Call credentials or per-call authentication #687
Comments
I believe this would require configuring how we apply rustls and I am not an expert there. I would recommend looking through how you might approach this without tonic with a tcp/http stream. That solution should then be applicable to tonic.
dufkan added a commit to dufkan/tonic that referenced this issue Nov 26, 2022
Previously there were only two options for client authentication – either no authentication or mandatory authentication. With this change, a server can allow for optional authentication with a given root CA certificate and enforce client authentication on a per-request basis. Refs: hyperium#687
LucioFranco added a commit that referenced this issue Feb 16, 2023
* feat(tls): add an option for optional TLS client authentication

  Previously there were only two options for client authentication – either no authentication or mandatory authentication. With this change, a server can allow for optional authentication with a given root CA certificate and enforce client authentication on a per-request basis.

  Refs: #687

* Update tonic/src/transport/server/tls.rs

---------

Co-authored-by: Lucio Franco <luciofranco14@gmail.com>
I believe this is solved by #1163.
Thanks! I will check once a release is made.
Feature Request
Motivation
In order to implement a self-contained CA, I would like to issue a client certificate via a gRPC endpoint (and verify the cert via a side channel). However, once client authentication is enabled, all endpoints have to be called with a client certificate. Excluding certain calls from authentication or having call credentials would allow me to implement that.
Proposal
I am not in a position to say if these proposals are possible or not, but I'd see it like this:
Alternatives
I could start a separate non-authenticated server that just issues certificates but that is annoying because of the second port, sharing the cert information with the actual server etc.
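Added example (not from the issue and not tonic's own code): the per-request enforcement that optional client authentication makes necessary, written as a deny-by-default gate in std-only Rust. The method paths, `authorize` and `Decision` are hypothetical, and the peer certificate chain is modeled as an `Option` that is `None` when the handshake carried no client certificate.

```rust
// Added example: deny-by-default gate for a server whose TLS layer makes
// client certificates optional. All names here are hypothetical.

/// Outcome of the per-request check.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Method is on the enrollment allow-list; no client certificate needed.
    AllowAnonymous,
    /// Caller presented a chain that the TLS layer already verified.
    AllowAuthenticated,
    /// No verified client certificate and the method is not exempt.
    Deny,
}

/// gRPC method paths callable without a client certificate (constructed).
const ANONYMOUS_METHODS: &[&str] = &["/ca.Enrollment/IssueCertificate"];

/// `peer_certs` is the DER chain from the handshake, `None` when the client sent none.
pub fn authorize(method_path: &str, peer_certs: Option<&[Vec<u8>]>) -> Decision {
    // An empty chain is treated the same as no chain.
    let has_cert = peer_certs.map_or(false, |chain| !chain.is_empty());
    if has_cert {
        return Decision::AllowAuthenticated;
    }
    // Exact match only: prefix or case-insensitive matching would widen the exemption.
    if ANONYMOUS_METHODS.contains(&method_path) {
        Decision::AllowAnonymous
    } else {
        Decision::Deny
    }
}

fn main() {
    let chain = vec![vec![0x30u8, 0x82]]; // constructed placeholder bytes, not a real certificate
    for (path, certs) in [
        ("/ca.Enrollment/IssueCertificate", None),
        ("/ca.Admin/RevokeCertificate", None),
        ("/ca.Admin/RevokeCertificate", Some(chain.as_slice())),
    ] {
        println!("{path}: {:?}", authorize(path, certs));
    }
}
```

Running the gate in one shared layer in front of every handler keeps a newly added method denied until it is explicitly listed as anonymous.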