This repository has been archived by the owner on Apr 9, 2021. It is now read-only.

Python client authentication example #768

Open
maged opened this issue Oct 23, 2018 · 6 comments

@maged

maged commented Oct 23, 2018

The authentication docs cover server authentication, but not client authentication. Is it possible to add a client authentication example to the docs? Does it require using other flags in grpc.ssl_channel_credentials?

@carl-mastrangelo

cc: @lidizheng

@lidizheng

@maged In the doc, it provides an example of TLS with Client Authentication, which is the default for gRPC, meaning both server and client should have certificates.

Or is what you want to perform normal TLS without Client Authentication?

@lidizheng

If you would like to enforce the client authentication, you can set the require_client_auth for your ssl_server_credentials. For more details, check the API Reference.

@maged
Author

maged commented Oct 23, 2018

The solution I got to (which the API reference for ssl_channel_credentials was more helpful for) is to use these three flags:

    creds = grpc.ssl_channel_credentials(
            certificate_chain=cert_chain, private_key=cert_key, root_certificates=root_ca)

certificate_chain and private_key are the client's cert and private key that the server will verify. root_certificates is the root CA that the server will be verified against.

Might be useful to have this example in the docs as well.

@maged
Author

maged commented Oct 23, 2018

Just to confirm, this only verifies that the client's certificate is signed by the root CA given, right? Is there any way to verify the client CN against an expected CN?

@lidizheng

@maged

> Just to confirm, this only verifies that the client's certificate is signed by the root CA given, right?

Yes. It depends on your server's setting of require_client_auth. If you set it to True, then the server will request and require a client certificate and verify it, for more details. If you set it to False, the server won't request the certificate at all.

> Is there any way to verify the client CN against an expected CN?

Please check this unit test. The Python server handler will get a servicer_context, which has a servicer_context.auth_context(); you can access the verified expected CN from that. Generally speaking, it is quite hard for the server to get the precise CN for an incoming client. But you can implement your verification logic in your handler.

Does that answer your question?
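
Added example (not part of the original thread and not gRPC project code): one way to do the handler-side CN check described in the last reply, on a server created with require_client_auth=True. The allow-listed CN, the sample auth context and the helper names are assumptions made for illustration.

```python
"""Server-side client-CN allow-listing for gRPC Python with mutual TLS."""

# Constructed allow-list; replace with the CNs your CA issues to real clients.
ALLOWED_CLIENT_CNS = frozenset({"billing-client.example.internal"})

# Constructed sample of what servicer_context.auth_context() returns for a
# TLS peer: property name (str) -> list of bytes values.
SAMPLE_AUTH_CONTEXT = {
    "transport_security_type": [b"ssl"],
    "x509_common_name": [b"billing-client.example.internal"],
}


def server_credentials(server_key, server_chain, client_root_ca):
    """Server credentials that request, require and verify a client cert."""
    import grpc  # lazy import: the CN check below has no gRPC dependency
    return grpc.ssl_server_credentials(
        [(server_key, server_chain)],
        root_certificates=client_root_ca,  # CA that signs client certs
        require_client_auth=True,
    )


def authorized_client_cn(auth_context, allowed=ALLOWED_CLIENT_CNS):
    """Return the peer's CN if it is allow-listed, otherwise None."""
    # Only trust certificate properties on a TLS-authenticated connection.
    if list(auth_context.get("transport_security_type", [])) != [b"ssl"]:
        return None
    names = list(auth_context.get("x509_common_name", []))
    if len(names) != 1:  # fail closed on a missing or ambiguous CN
        return None
    try:
        cn = names[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    # Exact match only: no wildcard or substring comparison.
    return cn if cn in allowed else None


def require_client_cn(servicer_context):
    """Call first in an RPC handler; aborts unless the CN is allow-listed."""
    import grpc
    cn = authorized_client_cn(servicer_context.auth_context())
    if cn is None:
        servicer_context.abort(grpc.StatusCode.PERMISSION_DENIED,
                               "client certificate not authorized")
    return cn
```

Chain validation against the root CA happens in the TLS handshake; this check only narrows which validly signed clients may call the service.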
