HTTP-level server-side authentication

[nodirt]

Is there a plan to support HTTP-level authentication, such as OAuth? The currently existing credentials.TransportAuthenticator supports transport-level authentication (works at net.Conn level). However in order to perform OAuth authentication, one needs access to HTTP headers ("Authorization" header).

[iamqizhao]

It has been supported (https://github.com/grpc/grpc-go/blob/master/credentials/oauth/oauth.go).

[nodirt]

oauth.go implements client-side oauth, while this bug is about server-side oauth. In other words, the code that reads "Authorization" HTTP header, communicates to an authority to verify the access token and puts a peer.Peer to the context.

[iamqizhao]

yup, some hook need to be added so that the token can be verified. We have not fleshed out the design. Do you have proposal here? :)

[nodirt]

Basically we need to be able to inject something like

type MetadataAuthenticator interface {
    // AuthFromMetadata validates metadata and returns AuthInfo.
    // May block.
    AuthFromMetadata(md metadata.MD) (AuthInfo, error)  
}

to grpc.Server, so it calls AuthFromMetadata with the metadata parsed from request headers. On success, puts AuthInfo to the peer.Peer in context. Otherwise reply with HTTP 401.

However, I am not sure

• whether this should happen sometime in the beginning of a HTTP2 request on every stream. Probably once.
• why credentials.TransportAuthenticator has to implement credentials.Credentials. GetRequestMetadata has nothing to do with server-side authentication. IMO this part of the design should be revisited, maybe client- and server- authentication should be split. To me grpc.Creds func is confusing (as a server owner, I want to check creds of clients, not provide creds) and should be renamed to something like Auth that accepts an interface for server-side authentication.

[iamqizhao]

Merging this to #240 which I am actively working on.