
Include full authentication sample

Open nphmuller opened this issue 5 years ago • 6 comments

The current sample (Ticketer) generates a JWT token only by username. It would be nice to have a full username/password sample. It would be even better to have a full OAuth2 access/refresh token sample.

nphmuller, Jun 14 '19 07:06

@nphmuller @JamesNK

I could add an example for this if you want. I have an example here:

https://damienbod.com/2019/03/06/security-experiments-with-grpc-and-asp-net-core-3-0/

Question is, why username/password? This has nothing to do with the API client-service call. How you get the access token depends on the calling application and the security arch.

Greetings Damien

damienbod, Jun 17 '19 05:06

Showing how to send a username/password isn't that valuable. I agree that it is up to the app to decide how to authenticate getting the token. I think it would be interesting to show how to refresh the token.

Now that I think about it, this tends to be handled on a channel level in Grpc.Core. Need to investigate how Grpc.Core does it. We don't have channel yet, so I think the example shouldn't be updated until we get it.

JamesNK, Jun 17 '19 05:06

> Question is, why username/password? This has nothing to do with the API client-service call. How you get the access token depends on the calling application and the security arch.

The reason I asked for this is that I think it would be nice to have a full example that demonstrates how a real app would work. If you only show authn/authz for the API call, the user would still have to figure out how to actually obtain a token, for which he'd have to find another example in another project/repo.

I get however that obtaining the token is not really the responsibility of this project, so it might not be the best place to describe it.

On the other hand, an OAuth2/OpenID server via gRPC would be a cool example.

> Now that I think about it, this tends to be handled on a channel level in Grpc.Core. Need to investigate how Grpc.Core does it. We don't have channel yet, so I think the example shouldn't be updated until we get it.

Yeah, that initially was a confusing part to me of the current examples. I thought we would have to attach the tokens some way to the CallContext, but the HTTP headers of the request were used instead. It works nicely, but isn't really the gRPC way of passing credentials if I understand the docs correctly.

I'm sure you already have this, but it's described nicely here: https://grpc.io/docs/guides/auth/

nphmuller, Jun 17 '19 08:06

Keep in mind that these aren't intended to be full apps. Someone else could make a full app that uses gRPC and open source it, but it wouldn't go here. These examples shouldn't have any dependencies (database, cloud services) and show one or two things.

JamesNK, Jun 17 '19 09:06

I can do that.

ElderJames, Jan 15 '20 14:01

A complete example with getting a pair of tokens, intercepting a 401 response code, and getting a new pair would be very helpful. It would also be interesting to know how to properly re-receive the token when a bidirectional data stream is open.

At the moment, all I have been able to find is how to put the Bearer header in the interceptor.

rdcm, Dec 03 '21 22:12
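The two mechanics the thread circles around, attaching the bearer token at the channel level rather than by hand-setting HTTP headers (JamesNK's and nphmuller's comments) and refreshing the token pair when the server rejects it (rdcm's request), can be shown together in one client-side sketch. This is an added example, not code from grpc-dotnet or from any of the commenters. It assumes a hypothetical OAuth2-style token endpoint (`https://auth.example.invalid/token`, a placeholder) that returns `access_token`, `refresh_token` and `expires_in`; the gRPC API calls (`CallCredentials.FromInterceptor`, `ChannelCredentials.Create`, `GrpcChannel.ForAddress`) are the real Grpc.Net.Client / Grpc.Core.Api ones. The server side is assumed to be the Ticketer-style ASP.NET Core JWT bearer setup, whose 401 the client observes as `StatusCode.Unauthenticated`.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading;
using System.Threading.Tasks;
using Grpc.Core;
using Grpc.Net.Client;

// Assumed response shape of the (hypothetical) token endpoint.
public sealed record TokenResponse(string access_token, string refresh_token, int expires_in);

// Caches an access/refresh token pair and hands out a valid access token on demand.
// Username/password are sent exactly once, at login; afterwards only the refresh token is used.
public sealed class TokenProvider
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;            // placeholder, supplied by the caller
    private readonly SemaphoreSlim _gate = new(1, 1); // one refresh at a time across concurrent calls
    private string? _accessToken;
    private string? _refreshToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public TokenProvider(HttpClient http, Uri tokenEndpoint) => (_http, _tokenEndpoint) = (http, tokenEndpoint);

    public Task LoginAsync(string username, string password, CancellationToken ct) =>
        RequestTokensAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "password", ["username"] = username, ["password"] = password
        }, ct);

    // Returns a non-expired access token; refreshes early (30 s skew) or when the caller forces it
    // because the server already rejected the current token.
    public async Task<string> GetAccessTokenAsync(bool forceRefresh, CancellationToken ct)
    {
        await _gate.WaitAsync(ct);
        try
        {
            if (forceRefresh || _accessToken is null || DateTimeOffset.UtcNow >= _expiresAt.AddSeconds(-30))
            {
                if (_refreshToken is null) throw new InvalidOperationException("Not logged in.");
                await RequestTokensAsync(new Dictionary<string, string>
                {
                    ["grant_type"] = "refresh_token", ["refresh_token"] = _refreshToken
                }, ct);
            }
            return _accessToken!;
        }
        finally { _gate.Release(); }
    }

    private async Task RequestTokensAsync(Dictionary<string, string> form, CancellationToken ct)
    {
        using var response = await _http.PostAsync(_tokenEndpoint, new FormUrlEncodedContent(form), ct);
        response.EnsureSuccessStatusCode();
        var tokens = await response.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct)
                     ?? throw new InvalidOperationException("Empty token response.");
        _accessToken = tokens.access_token;
        _refreshToken = tokens.refresh_token;   // token endpoints typically rotate this; always keep the newest
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(tokens.expires_in);
    }
}

public static class AuthenticatedChannel
{
    // Channel-level credentials: every call on this channel gets an Authorization metadata entry,
    // so individual calls never touch HTTP headers themselves.
    public static GrpcChannel Create(string address, TokenProvider tokens)
    {
        var callCredentials = CallCredentials.FromInterceptor(async (context, metadata) =>
        {
            var token = await tokens.GetAccessTokenAsync(forceRefresh: false, CancellationToken.None);
            metadata.Add("Authorization", $"Bearer {token}");
        });

        return GrpcChannel.ForAddress(address, new GrpcChannelOptions
        {
            // Call credentials are only applied over TLS; SslCredentials is the channel-level transport security.
            Credentials = ChannelCredentials.Create(new SslCredentials(), callCredentials)
        });
    }

    // Unary-call wrapper for the rejected-token case: force a refresh and retry the call once.
    public static async Task<T> CallWithRefreshAsync<T>(TokenProvider tokens, Func<Task<T>> call)
    {
        try { return await call(); }
        catch (RpcException ex) when (ex.StatusCode == StatusCode.Unauthenticated)
        {
            await tokens.GetAccessTokenAsync(forceRefresh: true, CancellationToken.None);
            return await call();
        }
    }
}
```

Usage: `var tokens = new TokenProvider(new HttpClient(), new Uri("https://auth.example.invalid/token"));` (placeholder URL), `await tokens.LoginAsync(user, password, ct);`, then `var channel = AuthenticatedChannel.Create("https://localhost:5001", tokens);` and wrap each unary call as `await AuthenticatedChannel.CallWithRefreshAsync(tokens, () => client.BuyTicketsAsync(request).ResponseAsync);`. The interceptor runs once per call, so a long-lived bidirectional stream keeps whatever token it was opened with; the retry-once pattern above only fits unary calls, and for an open stream the realistic option is to re-open the stream after an `Unauthenticated` status, which is the gap rdcm points out.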