Kotlin / kotlinx-rpc

Add asynchronous RPC services to your multiplatform applications.
https://kotlin.github.io/kotlinx-rpc/
Apache License 2.0

Add Authentication support #77

Closed vdshb closed 1 week ago

vdshb commented 1 month ago

This is basically a proposal to design and add authentication support for RPC calls.

DRSchlaubi commented 1 month ago

I actually tried using this project to replace my previous approach using Ktor resources; however, this is indeed a blocker for me. Whilst it would be possible to implement basic authentication (basic authentication features, not specifically HTTP basic auth) using Ktor's interceptors (when using Ktor transport), I can't get the user who started an RPC call.

I think the biggest issue is adding some sort of context parameter to the function call, since adding an extra parameter to every function in the interface is kinda ugly, maybe we could use a CoroutineContextElement?

Mr3zee commented 1 month ago

Hi! In terms of Ktor integration (and thus the kRPC protocol), what we can do is pass the WebSocketSession that created an instance of a service to that service. Another approach with Ktor would be adding protected routes, which you can do already. If you want to have authentication without binding to Ktor, I'd say the kRPC protocol would not be able to do it yet. We are working on a more general approach, reviewing questions like how to do it, or do we need it at all? Please add more of your use cases here; it will greatly help us with further improvement.

DRSchlaubi commented 1 month ago

I did not realize that all requests go through the websocket in my previous reply, so I did not realize passing the session is an option. Protected routes won't work for me, since I need to know the user making the call, but I could pass some query param to the websocket session like you suggested.

A non-Ktor approach is not needed for me rn, but others might want to do it with gRPC.

Mr3zee commented 1 month ago

Ok, we will look into providing a way to access session then, thank you for the suggestion!

Mr3zee commented 1 week ago

Hi, again! I started working on this, and realized that you already can access WebSocketSession on a server using rpc route context like this:

rpc("/my-rpc-endpoint") {
    val rpcRoute: RPCRoute = this // where RPCRoute is DefaultWebSocketServerSession
    val call: ApplicationCall = call // example accessing session's properties
}

This cannot be done on a client, however, so I would add this support.