Text file src/google.golang.org/grpc/Documentation/grpc-auth-support.md

# Authentication

As outlined in the [gRPC authentication guide](https://grpc.io/docs/guides/auth.html) there are a number of different mechanisms for asserting identity between a client and server. We'll present some code samples here demonstrating how to provide TLS support for encryption and identity assertions, as well as how to pass OAuth2 tokens to services that support it.

# Enabling TLS on a gRPC client

```Go
// A nil cert pool uses the system root CAs; the empty override keeps the server name derived from serverAddr.
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))
```

# Enabling TLS on a gRPC server

```Go
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
  log.Fatalf("Failed to generate credentials %v", err)
}
lis, err := net.Listen("tcp", ":0")
if err != nil {
  log.Fatalf("Failed to listen: %v", err)
}
server := grpc.NewServer(grpc.Creds(creds))
...
if err := server.Serve(lis); err != nil {
  log.Fatalf("Failed to serve: %v", err)
}
```

# OAuth2

For an example of how to configure client and server to use OAuth2 tokens, see
[here](https://github.com/grpc/grpc-go/tree/master/examples/features/authentication).

## Validating a token on the server

Clients may use
[metadata.MD](https://godoc.org/google.golang.org/grpc/metadata#MD)
to store tokens and other authentication-related data. To gain access to the
`metadata.MD` object, a server may use
[metadata.FromIncomingContext](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext).
With a reference to `metadata.MD` on the server, one simply needs to look up the
`authorization` key. Note that all keys stored within `metadata.MD` are normalized
to lowercase. See [here](https://godoc.org/google.golang.org/grpc/metadata#New).

It is possible to configure token validation for all RPCs using an interceptor.
A server may configure either a
[grpc.UnaryInterceptor](https://godoc.org/google.golang.org/grpc#UnaryInterceptor)
or a
[grpc.StreamInterceptor](https://godoc.org/google.golang.org/grpc#StreamInterceptor).
    45
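A worked example of the lookup described above, added here and not part of grpc-go's own documentation: the checks a `grpc.UnaryInterceptor` body would perform on the `metadata.MD` returned by `metadata.FromIncomingContext` before calling the handler. It uses only the standard library so it runs stand-alone; `metadata.MD` is defined as `map[string][]string`, so an MD value can be passed in directly, and the `allowed` token list is a constructed stand-in for a real check with the token's issuer.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrNoAuthorization = errors.New("missing or repeated authorization metadata")
	ErrBadScheme       = errors.New("authorization scheme is not Bearer")
	ErrInvalidToken    = errors.New("token not recognized")
)

// bearerToken extracts the token from incoming metadata. metadata.MD is
// map[string][]string with lowercase keys: look up "authorization", never
// "Authorization". A repeated header is rejected, not silently picked.
func bearerToken(md map[string][]string) (string, error) {
	vals := md["authorization"]
	if len(vals) != 1 {
		return "", ErrNoAuthorization
	}
	parts := strings.SplitN(strings.TrimSpace(vals[0]), " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", ErrBadScheme
	}
	return strings.TrimSpace(parts[1]), nil
}

// authorize is what a grpc.UnaryInterceptor body runs before the handler,
// with md from metadata.FromIncomingContext(ctx); an error here becomes
// status.Error(codes.Unauthenticated, ...). allowed is a constructed
// stand-in for a real token check; the comparison is constant time.
func authorize(md map[string][]string, allowed []string) error {
	tok, err := bearerToken(md)
	if err != nil {
		return err
	}
	for _, a := range allowed {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(a)) == 1 {
			return nil
		}
	}
	return ErrInvalidToken
}

func main() { // constructed sample token and metadata
	fmt.Println(authorize(map[string][]string{"authorization": {"Bearer constructed-token-123"}}, []string{"constructed-token-123"}))
}
```
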
## Adding a token to all outgoing client RPCs

To send an OAuth2 token with each RPC, a client may configure the
`grpc.DialOption`
[grpc.WithPerRPCCredentials](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials).
Alternatively, a client may use the `grpc.CallOption`
[grpc.PerRPCCredentials](https://godoc.org/google.golang.org/grpc#PerRPCCredentials)
on each invocation of an RPC.

To create a `credentials.PerRPCCredentials`, use
[oauth.TokenSource](https://godoc.org/google.golang.org/grpc/credentials/oauth#TokenSource).
Note that the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use
[grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials)
so that tokens are never transmitted over an insecure connection.

# Authenticating with Google

## Google Compute Engine (GCE)

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))
```

## JWT

```Go
jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope)
if err != nil {
  log.Fatalf("Failed to create JWT credentials: %v", err)
}
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))
if err != nil {
  log.Fatalf("Failed to dial: %v", err)
}
defer conn.Close()
```

