grpc/grpc-dotnet

Authentication per message instead of per call

Closed this issue · 3 comments

According to the gRPC specifications and the .NET gRPC support, the authentication and authorization support is on the HttpRequest/HttpContext level, i.e. the token-based authentication is on the level of calls, whether the call is a Unary Request or a Streaming call.
However, due to performance considerations, a long lived bidirectional streaming call can be used either as some sort of a messaging mechanism, or as a request-response mechanism through some additional logic over the client and server streams.

In the bidirectional streaming scenario described above, considering every message is sent on behalf of a different user identity, what would be the recommendation for authenticating every message in the stream as if it was a separate request of its own?

Is this a widespread scenario that we have here, or are there better alternatives than sharing the same streaming call for different user identities? Are there any guidelines for such a scenario? Will there be support for per message authentication instead of per call authentication we currently have with .NET gRPC?

There isn't any support for this and there are no plans to add it.

You'll need to add per-message auth yourself.

@JamesNK, I see, that was the assumption☹️

Would you be able to help us with the following question though?
Per-call: we have ServerCallContext, thus if needed, we can use the underlying HttpContext as needed to store some custom per-call data.
Do we have per-message concept that would be similar? I.e. we want to put some additional information (auth result) for the message using our custom interceptor, which would be doing auth for the message.

The only place I see is the generated Protobuf types for the messages themselves, where we would need to hook in using our own partial implementations of the same types.
Would you know of any other place we would be able to put per-message contextual information?

Even if there is nothing of this sort, what would be your recommendation on implementing something that would help us have a per-message context?

Any per-message auth information must be on the message.
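The following is an added example of the pattern the thread ends on: the credential rides on each message, is validated per message, and the resulting principal is attached to that message rather than to the ServerCallContext/HttpContext that the whole stream shares. It is not code from this issue or from grpc-dotnet. It assumes a hypothetical proto with `Envelope`/`Reply` messages and a `Relay.Exchange` bidirectional RPC (the generated C# types `Envelope`, `Reply` and `Relay.RelayBase`), a JWT bearer token in each message, and an issuer, audience and role name that are placeholders.

```csharp
// Added example, not grpc-dotnet code. Assumed hypothetical proto:
//   message Envelope { string access_token = 1; string correlation_id = 2; bytes payload = 3; }
//   message Reply    { string correlation_id = 1; bool accepted = 2; string error = 3; }
//   service Relay    { rpc Exchange(stream Envelope) returns (stream Reply); }
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Grpc.Core;
using Microsoft.IdentityModel.Tokens;

// The per-message "context": the validated principal travels with the message.
// ServerCallContext/HttpContext are shared by every message on the stream, so a
// principal stored there could leak one sender's identity onto another's message.
public sealed record AuthenticatedMessage(Envelope Message, ClaimsPrincipal Principal);

public sealed class PerMessageAuthenticator
{
    private readonly JwtSecurityTokenHandler _handler = new();
    private readonly TokenValidationParameters _parameters;

    public PerMessageAuthenticator(SecurityKey signingKey)
    {
        _parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",   // assumed issuer
            ValidAudience = "relay",                  // assumed audience
            IssuerSigningKey = signingKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    }

    // Validates only the token carried on this message; nothing is cached on the
    // call, so message N+1 is authenticated independently of message N.
    public bool TryAuthenticate(Envelope message, out ClaimsPrincipal? principal, out string? error)
    {
        principal = null;
        error = null;
        if (string.IsNullOrEmpty(message.AccessToken))
        {
            error = "missing access_token";
            return false;
        }
        try
        {
            principal = _handler.ValidateToken(message.AccessToken, _parameters, out _);
            return true;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            // Return the failure class, not the library message, so token internals
            // are not echoed back to the sender.
            error = ex.GetType().Name;
            return false;
        }
    }
}

public sealed class RelayService : Relay.RelayBase
{
    private readonly PerMessageAuthenticator _auth;

    public RelayService(PerMessageAuthenticator auth) => _auth = auth;

    public override async Task Exchange(
        IAsyncStreamReader<Envelope> requestStream,
        IServerStreamWriter<Reply> responseStream,
        ServerCallContext context)
    {
        // Call-level auth ([Authorize], context.GetHttpContext().User) only decides
        // whether this client may open the stream; it is not consulted per message.
        await foreach (var envelope in requestStream.ReadAllAsync(context.CancellationToken))
        {
            if (!_auth.TryAuthenticate(envelope, out var principal, out var error))
            {
                // Reject this message alone; the stream stays open for the other identities on it.
                await responseStream.WriteAsync(new Reply
                {
                    CorrelationId = envelope.CorrelationId,
                    Accepted = false,
                    Error = error ?? "invalid token",
                });
                continue;
            }

            await responseStream.WriteAsync(Handle(new AuthenticatedMessage(envelope, principal!)));
        }
    }

    private static Reply Handle(AuthenticatedMessage m)
    {
        // Authorize against the principal attached to this message, not the stream's caller.
        // JwtSecurityTokenHandler maps "sub" to ClaimTypes.NameIdentifier by default; check both.
        var subject = m.Principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value
                      ?? m.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var allowed = subject is not null && m.Principal.IsInRole("publisher"); // assumed role
        return new Reply
        {
            CorrelationId = m.Message.CorrelationId,
            Accepted = allowed,
            Error = allowed ? "" : "forbidden",
        };
    }
}
```

Two things a practitioner should add on top of this skeleton. First, a token that is replayed on a later message will validate again until it expires, so per-message tokens should be short-lived, and, where that is not enough, either tracked by `jti` or bound to the payload (for example a claim carrying a hash of the payload bytes). Second, per-message authentication does not replace the call-level `[Authorize]` on the streaming method; that still gates which clients are allowed to open the shared stream at all.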