Understanding gRPC Authentication Methods
Download as PPTX, PDF7 likes9,171 views
The document discusses gRPC and its authentication methods, explaining that gRPC is a protocol using protocol buffers over HTTP/2 with multi-language support. It covers various authentication techniques including SSL/TLS, token-based methods, and integration with Google services like JWT and OAuth. Additionally, it addresses the differences between authentication and authorization, along with examples of how to implement these security measures in gRPC applications.
![Calling an authenticated
method from gRPC
def run(host, port, api_key, auth_token, timeout):
"""Makes a basic ListShelves call against a gRPC Bookstore server."""
channel = grpc.insecure_channel('{}:{}'.format(host, port))
stub = bookstore_pb2.BookstoreStub(channel)
metadata = []
if api_key:
metadata.append(('x-api-key', api_key))
if auth_token:
metadata.append(('authorization', 'Bearer ' + auth_token))
shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata)
print('ListShelves: {}'.format(shelves))](https://image.slidesharecdn.com/chow-anthonywed-180208153229/85/Understanding-gRPC-Authentication-Methods-42-320.jpg)
Understanding gRPC Authentication Methods
- 1. Understanding gRPC Authentication Methods Developer Week SF 2018 Anthony Chow Cephas Security Solutions Auth0 Ambassador | VMware vExpert Feb 7, 2018 Twitter: @vCloudernBeer
- 5. What is gRPC? gRPC can be summarized as protocol buffers running over HTTP/2 with multiple programming language support. Image source: grpc.io
- 6. Protocol Buffer Protocol buffer is one form of Interface Definition Language for structured data serialization and de- serialization between two parties and are transmitted over a network in binary forms. Image source: Google gRPC meetup kit
- 7. Install Protobuf 3 on Ubuntu 16.04 • curl -OL https://github.com/google/protobuf/releases/download/v3 .5.0/protoc-3.5.0-linux-x86_64.zip • unzip protoc-3.5.0-linux-x86_64.zip -d protoc3 • sudo mv protoc3/bin/* /usr/local/bin/ • sudo mv protoc3/include/* /usr/local/include/
- 8. Service Definition source: Google gRPC meetup kit
- 9. HTTP/2 Hypertext Transfer Protocol Version 2 (HTTP/2) is defined by RFC 7540 aimed at providing better performance for HTTP traffics with bi-directional streaming and flow control on a single TCP connection. Source: Google gRPC meetup kit
- 10. Multi-language Support Image source: Google gRPC meetup kit
- 11. gRPC Conceptssource: https://grpc.io/docs/guides/concepts.html Service Definition Using the API surface Synchronous vs asynchronous RPC life cycle o Unary o Client Streaming o Server Streaming o Bi-directional Streaming Deadlines/Timeouts RPC termination Cancelling RPCs Metadata Channels
- 12. Ruby Service gRPC server Go Service gRPC server gRPC Stub Java Service gRPC Stub Python Service gRPC server gRPC Stub Multi-language supportsource: Google gRPC meetup kit
- 13. gRPC Request and Response source: grpc.io
- 14. Who uses gRPCsource: Google gRPC meetup kit
- 15. Resource for gRPCsource: Google gRPC meetup kit Documentation and Code ● http://www.grpc.io/ ● https://github.com/grpc ● https://github.com/grpc-ecosystem Help and Support ● https://gitter.im/grpc/grpc ● https://groups.google.com/forum/#!forum/grpc-io
- 16. Getting started with gRPC https://grpc.io/docs/quickstart/ https://grpc.io/docs/tutorials/basic/python.html 1. Define the gRPC service and the method request and response types using protocol buffers 2. Generate the gRPC client and server interfaces from your .proto service definition. 3. Create the server 4. Create the client
- 17. gRPC frame format • Wireshark demo
- 18. Authentication vs Authorization Authentication – determine who you claim to be by the credential you provide. o Something you have – smart token device o Something you know - password o Something you are – fingerprint Authorization – based on user credential grant access to resource o Read-Write o Read only o Delete
- 19. gRPC built-in Authentication Methods SSL/TLS Token-based authentication with Google o JWT o OAuth Access Token Credentials plugin API - allows developers to plug in their own type of credentials
- 20. Credential Types Channel credential Call credential
- 21. Base case - No encryption or authentication import grpc import helloworld_pb2 channel = grpc.insecure_channel('localhost:50051') stub = helloworld_pb2.GreeterStub(channel)
- 22. With server authentication SSL/TLS import grpc import helloworld_pb2 creds = grpc.ssl_channel_credentials(open('roots.pem').read()) channel = grpc.secure_channel('myservice.example.com:443', creds) stub = helloworld_pb2.GreeterStub(channel)
- 23. Authenticate with Google using a JWT import grpc import helloworld_pb2 from google import auth as google_auth from google.auth import jwt as google_auth_jwt from google.auth.transport import grpc as google_auth_transport_grpc credentials, _ = google_auth.default() jwt_creds = google_auth_jwt.OnDemandCredentials.from_signing_credentials( credentials) channel = google_auth_transport_grpc.secure_authorized_channel( jwt_creds, None, 'greeter.googleapis.com:443') stub = helloworld_pb2.GreeterStub(channel)
- 24. Authenticate with Google using an OAuth2 token import grpc import helloworld_pb2 from google import auth as google_auth from google.auth.transport import grpc as google_auth_transport_grpc from google.auth.transport import requests as google_auth_transport_requests credentials, _ = google_auth.default(scopes=(scope,)) request = google_auth_transport_requests.Request() channel = google_auth_transport_grpc.secure_authorized_channel( credentials, request, 'greeter.googleapis.com:443') stub = helloworld_pb2.GreeterStub(channel)
- 25. Authenticate with 3rd Party • AuthMetadataPlugin • …/src/python/grpcio_tests/unit/_auth_test.py
- 26. SSL/TLS SSL – Secure Socket Layer (older standard) o Version 2 and version 3 TLS – Transport Layer Security (newer standard) o Version 1.1, 1.2 and 1.3 Asymmetric encryption o Private Key and Public key Symmetric encryption o Symmetric key Hashing Digital Certificate – e.g. X.509
- 27. SSL - Handshake Image source: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif
- 28. SSL – X.509 Digital Certificate Image source: https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.14/gtps7/ssldig17.gif
- 29. gRPC with TLS • Python “helloworld” demo with TLS.
- 30. gRPC code base • https://github.com/grpc/ • https://github.com/GoogleCloudPlatform/google-auth- library-python
- 31. JWT- JSON Web Token Image source: youtube.com
- 32. Resources for JSON Web Token • https://auth0.com/learn/json-web-tokens/ • https://jwt.io/introduction/ • https://scotch.io/tutorials/the-anatomy-of-a-json- web-token • https://auth0.com/e-books/jwt-handbook
- 33. OAuth-2 “Open Authentication” (?) Authorization delegation An authorization framework Defined by RFC 6749 and 6750 OAuth 1 is defined by RFC 5849 OAuth 1 and OAuth 2 are not compatible
- 34. OAuth2 Actors Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/
- 35. OAuth2 Flows (grants) image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2
- 36. OAuth2 Authorization Grants Different ways of getting a token o Authorization code, o Implicit grant, o Resource owner password credentials and o Client credentials Which OAuth 2.0 flow should I use?
- 37. OAuth2 Tokens • Access Token • Refresh Token
- 38. OAuth2 simplified view Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png
- 39. Resource for OAuth2 • RFC 6749 - https://tools.ietf.org/html/rfc6749 • RFC 6750 - https://tools.ietf.org/html/rfc6750 • https://auth0.com/docs/protocols/oauth2 • https://developers.google.com/oauthplayground/
- 40. Google Cloud Endpoints for gRPC Choosing an Authentication Method o API Keys o Firebase authentication o Auth0 authentication o Google authentication o Google authentication and Service Account
- 41. Examples show how to set up ESP in a gRPC service authentication: providers: - id: auth0_jwk # Replace YOUR-ACCOUNT-NAME with your service account's email address. issuer: https://DevWeekSF2018.auth0.com/ jwks_uri: "https://DevWeekSF2018.auth0.com/.well-known/jwks.json" rules: - selector: "*" requirements: - provider_id: auth0_jwk
- 42. Calling an authenticated method from gRPC def run(host, port, api_key, auth_token, timeout): """Makes a basic ListShelves call against a gRPC Bookstore server.""" channel = grpc.insecure_channel('{}:{}'.format(host, port)) stub = bookstore_pb2.BookstoreStub(channel) metadata = [] if api_key: metadata.append(('x-api-key', api_key)) if auth_token: metadata.append(('authorization', 'Bearer ' + auth_token)) shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata) print('ListShelves: {}'.format(shelves))
- 43. Setting up your Auth0