gRPC Java JWT support
Library that helps with authenticated communication in gRPC-Java based applications. It uses JSON Web Token transported in Authorization
header (as Bearer rawJWT
).
Implementation of standard CallCredentials
ensures that the header is sent, and ServerInterceptor
ensures that the incoming header is valid and makes the parsed JWT available for the underlying code.
<dependency>
<groupId>com.avast.grpc.jwt</groupId>
<artifactId>grpc-java-jwt</artifactId>
<version>$latestVersion</version>
</dependency>
compile "com.avast.grpc.jwt:grpc-java-jwt:$latestVersion"
This base library contains a code that is not tied to any specific JWT implementation. So it requires instances of JwtTokenProvider interface (for client) and JwtTokenParser (for server) to work.
Keycloak support
There are implementations of the core interfaces for Keycloak.
<dependency>
<groupId>com.avast.grpc.jwt</groupId>
<artifactId>grpc-java-jwt-keycloak</artifactId>
<version>$latestVersion</version>
</dependency>
compile "com.avast.grpc.jwt:grpc-java-jwt-keycloak:$latestVersion"
Configuration defaults can be found here. It uses HOCON and Lightbend Config.
Client usage
This ensures that each call contains Authorization
header with Bearer
prefixed Keycloak access token (as JWT).
import com.avast.grpc.jwt.keycloak.client.KeycloakJwtCallCredentials;
KeycloakJwtCallCredentials callCredentials = KeycloakJwtCallCredentials.fromConfig(yourConfig);
YourService.newStub(aChannel).withCallCredentials(callCredentials);
Server usage
This ensures that only requests with valid JWT
in Authorization
header are processed.
import io.grpc.ServerServiceDefinition;
import com.avast.grpc.jwt.keycloak.server.KeycloakJwtServerInterceptor;
KeycloakJwtServerInterceptor serverInterceptor = KeycloakJwtServerInterceptor.fromConfig(yourConfig);
ServerServiceDefinition interceptedService = ServerInterceptors.intercept(yourService, serverInterceptor);
// read token in a gRPC method implementation
import org.keycloak.representations.AccessToken;
AccessToken accessToken = serverInterceptor.AccessTokenContextKey.get();
There is also this integration test that can serve as nice example.
Implementation notes
On the client side, there is implementation of CallCredentials
that ensures the JWT token is correctly stored to the headers. Just call a static method on JwtCallCredentials - it will require an instance of a JwtTokenProvider (an interface that returns encoded JWT).
On server side, there is ServerInterceptor
implementation that parses the incoming JWT and verifies it. JwtServerInterceptor requires an instance of JwtTokenParser - it's an interface that parses and verifies the JWT.
About gRPC internals
gRCP uses terms Metadata
and Context keys
. Metadata
is set of key-value pairs that are transported between client and server, et vice versa. So it's like HTTP headers.
On other hand, Context key
is set of values that are available during request processing. By default, a Storage
implementation based on ThreadLocal
is used. Thanks to this, you can just call get()
method on a Context key and you immediately get the value because it read the value from Context.current()
.
So when implementing interceptors, you must be sure that you read Context values from the right thread. It's actually no issue for us because:
- The right thread is automatically handled by gRPC-core when using
CallCredentials
. So you can callapplier.apply()
method on any thread. - Our
ServerInterceptor
implementation handles it correctly.