PeerDB-io / peerdb

Fast, Simple and a cost effective tool to replicate data from Postgres to Data Warehouses, Queues and Storage
https://peerdb.io

support grpc oauth #1980

Closed serprex closed 3 weeks ago

serprex commented 1 month ago

Enables using OAuth2 for calls to the Flow API

Requires the following env vars:

Health Endpoints are explicitly excluded from auth.

iamKunalGupta commented 1 month ago

@serprex we need to exclude the health route from auth

serprex commented 1 month ago

> @serprex we need to exclude the health route from auth

https://pkg.go.dev/google.golang.org/grpc#UnaryClientInterceptor

method is the RPC name

can check that for skips

iamKunalGupta commented 1 month ago

> > @serprex we need to exclude the health route from auth
>
> https://pkg.go.dev/google.golang.org/grpc#UnaryClientInterceptor
>
> method is the RPC name
>
> can check that for skips

Something I have done in the past:

```go
// AuthConfig, Authorize and logging belong to the commenter's own code base and are not shown here.
// Standard imports needed: "context" and "google.golang.org/grpc".
func CreateAuthServerInterceptor(authConfig *AuthConfig, unauthenticatedMethods []string) grpc.UnaryServerInterceptor {
    // Build a set of full method names that skip authentication (exact match).
    unauthenticatedMethodsMap := make(map[string]struct{}, len(unauthenticatedMethods))
    for _, method := range unauthenticatedMethods {
        unauthenticatedMethodsMap[method] = struct{}{}
    }
    if authConfig.Disabled {
        // Auth switched off: log it loudly and pass every call straight through.
        logging.Log().Warn("Authentication is disabled for the current server")
        return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
            return handler(ctx, req)
        }
    }
    // Can add configuration and use auth accordingly
    return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
        // info.FullMethod has the form "/package.Service/Method".
        // Only methods absent from the skip set are authorized.
        if _, unauthorized := unauthenticatedMethodsMap[info.FullMethod]; !unauthorized {
            // TODO add recover in case of panics here
            var err error
            ctx, err = Authorize(ctx, authConfig)
            if err != nil {
                return nil, err
            }
        }
        resp, err = handler(ctx, req)
        return resp, err
    }
}
```

pjhampton commented 3 weeks ago

LGTM with some additional testing
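
The health-route exclusion discussed in this thread, as an added example that is not part of the PR or of PeerDB's code: a standard-library-only model of the decision a server interceptor makes, taking the full method name and the request metadata as plain values. `Gate`, `demoGate`, the `/example.v1.Demo/DoWork` method and the token are constructed for illustration, and the token check is a stand-in for real OAuth2 validation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrUnauthenticated = errors.New("unauthenticated")

// Gate (hypothetical, added example) holds the auth-exempt method names and a verifier.
type Gate struct {
	Exempt map[string]bool
	Verify func(token string) error // stand-in for real OAuth2 token validation
}

// Check sees what an interceptor sees: full method name and metadata (lowercase keys in grpc-go).
func (g *Gate) Check(fullMethod string, md map[string][]string) error {
	if g.Exempt[fullMethod] { // exact match only, never a prefix test
		return nil
	}
	vals := md["authorization"]
	if len(vals) != 1 { // missing or duplicated header: fail closed
		return ErrUnauthenticated
	}
	scheme, token, found := strings.Cut(vals[0], " ")
	if !found || !strings.EqualFold(scheme, "Bearer") || token == "" {
		return ErrUnauthenticated
	}
	if err := g.Verify(token); err != nil {
		return fmt.Errorf("%w: %v", ErrUnauthenticated, err)
	}
	return nil
}

// demoGate exempts the standard gRPC health service and accepts one constructed token.
func demoGate() *Gate {
	return &Gate{
		Exempt: map[string]bool{"/grpc.health.v1.Health/Check": true, "/grpc.health.v1.Health/Watch": true},
		Verify: func(tok string) error {
			if tok != "constructed-token" {
				return errors.New("token rejected")
			}
			return nil
		},
	}
}

func main() {
	fmt.Println(demoGate().Check("/grpc.health.v1.Health/Check", nil), demoGate().Check("/example.v1.Demo/DoWork", nil))
}
```

Because the exemption is an exact lookup on the full method name, a lookalike such as `/grpc.health.v1.Health/CheckX` still requires a token.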