kotlinx-rpc icon indicating copy to clipboard operation
kotlinx-rpc copied to clipboard

Published 20 hours ago verified publisher icon Kotlin

Add Authentication support

Open vdshb opened this issue 1 year ago • 4 comments
trafficstars

This is basically a proposal to design and add an authentication support for RPC calls.

vdshb avatar May 23 '24 12:05 vdshb

I actually tried using this project to replace my previous approach using Ktor resources, however, this is indeed a blocker for me, whilst it would be possible to implement basic authentication (basic authentication features, not specifically http basic auth) using Ktors interceptors (when using ktor transport) I can't get the user, which started an RPC call.

I think the biggest issue is adding some sort of context parameter to the function call, since adding an extra parameter to every function in the interface is kinda ugly, maybe we could use a CoroutineContextElement?

DRSchlaubi avatar May 24 '24 10:05 DRSchlaubi

Hi! I terms of Ktor integration (and thus kRPC protocol) - what we can do is pass WebSocketSession that created an instance of a service to that service. Another approach with Ktor would be adding protected routes, which you can do already. If you want to have authentication without binding to Ktor, I'd say kRPC protocol would not be able to do it yet. We are working on a more general approach, reviewing the questions like how to do it, or do we need it at all? Please, add more of your use-cases here, it will greatly help us with the further improvement

Mr3zee avatar May 27 '24 15:05 Mr3zee

I did not realize, that all requests go through the websocket in my previous reply, so I did not realize passing the session is an option. Protected routes won't work for me, since I need to know the user making the call, but I could pass some query param to the websocket session like you suggested.

A non ktor approach is not needed for me rn, but others might want to do it with gRPC

DRSchlaubi avatar May 27 '24 17:05 DRSchlaubi

Ok, we will look into providing a way to access session then, thank you for the suggestion!

Mr3zee avatar May 27 '24 18:05 Mr3zee

Hi, again! I started working on this, and realized that you already can access WebSocketSession on a server using rpc route context like this:

rpc("/my-rpc-endpoint") {
    val rpcRoute: RPCRoute = this // where RPCRoute is DefaultWebSocketServerSession
    val call: ApplicationCall = call // example accessing sessions's properties
}

This can not be done on a client however, so I would add this support

Mr3zee avatar Jun 20 '24 07:06 Mr3zee