使用gRPC的基于定制通道的身份验证
如何在dotnet中使用gRPC进行简单的通道身份验证?
How can I do simple channel authentication with gRPC in dotnet?
我想在通道连接期间仅传递客户端计算机名称和客户端服务名称,并且然后能够一次将它们发送到服务器中,以识别请求来自何处。
I want to pass just the client machine name and the client service name during the channel connection, and then be able of getting those in the server once, as a way of identifying where are the request coming from.
我不想在每次调用中将它们作为元数据传递,并且我不想为此实现其他方法。我一直在看文档,并尝试实现一些抽象类,例如 ServerCredentials ,但是由于某些内部原因,即使有可能,我也看不到怎么办
I do not want to pass them as metadata in every call, and I do not want to implement an additional method for that. I have been taking a look to the documentation and trying to implement some abstract classes like ServerCredentials but I do not see how it would be done neither if it is even possible due some internal classes.
我当然不想为此使用SSL证书,也不想使用OAuth2。
Of course I do not want to use SSL certs for this, neither OAuth2.
验证元数据中的数据
在元数据中传递它们是一个很好的解决方案。看看 hpack 。您的标头将被压缩,仅占用几个字节。
Auth Data in Metadata
Passing them in metadata one good solution. Take a look at hpack. Your header will be compressed, will take only a few bytes.
您无法将您的身份验证数据绑定到通道,因为在HTTP / 2中无法保证,相同的TCP通道将用于后续调用。
You cannot bind your auth data to the channel, as it is not guaranteed in HTTP/2, that the same TCP channel will be used for subsequent calls.
也就是说,我仍在等待GRPC Java团队针对基于元数据的自定义身份验证提供适当的示例。
That said, I am still waiting for a proper example form the GRPC java team on Metadata based custom authentication.
基于流的身份验证也是一种选择,如果您想在后续调用之间保存身份验证数据相同的API。在我的解释中,这意味着您仅必须在流的开头传递身份验证数据。然后,您的StreamObserver可以保存身份验证数据,并在随后的 onNext()调用中重复使用。我使用这种方法,效果很好。
Stream-based authentication is also an option in case you want to save auth data between subsequent calls of the same API. In my interpretation this it means, that you have to pass authentication data only in the beginning of a stream. Your StreamObserver can then save the authentication data and reuse it in subsequent onNext() calls. I use this approach, it works really well.
示例
service MyService {
rpc myFunction(stream MyMessage) returns (stream MyResponse)
}
message MyMessage {
string user = 1;
string password = 2;
int32 myMessageVariable = 3;
}
用户/密码只能在前一个中设置在。 requestObserever 上调用onNext(myMessage)
这实际上也很有效,因为在线上流由StreamId表示,StreamId是一个字节(取决于您同时打开了多少个流)。
user / password should only be set in the first onNext(myMessage) call on the requestObserever.
This is also really efficient, because on the wire the stream is represented by the StreamId which is a single byte (depending on how many streams you have open at the same time).