grpc-ecosystem / grpc-gateway

gRPC to JSON proxy generator following the gRPC HTTP spec
https://grpc-ecosystem.github.io/grpc-gateway/
BSD 3-Clause "New" or "Revised" License
17.69k stars 2.18k forks

docs: provide example of mutual TLS authentication #350

Open MalteJ opened 7 years ago

MalteJ commented 7 years ago

Hi,

is there a way to do mutual TLS authentication between the client and grpc-gateway? I'd like to check if the client's public key is in a list or the certificate is signed by a specific CA and copy the client's name or the certificate's common name to grpc metadata. Sounds like a use case for some middleware, right?

Best, Malte

tmc commented 7 years ago

@MalteJ thank you for your issue. I don't think anything prevents you from using tls.RequireAndVerifyClientCert as your ClientAuth parameter in your http server. This project doesn't mandate anything with regard to tls configuration.

If using mutual auth, the *http.Request should have the TLS.PeerCertificates slice populated, which would allow you to inspect the tls configuration used for the connection. It would be great if we could provide an example showing how to take that information and put it into grpc metadata.

Would you be willing to contribute such an example?

knweiss commented 6 years ago

I'm currently working on such a configuration as well. I started with the example code from https://github.com/philips/grpc-gateway-example (i.e. REST and gRPC share the same port). Please let me share my current problem because I'm not sure if I'm missing something:

There's this initialization call to

err := pb.RegisterEchoServiceHandlerFromEndpoint(ctx, gwmux, demoAddr, dopts)

With mutual TLS authentication the DialOptions dopts now require a client certificate for the relay call to gRPC. My problem is that these are static options (i.e. they use a single, static client certificate) for the lifetime of the service.

However, I actually want to use the dynamic client certificate of the user who called the REST API endpoint for the internal grpc.Dial() to the gRPC handler, too.

My current implementation works fine if I call the service via gRPC. Using the REST endpoint, the mutual authentication works, too. However, the internal relay call to gRPC always uses the same client certificate.

bleleve commented 6 years ago

Hi there,

I am facing the same problem.

I need to retrieve the client certificate info from the rpc method, but the internal call between the gateway and the grpc stub is done with the server certificate...

Is there a way to force the gateway to forward the client certificate to grpc?

Thank you ;)

hexfusion commented 5 years ago

> Is there a way to force the gateway to forward the client certificate to grpc?

I am interested in this as well, any updates on this?

johanbrandhorst commented 5 years ago

The gRPC gateway is its own http server, so the only thing you can do is to use the same certificate for the gRPC gateway, unfortunately.

johanbrandhorst commented 5 years ago

Same thing for the client side of things, it's its own http client, so while you could attach client certificate information to gRPC metadata, you can't forward the certificate itself.
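The approach tmc outlines above (require and verify a client certificate on the gateway's own HTTPS listener, then read `r.TLS.PeerCertificates` and copy what you need into gRPC metadata), combined with johanbrandhorst's point that only certificate *information*, not the certificate itself, can travel to the gRPC backend, looks roughly like the following in Go. This is an added example, not code from the grpc-gateway project or from anyone in this thread. It assumes: the metadata key names `x-client-cn` and `x-client-spki-sha256` (chosen here), a local `MD` type standing in for `google.golang.org/grpc/metadata.MD` (same underlying `map[string][]string`) so the block builds with the standard library only, and a throwaway self-signed certificate minted in-process so it runs offline. In a real deployment you would return `metadata.MD` from the annotator and pass it to `runtime.WithMetadata` when constructing the `ServeMux`, and the gRPC service would read these keys from incoming metadata while trusting only the gateway's own (static) client certificate as their source.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// MD stands in for grpc's metadata.MD (underlying type map[string][]string) so the
// example builds with the standard library only.
type MD map[string][]string

// MutualTLSConfig is the tls.Config for the gateway's own HTTPS listener: it demands a
// client certificate chaining to one of clientCAs (tls.RequireAndVerifyClientCert).
func MutualTLSConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	}
}

// SPKIFingerprint is hex SHA-256 over SubjectPublicKeyInfo: a stable allow-list key
// for "is this client's public key in my list".
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ClientCertAnnotator has the shape runtime.WithMetadata accepts. It copies the verified
// leaf's common name and key fingerprint into metadata; with a non-empty allowedSPKI set,
// an unlisted key yields no identity metadata at all. Key names are chosen for this example.
func ClientCertAnnotator(allowedSPKI map[string]bool) func(context.Context, *http.Request) MD {
	return func(_ context.Context, r *http.Request) MD {
		md := MD{}
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			return md // no client certificate presented: assert nothing
		}
		// PeerCertificates[0] is the leaf the handshake already verified against ClientCAs.
		leaf := r.TLS.PeerCertificates[0]
		fp := SPKIFingerprint(leaf)
		if len(allowedSPKI) > 0 && !allowedSPKI[fp] {
			return md
		}
		md["x-client-cn"] = []string{leaf.Subject.CommonName}
		md["x-client-spki-sha256"] = []string{fp}
		return md
	}
}

// StripSpoofableHeaders drops client-supplied Grpc-Metadata-* copies of those two keys;
// grpc-gateway's default header matcher would otherwise map them into metadata too.
func StripSpoofableHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Grpc-Metadata-X-Client-Cn")
		r.Header.Del("Grpc-Metadata-X-Client-Spki-Sha256")
		next.ServeHTTP(w, r)
	})
}

// SelfSignedCert mints a throwaway client certificate so the example runs offline;
// a real deployment presents certificates issued by the CA in clientCAs.
func SelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SelfSignedCert("api-client-01")
	if err != nil {
		panic(err)
	}
	// Fake what the TLS handshake fills in on r.TLS for a request that presented cert.
	r, _ := http.NewRequest(http.MethodGet, "https://gateway.example/v1/echo", nil)
	r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}
	fmt.Println(ClientCertAnnotator(nil)(context.Background(), r))
}
```

Wire it up as `http.Server{TLSConfig: MutualTLSConfig(...), Handler: StripSpoofableHeaders(gwmux)}` with the annotator passed via `runtime.WithMetadata`. The header-stripping wrapper matters because grpc-gateway maps `Grpc-Metadata-<key>` request headers into metadata by default, so without it a caller could supply its own `x-client-cn` value alongside the one the annotator derives from the verified certificate. The fingerprint allow list implements the "is the client's public key in a list" check from the opening post; the CA check itself is done by the TLS layer through `ClientCAs` before the handler ever runs.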

EricJDev90 commented 4 months ago

> > Is there a way to force the gateway to forward the client certificate to grpc?
>
> I am interested in this as well, any updates on this?

Has anyone been able to do this with gRPC? I'm running into a similar issue - I want to secure calls into an API from an external known server via mTLS