Open MalteJ opened 7 years ago
@MalteJ thank you for your issue. I don't think anything prevents you from using tls.RequireAndVerifyClientCert as your ClientAuth parameter in your http server. This project doesn't mandate anything with regard to tls configuration.
If using mutual auth, (*http.Request) should have the TLS.PeerCertificates slice populated, which would allow you to inspect the tls configuration used for the connection. It would be great if we could provide an example showing how to take that information and put it into grpc metadata.
Would you be willing to contribute such an example?
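Added example (not code from this thread or from the grpc-gateway project): a standard-library middleware for the approach described above, which requires and verifies the client certificate and then passes its identity on as request headers. The header names, `clientCertToMetadata`, `newServer` and the `:8443` address are assumptions; the example relies on grpc-gateway's default header matcher forwarding `Grpc-Metadata-*` request headers as gRPC metadata.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"net/http"
)

// Hypothetical header names; the "Grpc-Metadata-" prefix is what the gateway forwards.
const cnHeader = "Grpc-Metadata-Client-Cn"
const fpHeader = "Grpc-Metadata-Client-Cert-Sha256"

// clientCertToMetadata wraps the gateway mux and replaces any caller-supplied
// identity headers with values taken from the verified TLS peer certificate.
func clientCertToMetadata(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Never trust identity headers sent by the client itself.
		r.Header.Del(cnHeader)
		r.Header.Del(fpHeader)
		// VerifiedChains is only populated when the handshake validated the
		// certificate against ClientCAs.
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		leaf := r.TLS.PeerCertificates[0]
		sum := sha256.Sum256(leaf.Raw)
		r.Header.Set(cnHeader, leaf.Subject.CommonName)
		r.Header.Set(fpHeader, hex.EncodeToString(sum[:]))
		next.ServeHTTP(w, r)
	})
}

// newServer builds the HTTPS front end; caPool holds the CA that signs client certs.
func newServer(addr string, caPool *x509.CertPool, gwmux http.Handler) *http.Server {
	return &http.Server{
		Addr:      addr,
		Handler:   clientCertToMetadata(gwmux),
		TLSConfig: &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caPool},
	}
}

func main() {
	srv := newServer(":8443", x509.NewCertPool(), http.NotFoundHandler()) // constructed values
	fmt.Println(srv.Addr, srv.TLSConfig.ClientAuth)
}
```

The gRPC server behind the gateway should accept these metadata keys only from the gateway's own connection, since a direct gRPC caller could otherwise set them freely.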
I'm currently working on such a configuration as well. I started with the example code from https://github.com/philips/grpc-gateway-example (i.e. REST and gRPC share the same port). Please let me share my current problem because I'm not sure if I'm missing something:
There's this initialization call to
err := pb.RegisterEchoServiceHandlerFromEndpoint(ctx, gwmux, demoAddr, dopts)
With mutual TLS authentication the DialOptions dopts now require a client certificate for the relay call to gRPC. My problem is that these are static options (i.e. they use a single, static client certificate) for the lifetime of the service.
However, I actually want to use the dynamic client certificate of the user who called the REST API endpoint for the internal grpc.Dial() to the gRPC handler, too.
My current implementation works fine if I call the service via gRPC. Using the REST endpoint the mutual authentication works, too. However, the internal relay call to gRPC always uses the same client certificate.
Hi there,
I am facing the same problem.
I need to retrieve the client certificate info from the rpc method but the internal call between the gateway and the grpc stub is done with the server certificate...
Is there a way to force the gateway to forward the client certificate to grpc?
Thank you ;)
Is there a way to force the gateway to forward the client certificate to grpc?
I am interested in this as well, any updates on this?
The gRPC gateway is its own http server, so the only thing you can do is to use the same certificate for the gRPC gateway, unfortunately.
Same thing for the client side of things, it's its own http client, so while you could attach client certificate information to gRPC metadata, you can't forward the certificate itself.
Has anyone been able to do this with gRPC? I'm running into a similar issue - I want to secure calls into an API from an external known server via mTLS.
Hi,
is there a way to do mutual TLS authentication between the client and grpc-gateway? I'd like to check if the client's public key is in a list or the certificate is signed by a specific CA and copy the client's name or the certificate's common name to grpc metadata. Sounds like a use case for some middleware, right?
Best, Malte