See https://grpc.io/grpc-java/javadoc/io/grpc/CallCredentials.html

[dapengzhang0]

For server side, use ServerInterceptor to inspect the request and apply authentication, and use ServerCall.getMethodDescriptor() to differentiate the URI of services.

[MetaiR]

@dapengzhang0 I saw Interceptor and Metadata example already but they were separated from each other, so is there any example about using these two for authorization matters available?

[dapengzhang0]

The metadata example does use interceptor together:
https://github.com/grpc/grpc-java/tree/master/examples/src/main/java/io/grpc/examples/header

The HeaderServerInterceptor.java in the example synthesizes the response headers, whereas your usecase is to inspect the request headers which is easier than the example. For authentication failure, in ServerInterceptor.interceptCall() method you can probably call

call.close(Status.UNAUTHENTICATED.withDescription("..."), new Metadata());
return next.startCall(call);

[MetaiR]

what is the cleanest way to ignore some services for authentication (like a service for registering users)? (could u please give me a small example? a very simple service for user registering and login with serverincepter can be awesome)

[dapengzhang0]

@MetaiR in the grpc library we don't have out of box high level tools like @PermitAll. Here's an example using interceptor (with pseudocod needAuthentication(), authnPassed()):

public class AuthenticationServerInterceptor implements ServerInterceptor {
  @Override
  public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
      ServerCall<ReqT, RespT> call,
      Metadata requestHeaders,
      ServerCallHandler<ReqT, RespT> next) {
    String methodName = call.getMethodDescriptor().getFullMethodName();
    if (needAuthentication(methodName) && !authnPassed(requestHeaders)) {
      call.close(Status.UNAUTHENTICATED.withDescription("..."), new Metadata());
    }
    return next.startCall(call);
  }
}

[MetaiR]

thanks a lot

[dapengzhang0]

An update on the example above: closing the call and then returning next.startCall does not populate Status.UNAUTHENTICATED to the client, because of a runtime exception thrown by next.startCall, so a graceful way is to return a noop listener instead:

if (needAuthentication(methodName) && !authnPassed(requestHeaders)) {
   call.close(Status.UNAUTHENTICATED.withDescription("..."), new Metadata());
   return new ServerCall.Listener() { 
      // noop for all the methods
   };
}
return next.startCall(call, requestHeaders);

[MetaiR]

can return null instead of a ServerCall Listener obj?
@dapengzhang0

[dapengzhang0]

@MetaiR the javadoc says must not return null.