
Show HN: Two grpc microservices with mutual TLS and token authentication in Go - enricofoltran
https://github.com/enricofoltran/hello-auth-grpc
======
fulafel
How does the authentication work, what is authenticated and how are secrets or
public keys used to accomplish it?

~~~
enricofoltran
Hi fulafel, sorry for my late response.

In this example we have two servers (hello-server and auth-server) and their
respective clients (hello-client and auth-client).

The client-server communication is achieved using gRPC, a RPC framework that
enstabish a bi-directional stream between the parties. gRPC use http/2 as the
transport protocol and protocol buffer as serialization format.

The communication is secured using TLS. By default the TLS protocol only
proves the identity of the server to the client (server-side authentication),
however in this example the server require the client to provide its own
certificated to proves its identity (client-side authentication). In this way
we have mutual authetication (or two-way authentication); two parties
authenticating each other at the same time.

The mutual authentication is achieved by generating a certificate (and a
private key) for each server and (potentially) one for each client (in this
case clients share the same certificate). Certificates are signed by a common
trusted certificate authority and can be validated on each side.

In this example the auth-server provide token based authentication as a
service for the hello-server. This is done by let the user login to the auth-
server, using the auth-client, by providing username and password. Once the
auth-server as determined the identity of the user, it generate a JWT token an
sign it with a dedicated private key, then send it back to che auth-client
which store it on the user's disk.

When the user use the hello-client to communicate with the hello-server the
client load the token from disk and pass it in the request. The hello-server
then validate the token signature with the corresponding public key.

Doing this allow servers to communicate in a secure way only with trusted
clients and only the auth-server can generate valid auth tokens, that can be
validated by other servers by sharing only the public key.

Thanks for your question, hope I answered. Sorry, english isn't my native
language. Bye!

------
tiuPapa
Sorry for straying off-topic, but what are the use cases for grpc?

~~~
cobookman
Microservice backends. And native app api servers.

Highly recommend over rest apis for anything with significant traffic.

The clients handle multiplexing over multiple threads. And avoiding a single
tcp connection per api call.

And the servers give you a great api / microservice framework that's not too
frameworky. It "just works" without magic.

------
gcristofol
Nicely done

