Authentication

[shinebayar-g]

Hi folks, thanks for the great work. Is there any documentation, guide for getting started with how to implement auth? I'm new to grpc ecosystem, thanks.

[mattrobenolt]

Hey there, I'm not sure any official patterns have been adopted or promoted, but I'd strongly recommend adopting patterns that work/worked with a normal REST API or something of that sort. In my case, I've used this with both HTTP basic auth and some other derivatives like JWT-ish. Cookies with sessions would also be trivial.

I'd recommend implementing this as an HTTP middleware. If it's something a bit more complex, maybe as an actual interceptor. In my case, everything as an HTTP middleware has been plenty sufficient and the same middleware is shared and used with Connect endpoints and non Connect endpoints.

I'm happy to share some pseudocode if you want some direction.

[shinebayar-g]

Ah that makes sense. Fact that regular net/http things are compatible with connect-go is making the use of HTTP middlewares possible? Yeah pls share some code if possible. It'd be useful for future references.

[akshayjshah]

Matt's spot-on - unless you're doing something particularly complex, use normal net/http middleware. For example, Auth0 maintains a fairly popular JWT middleware package. Amending their example a bit, here's how you'd use it with Connect RPC handlers:

package main

import (
  "context"
  "encoding/json"
  "log"
  "net/http"

  "github.com/auth0/go-jwt-middleware/v2"
  "github.com/auth0/go-jwt-middleware/v2/validator"
  "github.com/bufbuild/connect-go"

  // Replace these imports with your generated code.
  pingv1 "github.com/bufbuild/connect-go/internal/gen/connect/ping/v1"
  "github.com/bufbuild/connect-go/internal/gen/connect/ping/v1/pingv1connect"
)

func main() {
  keyFunc := func(ctx context.Context) (interface{}, error) {
    // Our token must be signed using this data.
    return []byte("secret"), nil
  }

  // Set up the validator.
  jwtValidator, err := validator.New(
    keyFunc,
    validator.HS256,
    "https://<issuer-url>/",
    []string{"<audience>"},
  )
  if err != nil {
    log.Fatalf("failed to set up the validator: %v", err)
  }

  // Set up the middleware.
  middleware := jwtmiddleware.New(jwtValidator.ValidateToken)
  
  // Create a mux that serves our RPC handlers.
  mux := http.NewServeMux()
  mux.Handle(pingv1connect.NewPingServiceHandler(&PingServer{}))
  // Add any other Connect handlers here.

  http.ListenAndServeTLS("0.0.0.0:3000", "cert.pem", "key.pem", middleware.CheckJWT(mux))
}

If you're doing something especially complex, this may not be flexible enough - perhaps you need access to the protobuf messages, some of connect.Spec, or other RPC-specific data. (Try to avoid this, though!) In those cases, you'll want to write a Connect interceptor. It could look like https://github.com/akshayjshah/connectauth, but you'll have to tailor it the implementation to your needs.