diff --git a/RELEASING.md b/RELEASING.md
index 1d6ee0e0c41..b3d262a119b 100644
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -45,6 +45,8 @@ $ VERSION_FILES=(
examples/example-alts/build.gradle
examples/example-gauth/build.gradle
examples/example-gauth/pom.xml
+ examples/example-jwt-auth/build.gradle
+ examples/example-jwt-auth/pom.xml
examples/example-hostname/build.gradle
examples/example-hostname/pom.xml
examples/example-kotlin/build.gradle
diff --git a/examples/README.md b/examples/README.md
index 878da521ac1..fdcec2d636b 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -156,6 +156,8 @@ $ bazel-bin/hello-world-client
- [Google Authentication](example-gauth)
+- [JWT-based Authentication](example-jwt-auth)
+
- [Kotlin examples](example-kotlin)
- [Kotlin Android examples](example-kotlin/android)
diff --git a/examples/example-jwt-auth/README.md b/examples/example-jwt-auth/README.md
new file mode 100644
index 00000000000..ba497139983
--- /dev/null
+++ b/examples/example-jwt-auth/README.md
@@ -0,0 +1,70 @@
+Authentication Example
+==============================================
+
+This example illustrates a simple JWT-based authentication implementation in gRPC using
+ server interceptor. It uses the JJWT library to create and verify JSON Web Tokens (JWTs).
+
+The example requires grpc-java to be pre-built. Using a release tag will download the relevant binaries
+from a maven repository. But if you need the latest SNAPSHOT binaries you will need to follow
+[COMPILING](../../COMPILING.md) to build these.
+
+The source code is [here](src/main/java/io/grpc/examples/jwtauth).
+To build the example, run in this directory:
+```
+$ ../gradlew installDist
+```
+The build creates scripts `auth-server` and `auth-client` in the `build/install/example-jwt-auth/bin/` directory
+which can be used to run this example. The example requires the server to be running before starting the
+client.
+
+Running auth-server is similar to the normal hello world example and there are no arguments to supply:
+
+**auth-server**:
+
+The auth-server accepts optional argument for port on which the server should run:
+
+```text
+USAGE: auth-server [port]
+```
+
+The auth-client accepts optional arguments for server-host, server-port, user-name and client-id:
+
+**auth-client**:
+
+```text
+USAGE: auth-client [server-host [server-port [user-name [client-id]]]]
+```
+
+The `user-name` value is simply passed in the `HelloRequest` message as payload and the value of
+`client-id` is included in the JWT claims passed in the metadata header.
+
+
+#### How to run the example:
+
+```bash
+# Run the server:
+./build/install/example-jwt-auth/bin/auth-server 50051
+# In another terminal run the client
+./build/install/example-jwt-auth/bin/auth-client localhost 50051 userA clientB
+```
+
+That's it! The client will show the user-name reflected back in the message from the server as follows:
+```
+INFO: Greeting: Hello, userA
+```
+
+And on the server side you will see the message with the client's identifier:
+```
+Processing request from clientB
+```
+
+## Maven
+
+If you prefer to use Maven follow these [steps](../README.md#maven). You can run the example as follows:
+
+```
+$ # Run the server
+$ mvn exec:java -Dexec.mainClass=io.grpc.examples.authentication.AuthServer -Dexec.args="50051"
+$ # In another terminal run the client
+$ mvn exec:java -Dexec.mainClass=io.grpc.examples.authentication.AuthClient -Dexec.args="localhost 50051 userA clientB"
+```
diff --git a/examples/example-jwt-auth/build.gradle b/examples/example-jwt-auth/build.gradle
new file mode 100644
index 00000000000..8b2b5760e86
--- /dev/null
+++ b/examples/example-jwt-auth/build.gradle
@@ -0,0 +1,84 @@
+plugins {
+ // Provide convenience executables for trying out the examples.
+ id 'application'
+ // ASSUMES GRADLE 2.12 OR HIGHER. Use plugin version 0.7.5 with earlier gradle versions
+ id 'com.google.protobuf' version '0.8.8'
+ // Generate IntelliJ IDEA's .idea & .iml project files
+ id 'idea'
+}
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url "https://maven-central.storage-download.googleapis.com/repos/central/data/"
+ }
+ mavenLocal()
+}
+
+sourceCompatibility = 1.7
+targetCompatibility = 1.7
+
+// IMPORTANT: You probably want the non-SNAPSHOT version of gRPC. Make sure you
+// are looking at a tagged version of the example and not "master"!
+
+// Feel free to delete the comment at the next line. It is just for safely
+// updating the version in our release process.
+def grpcVersion = '1.29.0-SNAPSHOT' // CURRENT_GRPC_VERSION
+def protobufVersion = '3.11.0'
+def protocVersion = protobufVersion
+
+dependencies {
+ implementation "io.grpc:grpc-protobuf:${grpcVersion}"
+ implementation "io.grpc:grpc-stub:${grpcVersion}"
+ implementation "io.jsonwebtoken:jjwt:0.9.1"
+ implementation "javax.xml.bind:jaxb-api:2.3.1"
+
+ compileOnly "javax.annotation:javax.annotation-api:1.2"
+
+ runtimeOnly "io.grpc:grpc-netty-shaded:${grpcVersion}"
+
+ testImplementation "io.grpc:grpc-testing:${grpcVersion}"
+ testImplementation "junit:junit:4.12"
+ testImplementation "org.mockito:mockito-core:2.28.2"
+}
+
+protobuf {
+ protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" }
+ plugins {
+ grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" }
+ }
+ generateProtoTasks {
+ all()*.plugins { grpc {} }
+ }
+}
+
+// Inform IDEs like IntelliJ IDEA, Eclipse or NetBeans about the generated code.
+sourceSets {
+ main {
+ java {
+ srcDirs 'build/generated/source/proto/main/grpc'
+ srcDirs 'build/generated/source/proto/main/java'
+ }
+ }
+}
+
+startScripts.enabled = false
+
+task hellowWorldJwtAuthServer(type: CreateStartScripts) {
+ mainClassName = 'io.grpc.examples.jwtauth.AuthServer'
+ applicationName = 'auth-server'
+ outputDir = new File(project.buildDir, 'tmp')
+ classpath = startScripts.classpath
+}
+
+task hellowWorldJwtAuthClient(type: CreateStartScripts) {
+ mainClassName = 'io.grpc.examples.jwtauth.AuthClient'
+ applicationName = 'auth-client'
+ outputDir = new File(project.buildDir, 'tmp')
+ classpath = startScripts.classpath
+}
+
+applicationDistribution.into('bin') {
+ from(hellowWorldJwtAuthServer)
+ from(hellowWorldJwtAuthClient)
+ fileMode = 0755
+}
diff --git a/examples/example-jwt-auth/pom.xml b/examples/example-jwt-auth/pom.xml
new file mode 100644
index 00000000000..a40481b5087
--- /dev/null
+++ b/examples/example-jwt-auth/pom.xml
@@ -0,0 +1,136 @@
+
+ 4.0.0
+ io.grpc
+ example-jwt-auth
+ jar
+
+ 1.29.0-SNAPSHOT
+ example-jwt-auth
+ https://github.com/grpc/grpc-java
+
+
+ UTF-8
+ 1.29.0-SNAPSHOT
+ 3.11.0
+ 3.11.0
+
+ 1.7
+ 1.7
+
+
+
+
+
+ io.grpc
+ grpc-bom
+ ${grpc.version}
+ pom
+ import
+
+
+
+
+
+
+ io.grpc
+ grpc-netty-shaded
+ runtime
+
+
+ io.grpc
+ grpc-protobuf
+
+
+ io.grpc
+ grpc-stub
+
+
+ io.jsonwebtoken
+ jjwt
+ 0.9.1
+
+
+ javax.xml.bind
+ jaxb-api
+ 2.3.1
+
+
+ javax.annotation
+ javax.annotation-api
+ 1.2
+ provided
+
+
+ io.grpc
+ grpc-testing
+ test
+
+
+ junit
+ junit
+ 4.12
+ test
+
+
+ org.mockito
+ mockito-core
+ 2.28.2
+ test
+
+
+
+
+
+
+ kr.motd.maven
+ os-maven-plugin
+ 1.5.0.Final
+
+
+
+
+ org.xolstice.maven.plugins
+ protobuf-maven-plugin
+ 0.5.1
+
+
+ com.google.protobuf:protoc:${protoc.version}:exe:${os.detected.classifier}
+
+ grpc-java
+
+ io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}
+
+
+
+
+
+ compile
+ compile-custom
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-enforcer-plugin
+ 1.4.1
+
+
+ enforce
+
+ enforce
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/examples/example-jwt-auth/settings.gradle b/examples/example-jwt-auth/settings.gradle
new file mode 100644
index 00000000000..59ef05d47dd
--- /dev/null
+++ b/examples/example-jwt-auth/settings.gradle
@@ -0,0 +1,8 @@
+pluginManagement {
+ repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url "https://maven-central.storage-download.googleapis.com/repos/central/data/"
+ }
+ gradlePluginPortal()
+ }
+}
diff --git a/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthClient.java b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthClient.java
new file mode 100644
index 00000000000..f6ea4c57e45
--- /dev/null
+++ b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthClient.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2019 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.examples.jwtauth;
+
+import io.grpc.CallCredentials;
+import io.grpc.ManagedChannel;
+import io.grpc.ManagedChannelBuilder;
+import io.grpc.examples.helloworld.GreeterGrpc;
+import io.grpc.examples.helloworld.HelloReply;
+import io.grpc.examples.helloworld.HelloRequest;
+import java.util.concurrent.TimeUnit;
+import java.util.logging.Logger;
+
+/**
+ * An authenticating client that requests a greeting from the {@link AuthServer}.
+ */
+public class AuthClient {
+
+ private static final Logger logger = Logger.getLogger(AuthClient.class.getName());
+
+ private final ManagedChannel channel;
+ private final GreeterGrpc.GreeterBlockingStub blockingStub;
+ private final CallCredentials callCredentials;
+
+ /**
+ * Construct client for accessing GreeterGrpc server.
+ */
+ AuthClient(CallCredentials callCredentials, String host, int port) {
+ this(
+ callCredentials,
+ ManagedChannelBuilder
+ .forAddress(host, port)
+ // Channels are secure by default (via SSL/TLS). For this example we disable TLS
+ // to avoid needing certificates, but it is recommended to use a secure channel
+ // while passing credentials.
+ .usePlaintext()
+ .build());
+ }
+
+ /**
+ * Construct client for accessing GreeterGrpc server using the existing channel.
+ */
+ AuthClient(CallCredentials callCredentials, ManagedChannel channel) {
+ this.callCredentials = callCredentials;
+ this.channel = channel;
+ this.blockingStub = GreeterGrpc.newBlockingStub(channel);
+ }
+
+ public void shutdown() throws InterruptedException {
+ channel.shutdown().awaitTermination(5, TimeUnit.SECONDS);
+ }
+
+ /**
+ * Say hello to server.
+ *
+ * @param name name to set in HelloRequest
+ * @return the message in the HelloReply from the server
+ */
+ public String greet(String name) {
+ logger.info("Will try to greet " + name + " ...");
+ HelloRequest request = HelloRequest.newBuilder().setName(name).build();
+
+ // Use a stub with the given call credentials applied to invoke the RPC.
+ HelloReply response =
+ blockingStub
+ .withCallCredentials(callCredentials)
+ .sayHello(request);
+
+ logger.info("Greeting: " + response.getMessage());
+ return response.getMessage();
+ }
+
+ /**
+ * Greet server. If provided, the first element of {@code args} is the name to use in the greeting
+ * and the second is the client identifier to set in JWT
+ */
+ public static void main(String[] args) throws Exception {
+
+ String host = "localhost";
+ int port = 50051;
+ String user = "world";
+ String clientId = "default-client";
+
+ if (args.length > 0) {
+ host = args[0]; // Use the arg as the server host if provided
+ }
+ if (args.length > 1) {
+ port = Integer.parseInt(args[1]); // Use the second argument as the server port if provided
+ }
+ if (args.length > 2) {
+ user = args[2]; // Use the the third argument as the name to greet if provided
+ }
+ if (args.length > 3) {
+ clientId = args[3]; // Use the fourth argument as the client identifier if provided
+ }
+
+ CallCredentials credentials = new JwtCredential(clientId);
+ AuthClient client = new AuthClient(credentials, host, port);
+
+ try {
+ client.greet(user);
+ } finally {
+ client.shutdown();
+ }
+ }
+}
diff --git a/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthServer.java b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthServer.java
new file mode 100644
index 00000000000..90e7dff1458
--- /dev/null
+++ b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/AuthServer.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2019 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.examples.jwtauth;
+
+import io.grpc.Server;
+import io.grpc.ServerBuilder;
+import io.grpc.examples.helloworld.GreeterGrpc;
+import io.grpc.examples.helloworld.HelloReply;
+import io.grpc.examples.helloworld.HelloRequest;
+import io.grpc.stub.StreamObserver;
+import java.io.IOException;
+import java.util.logging.Logger;
+
+/**
+ * Server that manages startup/shutdown of a {@code Greeter} server. This also uses a {@link
+ * JwtServerInterceptor} to intercept the JWT token passed
+ */
+public class AuthServer {
+
+ private static final Logger logger = Logger.getLogger(AuthServer.class.getName());
+
+ private Server server;
+ private int port;
+
+ public AuthServer(int port) {
+ this.port = port;
+ }
+
+ private void start() throws IOException {
+ server = ServerBuilder.forPort(port)
+ .addService(new GreeterImpl())
+ .intercept(new JwtServerInterceptor()) // add the JwtServerInterceptor
+ .build()
+ .start();
+ logger.info("Server started, listening on " + port);
+ Runtime.getRuntime().addShutdownHook(new Thread() {
+ @Override
+ public void run() {
+ // Use stderr here since the logger may have been reset by its JVM shutdown hook.
+ System.err.println("*** shutting down gRPC server since JVM is shutting down");
+ AuthServer.this.stop();
+ System.err.println("*** server shut down");
+ }
+ });
+ }
+
+ private void stop() {
+ if (server != null) {
+ server.shutdown();
+ }
+ }
+
+ /**
+ * Await termination on the main thread since the grpc library uses daemon threads.
+ */
+ private void blockUntilShutdown() throws InterruptedException {
+ if (server != null) {
+ server.awaitTermination();
+ }
+ }
+
+ /**
+ * Main launches the server from the command line.
+ */
+ public static void main(String[] args) throws IOException, InterruptedException {
+
+ // The port on which the server should run
+ int port = 50051; // default
+ if (args.length > 0) {
+ port = Integer.parseInt(args[0]);
+ }
+
+ final AuthServer server = new AuthServer(port);
+ server.start();
+ server.blockUntilShutdown();
+ }
+
+ static class GreeterImpl extends GreeterGrpc.GreeterImplBase {
+ @Override
+ public void sayHello(HelloRequest req, StreamObserver responseObserver) {
+ // get client id added to context by interceptor
+ String clientId = Constant.CLIENT_ID_CONTEXT_KEY.get();
+ logger.info("Processing request from " + clientId);
+ HelloReply reply = HelloReply.newBuilder().setMessage("Hello, " + req.getName()).build();
+ responseObserver.onNext(reply);
+ responseObserver.onCompleted();
+ }
+ }
+}
diff --git a/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/Constant.java b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/Constant.java
new file mode 100644
index 00000000000..434422f069d
--- /dev/null
+++ b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/Constant.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2019 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.examples.jwtauth;
+
+import io.grpc.Context;
+import io.grpc.Metadata;
+
+import static io.grpc.Metadata.ASCII_STRING_MARSHALLER;
+
+/**
+ * Constants definition
+ */
+final class Constant {
+ static final String JWT_SIGNING_KEY = "L8hHXsaQOUjk5rg7XPGv4eL36anlCrkMz8CJ0i/8E/0=";
+ static final String BEARER_TYPE = "Bearer";
+
+ static final Metadata.Key AUTHORIZATION_METADATA_KEY = Metadata.Key.of("Authorization", ASCII_STRING_MARSHALLER);
+ static final Context.Key CLIENT_ID_CONTEXT_KEY = Context.key("clientId");
+
+ private Constant() {
+ throw new AssertionError();
+ }
+}
diff --git a/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/JwtCredential.java b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/JwtCredential.java
new file mode 100644
index 00000000000..4975b4a0ab3
--- /dev/null
+++ b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/JwtCredential.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2019 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.examples.jwtauth;
+
+import io.grpc.CallCredentials;
+import io.grpc.Metadata;
+import io.grpc.Status;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import java.util.concurrent.Executor;
+
+/**
+ * CallCredentials implementation, which carries the JWT value that will be propagated to the
+ * server in the request metadata with the "Authorization" key and the "Bearer" prefix.
+ */
+public class JwtCredential extends CallCredentials {
+
+ private final String subject;
+
+ JwtCredential(String subject) {
+ this.subject = subject;
+ }
+
+ @Override
+ public void applyRequestMetadata(final RequestInfo requestInfo, final Executor executor,
+ final MetadataApplier metadataApplier) {
+ // Make a JWT compact serialized string.
+ // This example omits setting the expiration, but a real application should do it.
+ final String jwt =
+ Jwts.builder()
+ .setSubject(subject)
+ .signWith(SignatureAlgorithm.HS256, Constant.JWT_SIGNING_KEY)
+ .compact();
+
+ executor.execute(new Runnable() {
+ @Override
+ public void run() {
+ try {
+ Metadata headers = new Metadata();
+ headers.put(Constant.AUTHORIZATION_METADATA_KEY,
+ String.format("%s %s", Constant.BEARER_TYPE, jwt));
+ metadataApplier.apply(headers);
+ } catch (Throwable e) {
+ metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
+ }
+ }
+ });
+ }
+
+ @Override
+ public void thisUsesUnstableApi() {
+ // noop
+ }
+}
diff --git a/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/JwtServerInterceptor.java b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/JwtServerInterceptor.java
new file mode 100644
index 00000000000..d24e814e3c0
--- /dev/null
+++ b/examples/example-jwt-auth/src/main/java/io/grpc/examples/jwtauth/JwtServerInterceptor.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2019 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.examples.jwtauth;
+
+import io.grpc.Context;
+import io.grpc.Contexts;
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptor;
+import io.grpc.Status;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwts;
+
+/**
+ * This interceptor gets the JWT from the metadata, verifies it and sets the client identifier
+ * obtained from the token into the context. In order not to complicate the example with additional
+ * checks (expiration date, issuer and etc.), it relies only on the signature of the token for
+ * verification.
+ */
+public class JwtServerInterceptor implements ServerInterceptor {
+
+ private JwtParser parser = Jwts.parser().setSigningKey(Constant.JWT_SIGNING_KEY);
+
+ @Override
+ public ServerCall.Listener interceptCall(ServerCall serverCall,
+ Metadata metadata, ServerCallHandler serverCallHandler) {
+ String value = metadata.get(Constant.AUTHORIZATION_METADATA_KEY);
+
+ Status status = Status.OK;
+ if (value == null) {
+ status = Status.UNAUTHENTICATED.withDescription("Authorization token is missing");
+ } else if (!value.startsWith(Constant.BEARER_TYPE)) {
+ status = Status.UNAUTHENTICATED.withDescription("Unknown authorization type");
+ } else {
+ Jws claims = null;
+ // remove authorization type prefix
+ String token = value.substring(Constant.BEARER_TYPE.length()).trim();
+ try {
+ // verify token signature and parse claims
+ claims = parser.parseClaimsJws(token);
+ } catch (JwtException e) {
+ status = Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e);
+ }
+ if (claims != null) {
+ // set client id into current context
+ Context ctx = Context.current()
+ .withValue(Constant.CLIENT_ID_CONTEXT_KEY, claims.getBody().getSubject());
+ return Contexts.interceptCall(ctx, serverCall, metadata, serverCallHandler);
+ }
+ }
+
+ serverCall.close(status, new Metadata());
+ return new ServerCall.Listener() {
+ // noop
+ };
+ }
+
+}
diff --git a/examples/example-jwt-auth/src/main/proto/helloworld.proto b/examples/example-jwt-auth/src/main/proto/helloworld.proto
new file mode 100644
index 00000000000..6340c54f7bb
--- /dev/null
+++ b/examples/example-jwt-auth/src/main/proto/helloworld.proto
@@ -0,0 +1,37 @@
+// Copyright 2019 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+option java_multiple_files = true;
+option java_package = "io.grpc.examples.helloworld";
+option java_outer_classname = "HelloWorldProto";
+option objc_class_prefix = "HLW";
+
+package helloworld;
+
+// The greeting service definition.
+service Greeter {
+ // Sends a greeting
+ rpc SayHello (HelloRequest) returns (HelloReply) {}
+}
+
+// The request message containing the user's name.
+message HelloRequest {
+ string name = 1;
+}
+
+// The response message containing the greetings
+message HelloReply {
+ string message = 1;
+}
diff --git a/examples/example-jwt-auth/src/test/java/io/grpc/examples/jwtauth/AuthClientTest.java b/examples/example-jwt-auth/src/test/java/io/grpc/examples/jwtauth/AuthClientTest.java
new file mode 100644
index 00000000000..8428009175d
--- /dev/null
+++ b/examples/example-jwt-auth/src/test/java/io/grpc/examples/jwtauth/AuthClientTest.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2019 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.examples.jwtauth;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.AdditionalAnswers.delegatesTo;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import io.grpc.CallCredentials;
+import io.grpc.ManagedChannel;
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptors;
+import io.grpc.examples.helloworld.GreeterGrpc;
+import io.grpc.examples.helloworld.HelloReply;
+import io.grpc.examples.helloworld.HelloRequest;
+import io.grpc.inprocess.InProcessChannelBuilder;
+import io.grpc.inprocess.InProcessServerBuilder;
+import io.grpc.ServerCall.Listener;
+import io.grpc.ServerInterceptor;
+import io.grpc.stub.StreamObserver;
+import io.grpc.testing.GrpcCleanupRule;
+import java.io.IOException;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+import org.mockito.ArgumentCaptor;
+import org.mockito.ArgumentMatchers;
+
+/**
+ * Unit tests for {@link AuthClient} testing the default and non-default tokens
+ *
+ *
+ */
+@RunWith(JUnit4.class)
+public class AuthClientTest {
+ /**
+ * This rule manages automatic graceful shutdown for the registered servers and channels at the
+ * end of test.
+ */
+ @Rule
+ public final GrpcCleanupRule grpcCleanup = new GrpcCleanupRule();
+
+ private final ServerInterceptor mockServerInterceptor = mock(ServerInterceptor.class, delegatesTo(
+ new ServerInterceptor() {
+ @Override
+ public Listener interceptCall(
+ ServerCall call, Metadata headers, ServerCallHandler next) {
+ return next.startCall(call, headers);
+ }
+ }));
+
+ private AuthClient client;
+
+
+ @Before
+ public void setUp() throws IOException {
+ // Generate a unique in-process server name.
+ String serverName = InProcessServerBuilder.generateName();
+
+ // Create a server, add service, start, and register for automatic graceful shutdown.
+ grpcCleanup.register(InProcessServerBuilder.forName(serverName).directExecutor()
+ .addService(ServerInterceptors.intercept(
+ new GreeterGrpc.GreeterImplBase() {
+
+ @Override
+ public void sayHello(
+ HelloRequest request, StreamObserver responseObserver) {
+ HelloReply reply = HelloReply.newBuilder()
+ .setMessage("AuthClientTest user=" + request.getName()).build();
+ responseObserver.onNext(reply);
+ responseObserver.onCompleted();
+ }
+ },
+ mockServerInterceptor))
+ .build().start());
+
+ CallCredentials credentials = new JwtCredential("test-client");
+ ManagedChannel channel = InProcessChannelBuilder.forName(serverName).directExecutor().build();
+ client = new AuthClient(credentials, channel);
+ }
+
+ @Test
+ public void greet() {
+ ArgumentCaptor metadataCaptor = ArgumentCaptor.forClass(Metadata.class);
+ String retVal = client.greet("John");
+
+ verify(mockServerInterceptor).interceptCall(
+ ArgumentMatchers.>any(),
+ metadataCaptor.capture(),
+ ArgumentMatchers.>any());
+
+ String token = metadataCaptor.getValue().get(Constant.AUTHORIZATION_METADATA_KEY);
+ assertNotNull(token);
+ assertTrue(token.startsWith("Bearer"));
+ assertEquals("AuthClientTest user=John", retVal);
+ }
+}