Add Authentication support

Question

Add Authentication support

vdshb opened this issue 2 months ago · comments

This is basically a proposal to design and add an authentication support for RPC calls.

Michael Rittmeister · Answer 1 · Fri May 24 2024 18:54:39 GMT+0800 (China Standard Time)

I actually tried using this project to replace my previous approach using Ktor resources, however, this is indeed a blocker for me, whilst it would be possible to implement basic authentication (basic authentication features, not specifically http basic auth) using Ktors interceptors (when using ktor transport) I can't get the user, which started an RPC call.

I think the biggest issue is adding some sort of context parameter to the function call, since adding an extra parameter to every function in the interface is kinda ugly, maybe we could use a CoroutineContextElement?

Alexander Sysoev · Answer 2 · Mon May 27 2024 23:41:57 GMT+0800 (China Standard Time)

Hi!
I terms of Ktor integration (and thus kRPC protocol) - what we can do is pass WebSocketSession that created an instance of a service to that service.
Another approach with Ktor would be adding protected routes, which you can do already.
If you want to have authentication without binding to Ktor, I'd say kRPC protocol would not be able to do it yet. We are working on a more general approach, reviewing the questions like how to do it, or do we need it at all?
Please, add more of your use-cases here, it will greatly help us with the further improvement

Michael Rittmeister · Answer 3 · Tue May 28 2024 01:48:50 GMT+0800 (China Standard Time)

I did not realize, that all requests go through the websocket in my previous reply, so I did not realize passing the session is an option. Protected routes won't work for me, since I need to know the user making the call, but I could pass some query param to the websocket session like you suggested.

A non ktor approach is not needed for me rn, but others might want to do it with gRPC

Alexander Sysoev · Answer 4 · Tue May 28 2024 02:03:38 GMT+0800 (China Standard Time)

Ok, we will look into providing a way to access session then, thank you for the suggestion!

Alexander Sysoev · Answer 5 · Thu Jun 20 2024 15:14:59 GMT+0800 (China Standard Time)

Hi, again!
I started working on this, and realized that you already can access WebSocketSession on a server using rpc route context like this:

rpc("/my-rpc-endpoint") {
    val rpcRoute: RPCRoute = this // where RPCRoute is DefaultWebSocketServerSession
    val call: ApplicationCall = call // example accessing sessions's properties
}

This can not be done on a client however, so I would add this support