grpc / grpc-web

gRPC for Web Clients
https://grpc.io
Apache License 2.0

Is it possible to do Mutual TLS (or client certificate authentication) in grpc-web against a grpc java server? #1179

Closed umapriyadarsi closed 2 years ago

umapriyadarsi commented 2 years ago

Put simply, I want to know if I can have a frontend using grpc in javascript and be compatible with client certificate authentication against a grpc java server as documented here in grpc-java's SECURITY.md?

sampajano commented 2 years ago

Hi :)

I'm assuming you're talking about a browser environment?

As far as I understand, I don't think something like specifying an SSL certificate is possible in a browser environment.. (usually auth is done using HTTP headers etc.)

But if you're asking about a Node server then I'm not really sure.. But at least there isn't any code in the grpc-web JS library that knows how to handle SSL certs..

Hope that answers your question.. :)

umapriyadarsi commented 2 years ago

@sampajano thanks for that. Two more questions please:

FYI, for my user facing application I wanted to use browser but because of the above two known limitations in gRPC-Web I couldn't opt for gRPC-Web.

sampajano commented 2 years ago

> is mutual TLS in the roadmap at least for gRPC-Web?

No sorry it's not currently. Do you have any pointers to how to possibly do that from the browser? It's new to me entirely.. :)

> Will gRPC-Web ever work without a proxy?

Also not likely.. AFAIU this is because browsers do not provide the HTTP/2 APIs (e.g. framing) needed by the native gRPC protocol. See documentation on the grpc-web protocol for more details.

> FYI, for my user facing application I wanted to use browser but because of the above two known limitations in gRPC-Web I couldn't opt for gRPC-Web.

Yeah understood. Sorry for the current limitations :)
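
The two points made in this thread (credentials travel in HTTP headers, and grpc-web carries its own framing because the browser hides HTTP/2 framing and trailers), shown as an added example that is not code from the thread participants or from the grpc-web library. The function names, the `token` parameter and the sample bytes are assumptions made for illustration; the frame layout follows the grpc-web protocol document mentioned above.

```javascript
// Frame = 1 flag byte (0x80 set => trailers, else message) + 4-byte big-endian length + payload.
const TRAILER_FLAG = 0x80;

function encodeFrame(payload, flags = 0x00) {
  const out = new Uint8Array(5 + payload.length);
  out[0] = flags;
  new DataView(out.buffer).setUint32(1, payload.length, false);
  out.set(payload, 5);
  return out;
}

// Build the pieces a browser would hand to fetch(); the credential rides in a header.
// `token` is a hypothetical bearer token obtained by the app's own login flow.
function buildRequest(messageBytes, token) {
  return {
    method: "POST",
    headers: {
      "content-type": "application/grpc-web+proto",
      "x-grpc-web": "1",
      authorization: `Bearer ${token}`,
    },
    body: encodeFrame(messageBytes),
  };
}

// Split a response body into message payloads and the in-body trailer block.
function decodeBody(body) {
  const view = new DataView(body.buffer, body.byteOffset, body.byteLength);
  const messages = [], trailers = {};
  let off = 0;
  while (off < body.length) {
    if (body.length - off < 5) throw new Error("truncated frame header");
    const flags = body[off];
    const len = view.getUint32(off + 1, false);
    const end = off + 5 + len;
    if (end > body.length) throw new Error("truncated frame payload");
    const payload = body.subarray(off + 5, end);
    if (flags & TRAILER_FLAG) {
      // Trailers arrive as an HTTP/1-style header block inside the body.
      for (const line of new TextDecoder().decode(payload).split("\r\n")) {
        const i = line.indexOf(":");
        if (i > 0) trailers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
      }
    } else {
      messages.push(payload);
    }
    off = end;
  }
  return { messages, trailers };
}
```

A server or proxy that rejects the header credential reports it in the trailer frame (for example `grpc-status` 16, UNAUTHENTICATED), which is why the client has to parse trailers out of the body rather than rely on HTTP/2 trailers.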