gRPC Java JWT

JWT based authentication for gRPC-Java

License

License

Categories

Categories

KeY Data Data Formats Formal Verification gRPC Net Networking Keycloak Security
GroupId

GroupId

com.avast.grpc.jwt
ArtifactId

ArtifactId

keycloak
Last Version

Last Version

0.4.9
Release Date

Release Date

Type

Type

pom.sha512
Description

Description

gRPC Java JWT
JWT based authentication for gRPC-Java
Project URL

Project URL

https://github.com/avast/grpc-java-jwt
Source Code Management

Source Code Management

https://github.com/avast/grpc-java-jwt

Download keycloak

Dependencies

compile (4)

Group / Artifact Type Version
com.avast.grpc.jwt : core jar 0.4.9
org.keycloak : keycloak-admin-client jar 12.0.4
org.bouncycastle : bcprov-jdk15on jar 1.68
com.typesafe : config jar 1.4.1

Project Modules

There are no modules declared in this project.

gRPC Java JWT support Build Version

Library that helps with authenticated communication in gRPC-Java based applications. It uses JSON Web Token transported in Authorization header (as Bearer rawJWT).

Implementation of standard CallCredentials ensures that the header is sent, and ServerInterceptor ensures that the incoming header is valid and makes the parsed JWT available for the underlying code.

<dependency>
  <groupId>com.avast.grpc.jwt</groupId>
  <artifactId>grpc-java-jwt</artifactId>
  <version>$latestVersion</version>
</dependency>
compile "com.avast.grpc.jwt:grpc-java-jwt:$latestVersion"

This base library contains a code that is not tied to any specific JWT implementation. So it requires instances of JwtTokenProvider interface (for client) and JwtTokenParser (for server) to work.

Keycloak support

There are implementations of the core interfaces for Keycloak.

<dependency>
  <groupId>com.avast.grpc.jwt</groupId>
  <artifactId>grpc-java-jwt-keycloak</artifactId>
  <version>$latestVersion</version>
</dependency>
compile "com.avast.grpc.jwt:grpc-java-jwt-keycloak:$latestVersion"

Configuration defaults can be found here. It uses HOCON and Lightbend Config.

Client usage

This ensures that each call contains Authorization header with Bearer prefixed Keycloak access token (as JWT).

import com.avast.grpc.jwt.keycloak.client.KeycloakJwtCallCredentials;

KeycloakJwtCallCredentials callCredentials = KeycloakJwtCallCredentials.fromConfig(yourConfig);
YourService.newStub(aChannel).withCallCredentials(callCredentials);

Server usage

This ensures that only requests with valid JWT in Authorization header are processed.

import io.grpc.ServerServiceDefinition;
import com.avast.grpc.jwt.keycloak.server.KeycloakJwtServerInterceptor;

KeycloakJwtServerInterceptor serverInterceptor = KeycloakJwtServerInterceptor.fromConfig(yourConfig);
ServerServiceDefinition interceptedService = ServerInterceptors.intercept(yourService, serverInterceptor);

// read token in a gRPC method implementation
import org.keycloak.representations.AccessToken;
AccessToken accessToken = serverInterceptor.AccessTokenContextKey.get();

There is also this integration test that can serve as nice example.

Implementation notes

On the client side, there is implementation of CallCredentials that ensures the JWT token is correctly stored to the headers. Just call a static method on JwtCallCredentials - it will require an instance of a JwtTokenProvider (an interface that returns encoded JWT).

On server side, there is ServerInterceptor implementation that parses the incoming JWT and verifies it. JwtServerInterceptor requires an instance of JwtTokenParser - it's an interface that parses and verifies the JWT.

About gRPC internals

gRCP uses terms Metadata and Context keys. Metadata is set of key-value pairs that are transported between client and server, et vice versa. So it's like HTTP headers.

On other hand, Context key is set of values that are available during request processing. By default, a Storage implementation based on ThreadLocal is used. Thanks to this, you can just call get() method on a Context key and you immediately get the value because it read the value from Context.current().

So when implementing interceptors, you must be sure that you read Context values from the right thread. It's actually no issue for us because:

  1. The right thread is automatically handled by gRPC-core when usingCallCredentials. So you can call applier.apply() method on any thread.
  2. Our ServerInterceptor implementation handles it correctly.
com.avast.grpc.jwt

Avast

https://avast.github.io

Versions

Version
0.4.9