hyperium / tonic

A native gRPC client & server implementation with async/await support.
https://docs.rs/tonic
MIT License

Call credentials or per-call authentication #687

Closed matze closed 1 year ago

matze commented 3 years ago

Feature Request

Motivation

In order to implement a self-contained CA, I would like to issue a client certificate via a gRPC endpoint (and verify the cert via a side channel). However, once client authentication is enabled, all endpoints have to be called with a client certificate. Excluding certain calls from authentication or having call credentials would allow me to implement that.

Proposal

I am not in a position to say if these proposals are possible or not, but I'd see it like this:

Alternatives

I could start a separate non-authenticated server that just issues certificates but that is annoying because of the second port, sharing the cert information with the actual server etc.

LucioFranco commented 3 years ago

I believe this would require configuring how we apply rustls and I am not an expert there. I would recommend looking through how you might approach this without tonic with a tcp/http stream. That solution should then be applicable to tonic.

dufkan commented 1 year ago

I believe this is solved by https://github.com/hyperium/tonic/pull/1163.

matze commented 1 year ago

Thanks! I will check once a release is made.
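The policy this thread converges on has two halves: make the client certificate optional at the TLS layer so the handshake no longer rejects callers without one (PR #1163 is, as I recall, the `ServerTlsConfig::client_auth_optional` change; treat that name as an assumption, the thread does not spell it out), then decide per call, in an interceptor, which methods may proceed without a certificate and what credential they need instead. The block below is an added example, not code from tonic or from anyone in this thread. It models that per-call decision with std-only types so it runs without the crate: `Request`, `peer_certs`, the method path `/ca.Ca/IssueCertificate`, the enrollment token and the placeholder DER bytes are all constructed for the example; in a real interceptor the same inputs would come from `tonic::Request`, its metadata map and `Request::peer_certs()` (assumed tonic names, not shown on this page).

```rust
use std::collections::HashMap;

/// Stand-in for what an interceptor sees on each call. Constructed for this
/// example; in tonic the equivalents would be `tonic::Request`, its metadata
/// map and `Request::peer_certs()` (assumed names, not taken from this page).
#[derive(Debug, Default)]
pub struct Request {
    /// Full gRPC method path, e.g. "/ca.Ca/IssueCertificate".
    pub method: String,
    /// Request metadata with lower-cased keys, as gRPC requires.
    pub metadata: HashMap<String, String>,
    /// DER-encoded client chain if the TLS handshake presented one. With optional
    /// client auth a chain that fails verification is still rejected during the
    /// handshake, so `Some` here means "verified against the configured client CA".
    pub peer_certs: Option<Vec<Vec<u8>>>,
}

#[derive(Debug, PartialEq)]
pub struct Unauthenticated(pub &'static str);

pub struct Policy {
    /// Methods callable without a client certificate, e.g. the enrollment call
    /// that issues the certificate in the first place.
    pub cert_optional_methods: Vec<&'static str>,
    /// Enrollment tokens handed out over the side channel; a stand-in for
    /// whatever per-call credential the deployment actually uses.
    pub enrollment_tokens: Vec<Vec<u8>>,
}

/// Constant-time equality so a token mismatch doesn't leak where it diverged.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl Policy {
    /// Decide whether `req` may proceed; the error carries the reason to report.
    pub fn authorize(&self, req: &Request) -> Result<(), Unauthenticated> {
        // A verified client certificate authenticates every method.
        if req.peer_certs.as_ref().map_or(false, |chain| !chain.is_empty()) {
            return Ok(());
        }
        // Without one, only the explicitly exempted methods are reachable at all.
        if !self.cert_optional_methods.contains(&req.method.as_str()) {
            return Err(Unauthenticated("client certificate required"));
        }
        // And those still need a per-call credential carried in the metadata.
        let token = req
            .metadata
            .get("authorization")
            .and_then(|v| v.strip_prefix("Bearer "))
            .ok_or(Unauthenticated("missing bearer token"))?;
        if self.enrollment_tokens.iter().any(|t| ct_eq(t, token.as_bytes())) {
            Ok(())
        } else {
            Err(Unauthenticated("invalid enrollment token"))
        }
    }
}

/// Policy used by `main`: one exempted method and one constructed token.
pub fn example_policy() -> Policy {
    Policy {
        cert_optional_methods: vec!["/ca.Ca/IssueCertificate"],
        enrollment_tokens: vec![b"enroll-7f3a9c".to_vec()],
    }
}

/// Build a constructed request: optional bearer token, optional (fake) client cert.
pub fn request(method: &str, bearer: Option<&str>, with_cert: bool) -> Request {
    let mut metadata = HashMap::new();
    if let Some(t) = bearer {
        metadata.insert("authorization".to_string(), format!("Bearer {t}"));
    }
    Request {
        method: method.to_string(),
        metadata,
        // A real interceptor receives the chain rustls already verified; placeholder bytes here.
        peer_certs: with_cert.then(|| vec![b"<der client cert>".to_vec()]),
    }
}

fn main() {
    let policy = example_policy();
    let cases = [
        ("enroll with token, no cert", request("/ca.Ca/IssueCertificate", Some("enroll-7f3a9c"), false)),
        ("enroll with wrong token", request("/ca.Ca/IssueCertificate", Some("guess"), false)),
        ("protected call without cert", request("/ca.Ca/Revoke", Some("enroll-7f3a9c"), false)),
        ("protected call with cert", request("/ca.Ca/Revoke", None, true)),
    ];
    for (label, req) in &cases {
        println!("{label}: {:?}", policy.authorize(req));
    }
}
```

Two caveats worth keeping in mind when wiring this into a real server: making the certificate optional only removes the handshake-level rejection, so every method not on the exempt list must be denied by the interceptor (the default branch above), and the exempt enrollment method is reachable by anyone on the network, so it needs its own credential and rate limiting rather than being left open.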