Comments (28)
Sorry @graemerocher, totally lost track of this. I can get something going this weekend.
from micronaut-grpc.
@jameskleeh @sdelamo can you provide some suggestions with regards to integrating security with gRPC here?
#322 has been opened to support JWT server-side security
I believe that a pretty crucial part is missing here for this to be on par with the "HTTP security" module: token propagation. Ideally, it should be possible to configure HTTP → gRPC, gRPC → HTTP and gRPC → gRPC token propagation.
@brunorafaeli, still waiting on feedback on some design direction from Micronaut team.
@FrogDevelopper I'll be looking at this later this week
Worth adding as a new module micronaut-security-jwt with a grpc flavor?
Sounds like a good idea, want to do a PR?
Sure, I can take a stab at it. Is it better suited to live in this project or within https://github.com/micronaut-projects/micronaut-security ?
this project is fine
@brianwyka did you still want to submit a PR?
@graemerocher, I was planning on reusing some of the JWT security configuration and beans from micronaut-security-jwt, but there seem to be some ties to HttpRequest in there, and the only methods I can call without the request are @deprecated.
Should I copy code into this new module or call the deprecated code?
Here is what my "basic" first take of an implementation looks like:
Configuration class:
```java
import io.micronaut.context.annotation.ConfigurationProperties;
import io.micronaut.context.annotation.Requires;
import io.micronaut.grpc.server.GrpcServerConfiguration;

@ConfigurationProperties(GrpcServerSecurityJwtConfiguration.PREFIX)
@Requires(property = GrpcServerSecurityJwtConfiguration.PREFIX + ".enabled", value = "true", defaultValue = "false")
public interface GrpcServerSecurityJwtConfiguration {

    /** Configuration prefix, e.g. grpc.server.security.jwt */
    String PREFIX = GrpcServerConfiguration.PREFIX + ".security.jwt";

    /**
     * Whether or not the JWT server interceptor is enabled.
     *
     * @return true if enabled, false otherwise
     */
    boolean isEnabled();

    /**
     * The order to be applied to the server interceptor in the interceptor chain.
     *
     * @return the order
     */
    int getOrder();

    /**
     * The name of the metadata key which holds the JWT.
     *
     * @return the metadata key name
     */
    String getMetadataKeyName();
}
```
Server Interceptor:
```java
import com.nimbusds.jwt.JWT;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import io.grpc.StatusRuntimeException;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.order.Ordered;
import io.micronaut.security.token.jwt.validator.JwtValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.inject.Singleton;
import java.util.Optional;

@Singleton
@Requires(beans = GrpcServerSecurityJwtConfiguration.class)
public class GrpcServerSecurityJwtInterceptor implements ServerInterceptor, Ordered {

    private static final Logger LOG = LoggerFactory.getLogger(GrpcServerSecurityJwtInterceptor.class);

    private final int order;
    private final Metadata.Key<String> jwtMetadataKey;
    private final JwtValidator jwtValidator;

    /**
     * Create the interceptor based on the configuration.
     *
     * @param config       the gRPC Security JWT configuration
     * @param jwtValidator the JWT validator
     */
    @Inject
    public GrpcServerSecurityJwtInterceptor(final GrpcServerSecurityJwtConfiguration config, final JwtValidator jwtValidator) {
        this.order = config.getOrder();
        this.jwtMetadataKey = Metadata.Key.of(config.getMetadataKeyName(), Metadata.ASCII_STRING_MARSHALLER);
        this.jwtValidator = jwtValidator;
    }

    /**
     * Intercept the call to validate the JSON web token. If the token is not present in the metadata, or
     * if the token is not valid, this method will deny the request with a {@link StatusRuntimeException}.
     *
     * @param call     the server call
     * @param metadata the metadata
     * @param next     the next processor in the interceptor chain
     * @param <T>      the type of the server request
     * @param <S>      the type of the server response
     * @return the listener for the call
     * @throws StatusRuntimeException if token not present or invalid
     */
    @Override
    public <T, S> ServerCall.Listener<T> interceptCall(final ServerCall<T, S> call, final Metadata metadata, final ServerCallHandler<T, S> next) {
        if (!metadata.containsKey(jwtMetadataKey)) {
            if (LOG.isErrorEnabled()) {
                LOG.error("{} key missing in gRPC metadata", jwtMetadataKey.name());
            }
            throw new StatusRuntimeException(Status.UNAUTHENTICATED);
        }
        // Validate before handing the call to the next handler, so that nothing downstream
        // is started for a request carrying an invalid token. The single-argument validate(String)
        // is the deprecated form referred to above.
        final Optional<JWT> jwtOptional = jwtValidator.validate(metadata.get(jwtMetadataKey));
        if (!jwtOptional.isPresent()) {
            throw Status.PERMISSION_DENIED.withDescription("JWT validation failed").asRuntimeException();
        }
        if (LOG.isDebugEnabled()) {
            // Note: this writes the raw token to the log; keep it at debug level only.
            LOG.debug("JWT: {}", jwtOptional.get().serialize());
        }
        // Only now start the call; the previous empty SimpleForwardingServerCallListener wrapper added nothing.
        return next.startCall(call, metadata);
    }

    /**
     * Get the order for this interceptor within the interceptor chain.
     *
     * @return the order
     */
    @Override
    public int getOrder() {
        return order;
    }
}
```
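The draft above covers only server-side validation; the token propagation raised earlier in the thread (HTTP → gRPC, gRPC → gRPC) also needs a client side. The following is an added example, not code from the micronaut-grpc PR or from Micronaut Security: a plain grpc-java server interceptor that verifies the bearer token before next.startCall() and rejects by closing the call instead of throwing, paired with a client interceptor that re-sends the verified token on outgoing calls. The TokenVerifier interface, the "authorization" metadata key and the "verified-jwt" Context key are assumptions chosen for the example.

```java
import io.grpc.*;

/** Added example (not micronaut-grpc code): verify a bearer JWT before the handler starts and
 *  re-send the verified token on outgoing calls. TokenVerifier is a hypothetical stand-in for JwtValidator. */
public final class JwtPropagation {
    static final Metadata.Key<String> AUTH_KEY =
            Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER); // constructed key name
    static final Context.Key<String> TOKEN_CTX = Context.key("verified-jwt");   // constructed key name

    public interface TokenVerifier { boolean isValid(String token); }

    /** Server side: reject with close() before next.startCall() so no handler ever runs unauthenticated. */
    public static ServerInterceptor server(TokenVerifier verifier) {
        return new ServerInterceptor() {
            @Override
            public <Q, R> ServerCall.Listener<Q> interceptCall(ServerCall<Q, R> call, Metadata headers,
                                                               ServerCallHandler<Q, R> next) {
                String value = headers.get(AUTH_KEY);
                String token = value != null && value.startsWith("Bearer ") ? value.substring(7) : null;
                if (token == null || !verifier.isValid(token)) {
                    call.close(Status.UNAUTHENTICATED.withDescription("missing or invalid JWT"), new Metadata());
                    return new ServerCall.Listener<Q>() { }; // no-op listener; the RPC is already closed
                }
                // Start the handler inside a Context carrying the verified token for downstream calls.
                Context ctx = Context.current().withValue(TOKEN_CTX, token);
                return Contexts.interceptCall(ctx, call, headers, next);
            }
        };
    }

    /** Client side (gRPC -> gRPC propagation): copy the token from the current Context to outgoing metadata. */
    public static ClientInterceptor client() {
        return new ClientInterceptor() {
            @Override
            public <Q, R> ClientCall<Q, R> interceptCall(MethodDescriptor<Q, R> method, CallOptions options,
                                                         Channel channel) {
                return new ForwardingClientCall.SimpleForwardingClientCall<Q, R>(channel.newCall(method, options)) {
                    @Override
                    public void start(Listener<R> listener, Metadata headers) {
                        String token = TOKEN_CTX.get(); // null when not inside an authenticated server call
                        if (token != null) {
                            headers.put(AUTH_KEY, "Bearer " + token);
                        }
                        super.start(listener, headers);
                    }
                };
            }
        };
    }
}
```

Register the server interceptor with ServerInterceptors.intercept(service, JwtPropagation.server(verifier)) and the client one with ClientInterceptors.intercept(channel, JwtPropagation.client()); because the token travels in the gRPC Context, it is only forwarded on calls made while handling an already authenticated request.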
@jameskleeh, @sdelamo, any feedback?
@brianwyka As you have discovered, many of the APIs in security are tied to the notion of an HttpRequest. If the same sort of practices for normal HTTP services also apply to gRPC then perhaps I would consider creating a GrpcRequest object that implements HttpRequest to pass around. I would not rely on the deprecated APIs as they will be removed in a future release.
Any news? We are in need of this functionality.
Thanks for the feedback @jameskleeh, I'll see if I can make that work, otherwise will resort to some duplication if necessary.
@jameskleeh, based on some brief analysis, it doesn't look like a GrpcRequest implementation of HttpRequest will be a viable or straightforward option.
I noticed that HttpRequest is @Nullable at the moment. Is that temporary until the deprecation is removed?
https://github.com/micronaut-projects/micronaut-security/blob/master/security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/JwtValidator.java#L81
Or can I leverage calling that with a null request here...?
I'm thinking that perhaps an enhancement can be made to micronaut-security to add more of a limited-scope object to the validate method of the JwtValidator. What is planned to be used off of the HttpRequest in the future? Currently I see the trace of HttpRequest die here in the JwtClaimsValidator:
https://github.com/micronaut-projects/micronaut-security/blob/master/security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/JwtClaimsValidator.java#L42
If we want to make it more useful for other security purposes outside of the HttpRequest realm, it would be beneficial to make this enhancement.
I noticed that HttpRequest is @Nullable at the moment. Is that temporary until the deprecation is removed?
That isn't temporary. We want to allow for validation of JWTs outside of a request. You can pass null there. Some of the cases where the request is available are because users requested access to it, not because the framework itself needed the data.
Thanks @jameskleeh, that will work for this use case.
@pfyod that would be useful
I agree it would be nice. Probably better to do in a follow up feature. @pfyod are you interested in working on it once #322 is complete?
Do we have news about this feature?
Any update on it would be great
Hello, happy new year to all the team. Hoping you'll get time for this feature soon.
@burtbeckwith Still no time to work on it?
@burtbeckwith any update?
Any update on the issue?
Still no update on this issue?