how to use logto for grpc apis? #5431

Closed
Gictorbit opened this issue Feb 25, 2024 · 8 comments

@Gictorbit

How can I use Logto to secure my gRPC APIs in Go?
I saw the API implementation using Golang and the Gin framework, but I would like to have an example of using Logto with gRPC and Golang.

@simeng-li
Contributor

@xiaoyijun do you mind taking a look at it?

@Gictorbit
Author

you might also check grpc-gateway
https://github.com/grpc-ecosystem/grpc-gateway

@xiaoyijun
Contributor

Hi @Gictorbit,
In web app frameworks, the user access token is passed by the HTTP request headers (Always Authorization header with Bearer <access_token> as its content).
In gRPC, you can retrieve the related header from the gRPC metadata (It's a supported feature, you can map HTTP headers to gRPC metadata, see Supported features).


@Gictorbit
Author

Gictorbit commented Mar 4, 2024

Hi @xiaoyijun,
Thank you for your response! I'm curious about Google OAuth. Does it utilize cookies or header tokens for authentication?
Could you please provide a code example using gRPC?

@xiaoyijun
Contributor

@Gictorbit
Using OAuth only helps you obtain a token; how you use the obtained token depends on you (it can be in the cookie or the auth header).
If you want to protect your gRPC API, simply validate the token you obtained when the API receives a request (refer to https://docs.logto.io/docs/recipes/protect-your-api/).

This is a code example from ChatGPT (Note the 'Todo' comments):

1. Client Code:

```go
package main

import (
	"context"
	"log"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
	"google.golang.org/grpc/metadata"

	pb "path/to/your/proto/package"
)

func main() {
	// Plaintext transport is for local testing only: a bearer token sent
	// without TLS can be read by anyone on the network path.
	conn, err := grpc.Dial("localhost:50051", grpc.WithTransportCredentials(insecure.NewCredentials()))
	if err != nil {
		log.Fatalf("Failed to dial: %v", err)
	}
	defer conn.Close()

	client := pb.NewMyServiceClient(conn)

	// Todo: Get this token from OAuth service (Logto or Google OAuth)
	token := "your_token_here"
	// Attach the token as gRPC metadata, the equivalent of the HTTP Authorization header.
	ctx := metadata.AppendToOutgoingContext(context.Background(), "authorization", "Bearer "+token)

	response, err := client.MyRPCMethod(ctx, &pb.MyRequest{Message: "Hello!"})
	if err != nil {
		log.Fatalf("Failed to call MyRPCMethod: %v", err)
	}

	log.Printf("Response received: %s", response.Message)
}
```
2. Server Code:

```go
package main

import (
	"context"
	"log"
	"net"
	"strings"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"

	pb "path/to/your/proto/package"
)

type server struct {
	// Embedding the generated Unimplemented server is required by code
	// produced with protoc-gen-go-grpc.
	pb.UnimplementedMyServiceServer
}

func (s *server) MyRPCMethod(ctx context.Context, req *pb.MyRequest) (*pb.MyResponse, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return nil, status.Errorf(codes.Unauthenticated, "missing metadata")
	}
	tokens := md.Get("authorization")
	if len(tokens) == 0 {
		return nil, status.Errorf(codes.Unauthenticated, "missing token")
	}
	// The client sends "Bearer <token>", so strip the scheme before comparing.
	token := strings.TrimPrefix(tokens[0], "Bearer ")

	// Todo: validate tokens before processing. The comparison below is only
	// a placeholder for that validation.
	if token != "your_expected_token" {
		// A token that fails validation means the caller is not authenticated.
		return nil, status.Errorf(codes.Unauthenticated, "invalid token")
	}

	return &pb.MyResponse{Message: "Hello back!"}, nil
}

func main() {
	lis, err := net.Listen("tcp", ":50051")
	if err != nil {
		log.Fatalf("Failed to listen: %v", err)
	}
	s := grpc.NewServer()
	pb.RegisterMyServiceServer(s, &server{})
	if err := s.Serve(lis); err != nil {
		log.Fatalf("Failed to serve: %v", err)
	}
}
```

Hope this helps!


This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Mar 20, 2024
@simeng-li simeng-li added the pending-verification Something is still under investigation label Mar 28, 2024
@github-actions github-actions bot removed the stale label Mar 29, 2024
@xiaoyijun
Contributor

Closed because this issue has been open for 30 days with no activity.

@xiaoyijun xiaoyijun added stale and removed pending-verification Something is still under investigation labels Apr 2, 2024
@Gictorbit
Author

Hello again,

Thank you for your explanations. I have read the documentation on protected applications, but I am still wondering how to implement the signin and register methods. Additionally, I need guidance on implementing interceptors to validate JWT tokens in Golang. I checked the website, but it only provides examples for traditional web applications, not protected ones.
