Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Call credentials or per-call authentication #687

Closed
matze opened this issue Jun 21, 2021 · 3 comments · Fixed by #1337
Closed

Call credentials or per-call authentication #687

matze opened this issue Jun 21, 2021 · 3 comments · Fixed by #1337

Comments

@matze
Copy link
Contributor

matze commented Jun 21, 2021

Feature Request

Motivation

In order to implement a self-contained CA, I would like to issue a client certificate via a gRPC endpoint (and verify the cert via a side channel). However, once client authentication is enabled, all endpoints have to be called with a client certificate. Excluding certain calls from authentication or having call credentials would allow me to implement that.

Proposal

I am not in a position to say if it's these proposals are possible or not but I'd see it like this:

  • Either annotate calls with a macro to opt in or out of client authentication or
  • add an option that allows me to do the cert validation inside the call (and thus opt out if I deem so)

Alternatives

I could start a separate non-authenticated server that just issues certificates but that is annoying because of the second port, sharing the cert information with the actual server etc.

@LucioFranco
Copy link
Member

I believe this would require configuring how we apply rustls and I am not an expert there. I would recommend looking through how you might approach this without tonic with a tcp/http stream. That solution should then be applicable to tonic.

dufkan added a commit to dufkan/tonic that referenced this issue Nov 26, 2022
Previously there were only two options for client authentication –
either no authentication or mandatory authentication. With this change,
a server can allow for optional authentication with a given root CA
certificate and enforce client authentication on a per-request basis.

Refs: hyperium#687
dufkan added a commit to dufkan/tonic that referenced this issue Nov 28, 2022
Previously there were only two options for client authentication –
either no authentication or mandatory authentication. With this change,
a server can allow for optional authentication with a given root CA
certificate and enforce client authentication on a per-request basis.

Refs: hyperium#687
dufkan added a commit to dufkan/tonic that referenced this issue Feb 15, 2023
Previously there were only two options for client authentication –
either no authentication or mandatory authentication. With this change,
a server can allow for optional authentication with a given root CA
certificate and enforce client authentication on a per-request basis.

Refs: hyperium#687
dufkan added a commit to dufkan/tonic that referenced this issue Feb 15, 2023
Previously there were only two options for client authentication –
either no authentication or mandatory authentication. With this change,
a server can allow for optional authentication with a given root CA
certificate and enforce client authentication on a per-request basis.

Refs: hyperium#687
LucioFranco added a commit that referenced this issue Feb 16, 2023
* feat(tls): add an option for optional TLS client authentication

Previously there were only two options for client authentication –
either no authentication or mandatory authentication. With this change,
a server can allow for optional authentication with a given root CA
certificate and enforce client authentication on a per-request basis.

Refs: #687

* Update tonic/src/transport/server/tls.rs

---------

Co-authored-by: Lucio Franco <[email protected]>
@dufkan
Copy link
Contributor

dufkan commented Feb 26, 2023

I believe this is solved by #1163.

@matze
Copy link
Contributor Author

matze commented Feb 27, 2023

Thanks! I will check once a release is made.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants