Closed serprex closed 3 weeks ago
@serprex we need to exclude the health route from auth
https://pkg.go.dev/google.golang.org/grpc#UnaryClientInterceptor
method is the RPC name
can check that for skips
Something I have done in the past:

```go
import (
	"context"

	"google.golang.org/grpc"
)

// CreateAuthServerInterceptor returns a unary server interceptor that runs
// Authorize on every call except the RPCs listed in unauthenticatedMethods
// (full method names such as "/grpc.health.v1.Health/Check").
// AuthConfig, Authorize and logging are the poster's own helpers, not shown here.
func CreateAuthServerInterceptor(authConfig *AuthConfig, unauthenticatedMethods []string) grpc.UnaryServerInterceptor {
	unauthenticatedMethodsMap := make(map[string]struct{}, len(unauthenticatedMethods))
	for _, method := range unauthenticatedMethods {
		unauthenticatedMethodsMap[method] = struct{}{}
	}
	if authConfig.Disabled {
		logging.Log().Warn("Authentication is disabled for the current server")
		return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
			return handler(ctx, req)
		}
	}
	// Can add configuration and use auth accordingly
	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
		// info.FullMethod is the RPC name, so the skip list is checked against it.
		if _, skipAuth := unauthenticatedMethodsMap[info.FullMethod]; !skipAuth {
			// TODO add recover in case of panics here
			var err error
			ctx, err = Authorize(ctx, authConfig)
			if err != nil {
				return nil, err
			}
		}
		return handler(ctx, req)
	}
}
```
LGTM with some additional testing
Enables using OAuth2 for calls to the Flow API

Requires the following env vars:

- `PEERDB_OAUTH_ISSUER_URL` - This is the OAuth Issuer URL of the JWT (like `https://{AUTH0_DOMAIN}/`)
- `PEERDB_OAUTH_DISCOVERY_ENABLED` - Set this to `true` to enable discovery via the `/.well-known/jwks.json` endpoint defined in the OpenID spec
- `PEERDB_OAUTH_KEYSET_JSON` - If a custom JSON keyset is to be provided.
- `PEERDB_OAUTH_JWT_CLAIM_KEY`, `PEERDB_OAUTH_JWT_CLAIM_VALUE` - any custom key-value to be additionally checked while validating the incoming JWT

Health endpoints are explicitly excluded from auth.
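The following is an added example, not code from this thread or from the PeerDB project, that puts the two ideas on this page together: the skip list keyed on the full RPC name from the interceptor comment above, and the issuer plus custom key/value claim checks listed in the PR description. It does not import gRPC; `Authorize` takes the full method name and a metadata map directly, which is what a real interceptor would pass in from `info.FullMethod` and `metadata.FromIncomingContext`. `AuthConfig`, `Authorize`, `MintToken`, `DemoConfig`, the issuer URL, the `scope` claim and the `/example.Flow/Run` method name are all assumptions made for the example; the keyset is a constructed in-memory map standing in for what JWKS discovery or `PEERDB_OAUTH_KEYSET_JSON` would supply, and tokens are EdDSA (RFC 8037) so the whole thing runs on the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// AuthConfig is an assumed stand-in for the PR's PEERDB_OAUTH_* settings, not the project's type.
type AuthConfig struct {
	IssuerURL       string                       // expected "iss" (PEERDB_OAUTH_ISSUER_URL)
	Keys            map[string]ed25519.PublicKey // kid -> verification key (constructed JWKS stand-in)
	ClaimKey        string                       // PEERDB_OAUTH_JWT_CLAIM_KEY
	ClaimValue      string                       // PEERDB_OAUTH_JWT_CLAIM_VALUE
	Unauthenticated map[string]struct{}          // full RPC names that bypass auth
}

var b64 = base64.RawURLEncoding

func decodeJSON(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyJWT: pinned algorithm, known kid, valid signature, then issuer and custom claim.
func verifyJWT(cfg *AuthConfig, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	// The server, not the token, picks the algorithm; "none" is rejected here.
	if hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected alg")
	}
	key, ok := cfg.Keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(key, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	// Claims are decoded and trusted only after the signature has been verified.
	var claims map[string]any
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != cfg.IssuerURL {
		return nil, errors.New("issuer mismatch")
	}
	if cfg.ClaimKey != "" && claims[cfg.ClaimKey] != cfg.ClaimValue {
		return nil, errors.New("custom claim mismatch")
	}
	return claims, nil
}

// Authorize is the per-call decision an interceptor makes from info.FullMethod and
// the incoming metadata: skip-listed RPCs pass, all others need a valid bearer token.
func Authorize(cfg *AuthConfig, fullMethod string, md map[string][]string) error {
	if _, skip := cfg.Unauthenticated[fullMethod]; skip {
		return nil
	}
	vals := md["authorization"]
	if len(vals) != 1 || !strings.HasPrefix(vals[0], "Bearer ") {
		return errors.New("missing bearer token")
	}
	_, err := verifyJWT(cfg, strings.TrimPrefix(vals[0], "Bearer "))
	return err
}

// MintToken signs claims the way an issuer would; used here only to construct input.
func MintToken(priv ed25519.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// DemoConfig returns a constructed config (fresh key pair, placeholder issuer, the
// standard gRPC health Check RPC on the skip list) and the matching signing key.
func DemoConfig() (*AuthConfig, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &AuthConfig{
		IssuerURL:       "https://issuer.example/",
		Keys:            map[string]ed25519.PublicKey{"k1": pub},
		ClaimKey:        "scope",
		ClaimValue:      "flow:write",
		Unauthenticated: map[string]struct{}{"/grpc.health.v1.Health/Check": {}},
	}, priv
}
```

The ordering inside `verifyJWT` is the point worth keeping when wiring this into the real interceptor: algorithm and key are chosen by the server, the signature is checked before any claim is read, and only then are the issuer and the configured key/value pair compared. The skip list is consulted first in `Authorize`, so a health probe without any metadata gets through while every other RPC name is held to the token check.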