Examples: Add a JWT authentication example by anarsultanov · Pull Request #5915 · grpc/grpc-java

anarsultanov · 2019-06-21T08:54:07Z

thelinuxfoundation · 2019-06-21T08:54:09Z

Thank you for your pull request. Before we can look at your contribution, we need to ensure all contributors are covered by a Contributor License Agreement.

After the following items are addressed, please respond with a new comment here, and the automated system will re-verify.

User @anarsultanov isn't covered by a CLA. They will need to complete the form at https://identity.linuxfoundation.org/projects/cncf

Regards,
CLA GitHub bot

dapengzhang0 · 2019-08-07T17:39:20Z

ping reviewers

dapengzhang0 · 2019-08-26T21:14:02Z

@sanjaypujare @ejona86 ping

linux-foundation-easycla · 2019-08-29T13:45:44Z

The committers are authorized under a signed CLA.

✅ Anar Sultanov (cd8ae0a, 3b8516c, feaf962, 1c7989c)

anarsultanov · 2019-09-06T09:47:08Z

@dapengzhang0 @sanjaypujare @ejona86 all comments are resolved. Anything else?

sanjaypujare · 2019-09-06T17:09:05Z

I haven't finished my review yet. Give me another day - sorry about the delay

sanjaypujare

This LGTM. But chatting with @ejona86 it looks like he has some comments/questions so I would wait for his comments before merging this.

sanjaypujare · 2019-09-16T23:43:17Z

This LGTM. But chatting with @ejona86 it looks like he has some comments/questions so I would wait for his comments before merging this.

Ping @ejona86

anarsultanov · 2019-12-03T09:40:15Z

@ejona86 any plans to review / merge this?

ejona86

Some fairly easy changes, necessary, but otherwise LGTM. I'm most concerned about the BearerToken comment, since I've seen far too much code pass around plain jwt/oauth tokens without a way to refresh, and I don't want to inadvertently encourage that behavior.

ejona86 · 2020-03-12T20:49:25Z

+    HelloRequest request = HelloRequest.newBuilder().setName(name).build();
+
+    String jwt = getJwt(clientId); // build JWT
+    CallCredentials credentials = new BearerToken(jwt); // Wrap JWT in CallCredentials


The call credential should be responsible for making sure the JWT is valid, so building the JWT should really be part of the CallCredential, so that it can be re-created automatically before it expires. I see there is no expiration involved here, so maybe a comment here is enough. But given how simple getJwt() is, it seems much better to move that into the CallCredential and rename it to be JwtCredential or some such (just passing the clientId). (Feel free to create the JWT in the constructor.)

I accept that something like BearerToken is appropriate at times, but it's not something that is best copied for the majority of cases.

ejona86 · 2020-03-12T20:56:21Z

+            .withValue(Constant.CLIENT_ID_CONTEXT_KEY, claims.getBody().getSubject());
+        return Contexts.interceptCall(ctx, serverCall, metadata, serverCallHandler);
+      } catch (Exception e) {
+        status = Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e);


This error handling worries me. I'd feel much better if this try did not include Contexts.interceptCall(), since that will be arbitrary code and there is no telling if the exception message strings may leak inappropriate information.

I'd also be more comfortable if catch just caught JwtException (or MalformedJwtException+SignatureException+ExpiredJwtException).

ejona86 · 2020-03-12T20:58:51Z

+      }
+    }
+
+    serverCall.close(status, metadata);


s/metadata/new Metadata()/

Using metadata will echo back the request metadata, which isn't appropriate.

creamsoup

LGTM

voidzcy · 2020-03-17T22:36:02Z

I updated this PR according to @ejona86's comment (last three commits). PTAL.

creamsoup · 2020-03-17T23:03:51Z

I updated this PR according to @ejona86's comment (last three commits). PTAL.

LGTM i think it is ready to merge!

creamsoup · 2020-03-18T00:45:00Z

finally it is merged, thanks @anarsultanov. This will help our users a lot!

Examples: Add a JWT authentication example

cd8ae0a

dapengzhang0 reviewed Jun 21, 2019

View reviewed changes

Comment thread examples/build.gradle Outdated

anarsultanov force-pushed the #5665-authentication-example branch 2 times, most recently from 8f238cd to c8a7842 Compare June 22, 2019 15:26

Examples: Move the JWT authentication example to a separate directory

3b8516c

anarsultanov force-pushed the #5665-authentication-example branch from c8a7842 to 3b8516c Compare June 23, 2019 10:38

dapengzhang0 reviewed Jun 26, 2019

View reviewed changes

dapengzhang0 requested a review from sanjaypujare June 26, 2019 20:01

Examples: Make requested changes to JWT authentication example

feaf962

dapengzhang0 added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Jul 2, 2019

grpc-kokoro removed kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run labels Jul 2, 2019

dapengzhang0 requested a review from ejona86 July 2, 2019 20:25

sanjaypujare reviewed Aug 27, 2019

View reviewed changes

Comment thread examples/example-jwt-auth/README.md Outdated

sanjaypujare reviewed Aug 27, 2019

View reviewed changes

Comment thread examples/example-jwt-auth/README.md Outdated

Examples: Rename package and update README

1c7989c

dapengzhang0 added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Sep 6, 2019

grpc-kokoro removed the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Sep 6, 2019