Implement JWT token-based authentication

Context

This issue is part of the effort towards OAUTH2 authentication support.

Task Description

• Extract and validate JWT token from client requests.
• Reject calls for invalid tokens.

Acceptance Criteria

• Any non-authenticated calls are rejected.

mentioned in issue #133 (closed)

marked this issue as related to #133 (closed)

created branch mablanch/144-jwt-authentication

It seems like the server side AuthMetadataProcessor available in C++ is not exposed by the gRPC Python package.

Thus, we'll have to write our own interceptor that will extract the JWT token from the requests metadata, validate it and populate the AuthContext with authentication data. We probably want some caching involved in order to avoid validating the same token on each request.

Note: service-side interceptor are experimental API.

Does that match what you had in mind @jbonney?

I guess we will have to agree on a metadata header key name for the JWT token as well.

I think that's a good breakdown. We certainly could do some caching, although I'm not sure how much efficiency it would buy us. You would save on the cost of verifying the token (a hash operation), but would need to add the storage/expiry cost. It's recommended to keep access tokens short lived, especially when they are JWTs.

I believe the standard is to use 'Authorization' header, with value 'Bearer ', based on this RFC: https://tools.ietf.org/html/rfc6750#section-2.1

I believe the standard is to use 'Authorization' header, with value 'Bearer ', based on this RFC: https://tools.ietf.org/html/rfc6750#section-2.1

I guess I should have read the RFC first instead of digging into the google-auth implementation... Thanks!

added 1 deleted label

changed milestone to %Sprint 3

We also need to decide what the server should return to the client in case of authentication failures. My understanding is that it would be nice if clients were able to distinguish expired token failures from other auth. failures for token renewal.

Here is the WIP code for the interceptor. The obvious status code for auth. failure would be UNAUTHENTICATED. Maybe we could use a different one for expired tokens, not sure which one though...

mentioned in merge request !128 (merged)

marked this issue as related to #147 (closed)

mentioned in commit 4697354e

mentioned in commit 7e33f586

mentioned in commit dd6afa28

mentioned in commit b963c4f1

mentioned in commit 2c2b6b61

mentioned in commit 59db55a8

mentioned in commit 33b82765

mentioned in commit 34a95646

mentioned in commit f706d301

mentioned in commit 9f16fe87

mentioned in commit 3eaaa391

mentioned in commit 7e7d452c

mentioned in commit 659978ce

mentioned in commit a0940b84

mentioned in commit 74c22a1a

mentioned in commit 431f763e

mentioned in commit 3dbb6197

mentioned in commit 044becca

mentioned in commit 906e7d9d

mentioned in commit d9319725

mentioned in commit 60ebc66b

mentioned in commit 18772757

mentioned in commit e810f258

mentioned in commit b83de8b5

mentioned in commit c3f3d36d

mentioned in commit 023075e5

mentioned in commit c6f92e78

mentioned in commit 8eaa1f3e

mentioned in commit 8f38d12c

mentioned in commit db7678b4

mentioned in commit 120b8458

mentioned in commit 09395598

mentioned in commit ff3cd0a2

mentioned in commit b1d181b9

mentioned in commit 592b86ab

mentioned in commit 2bbbe72b

mentioned in commit 1ac4fdf3

mentioned in commit 486bb1f6