New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Examples: Add a JWT authentication example #5915
Examples: Add a JWT authentication example #5915
Conversation
Thank you for your pull request. Before we can look at your contribution, we need to ensure all contributors are covered by a Contributor License Agreement. After the following items are addressed, please respond with a new comment here, and the automated system will re-verify.
Regards, |
8f238cd
to
c8a7842
Compare
c8a7842
to
3b8516c
Compare
examples/example-jwt-auth/src/test/java/io/grpc/examples/authentication/AuthClientTest.java
Outdated
Show resolved
Hide resolved
...les/example-jwt-auth/src/main/java/io/grpc/examples/authentication/JwtServerInterceptor.java
Outdated
Show resolved
Hide resolved
examples/example-jwt-auth/src/main/java/io/grpc/examples/authentication/Constant.java
Outdated
Show resolved
Hide resolved
examples/example-jwt-auth/src/main/java/io/grpc/examples/authentication/AuthServer.java
Outdated
Show resolved
Hide resolved
examples/example-jwt-auth/src/main/java/io/grpc/examples/authentication/AuthClient.java
Outdated
Show resolved
Hide resolved
examples/example-jwt-auth/src/main/java/io/grpc/examples/authentication/BearerToken.java
Outdated
Show resolved
Hide resolved
examples/example-jwt-auth/src/main/java/io/grpc/examples/authentication/AuthServer.java
Outdated
Show resolved
Hide resolved
ping reviewers |
@sanjaypujare @ejona86 ping |
@dapengzhang0 @sanjaypujare @ejona86 all comments are resolved. Anything else? |
I haven't finished my review yet. Give me another day - sorry about the delay |
examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthClient.java
Outdated
Show resolved
Hide resolved
examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthServer.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM. But chatting with @ejona86 it looks like he has some comments/questions so I would wait for his comments before merging this.
@ejona86 any plans to review / merge this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some fairly easy changes, necessary, but otherwise LGTM. I'm most concerned about the BearerToken comment, since I've seen far too much code pass around plain jwt/oauth tokens without a way to refresh, and I don't want to inadvertently encourage that behavior.
HelloRequest request = HelloRequest.newBuilder().setName(name).build(); | ||
|
||
String jwt = getJwt(clientId); // build JWT | ||
CallCredentials credentials = new BearerToken(jwt); // Wrap JWT in CallCredentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The call credential should be responsible for making sure the JWT is valid, so building the JWT should really be part of the CallCredential, so that it can be re-created automatically before it expires. I see there is no expiration involved here, so maybe a comment here is enough. But given how simple getJwt() is, it seems much better to move that into the CallCredential and rename it to be JwtCredential or some such (just passing the clientId). (Feel free to create the JWT in the constructor.)
I accept that something like BearerToken is appropriate at times, but it's not something that is best copied for the majority of cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
.withValue(Constant.CLIENT_ID_CONTEXT_KEY, claims.getBody().getSubject()); | ||
return Contexts.interceptCall(ctx, serverCall, metadata, serverCallHandler); | ||
} catch (Exception e) { | ||
status = Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error handling worries me. I'd feel much better if this try
did not include Contexts.interceptCall()
, since that will be arbitrary code and there is no telling if the exception message strings may leak inappropriate information.
I'd also be more comfortable if catch just caught JwtException (or MalformedJwtException+SignatureException+ExpiredJwtException).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
} | ||
} | ||
|
||
serverCall.close(status, metadata); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/metadata/new Metadata()/
Using metadata
will echo back the request metadata, which isn't appropriate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I updated this PR according to @ejona86's comment (last three commits). PTAL. |
LGTM i think it is ready to merge! |
finally it is merged, thanks @anarsultanov. This will help our users a lot! |
#5665