# Authentication

As outlined in the [gRPC authentication guide](https://grpc.io/docs/guides/auth.html), there are a number of different mechanisms for asserting identity between a client and a server. We'll present some code samples here demonstrating how to provide TLS support for encryption and identity assertions, as well as how to pass OAuth2 tokens to services that support them.

# Enabling TLS on a gRPC client

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))
```

# Enabling TLS on a gRPC server

```Go
// Load the server certificate and private key; these are the credentials the
// server presents during the TLS handshake.
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
	log.Fatalf("Failed to generate credentials %v", err)
}
lis, err := net.Listen("tcp", ":0")
if err != nil {
	log.Fatalf("Failed to listen: %v", err)
}
server := grpc.NewServer(grpc.Creds(creds))
...
server.Serve(lis)
```

# OAuth2

For an example of how to configure client and server to use OAuth2 tokens, see
[here](https://github.com/grpc/grpc-go/tree/master/examples/features/authentication).

## Validating a token on the server

Clients may use
[metadata.MD](https://godoc.org/google.golang.org/grpc/metadata#MD)
to store tokens and other authentication-related data. To gain access to the
`metadata.MD` object, a server may use
[metadata.FromIncomingContext](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext).
With a reference to `metadata.MD` on the server, one simply looks up the
`authorization` key. Note that all keys stored within `metadata.MD` are normalized
to lowercase. See [here](https://godoc.org/google.golang.org/grpc/metadata#New).

It is possible to configure token validation for all RPCs using an interceptor.
A server may configure either a
[grpc.UnaryInterceptor](https://godoc.org/google.golang.org/grpc#UnaryInterceptor)
or a
[grpc.StreamInterceptor](https://godoc.org/google.golang.org/grpc#StreamInterceptor).
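The following is an added example, not code from grpc-go or its documentation, showing the token-validation pattern described above as a unary interceptor. So that it runs with the standard library alone, it declares local stand-ins for `metadata.MD`, `metadata.FromIncomingContext` and `metadata.NewIncomingContext` (the `MD` type and the two functions below are assumptions that mirror the real ones, including the lowercase key normalization); in a real server you would import `google.golang.org/grpc/metadata`, register `ensureValidToken` via `grpc.UnaryInterceptor`, and return `status.Error(codes.Unauthenticated, ...)` instead of the sentinel errors used here. The expected token is a constructed value.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// MD mirrors the shape of grpc's metadata.MD: map[string][]string with
// lowercase keys. Local stand-in so the example needs no grpc module.
type MD map[string][]string

type mdKey struct{}

// FromIncomingContext is a stand-in for metadata.FromIncomingContext.
func FromIncomingContext(ctx context.Context) (MD, bool) {
	md, ok := ctx.Value(mdKey{}).(MD)
	return md, ok
}

// NewIncomingContext is a stand-in for metadata.NewIncomingContext. Keys are
// lowercased, which is the normalization grpc applies to metadata keys.
func NewIncomingContext(ctx context.Context, md MD) context.Context {
	norm := make(MD, len(md))
	for k, v := range md {
		norm[strings.ToLower(k)] = v
	}
	return context.WithValue(ctx, mdKey{}, norm)
}

// Sentinel errors for the example; a real interceptor would wrap these in a
// gRPC status with codes.Unauthenticated.
var (
	ErrMissingMetadata = errors.New("missing metadata")
	ErrMissingToken    = errors.New("missing authorization token")
	ErrInvalidToken    = errors.New("invalid token")
)

// expectedToken is a constructed value for the example only.
const expectedToken = "example-token-not-a-real-credential"

// validateAuthorization looks up the lowercase "authorization" key and checks
// for a "Bearer <token>" value. The token comparison is constant-time so the
// response latency does not reveal how many leading bytes matched.
func validateAuthorization(md MD) error {
	vals := md["authorization"]
	if len(vals) == 0 {
		return ErrMissingToken
	}
	const prefix = "Bearer "
	if !strings.HasPrefix(vals[0], prefix) {
		return ErrInvalidToken
	}
	token := strings.TrimPrefix(vals[0], prefix)
	if subtle.ConstantTimeCompare([]byte(token), []byte(expectedToken)) != 1 {
		return ErrInvalidToken
	}
	return nil
}

// UnaryHandler and ensureValidToken follow the shape of grpc.UnaryHandler and
// grpc.UnaryServerInterceptor (the *grpc.UnaryServerInfo argument is omitted).
type UnaryHandler func(ctx context.Context, req interface{}) (interface{}, error)

// ensureValidToken rejects the RPC before the handler runs unless the incoming
// metadata carries a valid bearer token.
func ensureValidToken(ctx context.Context, req interface{}, handler UnaryHandler) (interface{}, error) {
	md, ok := FromIncomingContext(ctx)
	if !ok {
		return nil, ErrMissingMetadata
	}
	if err := validateAuthorization(md); err != nil {
		return nil, err
	}
	return handler(ctx, req)
}

// echo is a trivial handler standing in for a real RPC method.
func echo(ctx context.Context, req interface{}) (interface{}, error) {
	return fmt.Sprintf("echo: %v", req), nil
}

func main() {
	// Mixed-case key on the way in; the stand-in lowercases it like grpc does.
	ctx := NewIncomingContext(context.Background(), MD{"Authorization": {"Bearer " + expectedToken}})
	resp, err := ensureValidToken(ctx, "hi", echo)
	fmt.Println(resp, err)
	_, err = ensureValidToken(context.Background(), "hi", echo)
	fmt.Println(err)
}
```

Because the interceptor runs for every unary RPC on the server, a handler cannot be reached without passing `validateAuthorization`; a stream interceptor with the same check is needed to cover streaming methods.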

## Adding a token to all outgoing client RPCs

To send an OAuth2 token with each RPC, a client may configure the
`grpc.DialOption`
[grpc.WithPerRPCCredentials](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials).
Alternatively, a client may also use the `grpc.CallOption`
[grpc.PerRPCCredentials](https://godoc.org/google.golang.org/grpc#PerRPCCredentials)
on each invocation of an RPC.

To create a `credentials.PerRPCCredentials`, use
[oauth.NewOauthAccess](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess).
Note that the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use
[grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials)
to prevent any insecure transmission of tokens.

# Authenticating with Google

## Google Compute Engine (GCE)

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))
```

## JWT

```Go
// Build JWT credentials from a service account key file, scoped to oauthScope.
jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope)
if err != nil {
	log.Fatalf("Failed to create JWT credentials: %v", err)
}
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))
```
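The following is an added example, not code from grpc-go, showing what a per-RPC credential like the one returned by `oauth.NewOauthAccess` does on the client side: it supplies an `authorization` metadata entry for every call and declares that it requires transport security. To run without the grpc module, the example declares a local `PerRPCCredentials` interface with the same method set as `credentials.PerRPCCredentials`, a minimal `Token` type standing in for the `golang.org/x/oauth2` token, and an `attachCredentials` function that models the check grpc performs when credentials requiring transport security are combined with a connection that has none (all three are assumptions for the example; the token value and method name are constructed).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// PerRPCCredentials has the same method set as grpc's
// credentials.PerRPCCredentials. Declared locally for this example; a real
// implementation is passed to grpc.WithPerRPCCredentials.
type PerRPCCredentials interface {
	GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
	RequireTransportSecurity() bool
}

// Token is a minimal bearer token with an expiry, a stand-in for the
// golang.org/x/oauth2 token that oauth.NewOauthAccess wraps.
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// bearerCreds attaches an OAuth2 bearer token to every RPC and refuses to be
// used over a cleartext connection.
type bearerCreds struct {
	token Token
}

func newBearerCreds(tok Token) *bearerCreds {
	return &bearerCreds{token: tok}
}

var ErrTokenExpired = errors.New("oauth2 token expired")

// GetRequestMetadata is called by the transport for each RPC; the returned map
// is merged into the outgoing metadata. The key is lowercase, matching the
// normalization the server will apply when it looks the header up.
func (b *bearerCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	if !b.token.Expiry.IsZero() && !time.Now().Before(b.token.Expiry) {
		return nil, ErrTokenExpired
	}
	return map[string]string{"authorization": "Bearer " + b.token.AccessToken}, nil
}

// RequireTransportSecurity reports that the token must only travel over TLS.
func (b *bearerCreds) RequireTransportSecurity() bool { return true }

var ErrInsecureTransport = errors.New("per-RPC credentials require transport security (use grpc.WithTransportCredentials)")

// attachCredentials models the check grpc performs: credentials that require
// transport security are rejected unless TLS transport credentials are set,
// so the bearer token is never placed on a cleartext connection.
func attachCredentials(ctx context.Context, creds PerRPCCredentials, transportSecure bool, method string) (map[string]string, error) {
	if creds.RequireTransportSecurity() && !transportSecure {
		return nil, ErrInsecureTransport
	}
	return creds.GetRequestMetadata(ctx, method)
}

func main() {
	creds := newBearerCreds(Token{AccessToken: "constructed-token", Expiry: time.Now().Add(time.Hour)})
	// Cleartext connection: the token is withheld and an error is returned.
	_, err := attachCredentials(context.Background(), creds, false, "/example.Service/Method")
	fmt.Println(err)
	// TLS connection: the authorization metadata is produced.
	md, err := attachCredentials(context.Background(), creds, true, "/example.Service/Method")
	fmt.Println(md, err)
}
```

The expiry check illustrates why the real implementation wraps an `oauth2.TokenSource` rather than a fixed token: a refreshing source returns a current token for each RPC instead of failing once the original one expires.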