protoc-gen-authenticate
protoc-gen-authenticate is an innovative protoc plugin and library designed to simplify and secure gRPC request
authentication.
It seamlessly integrates authentication providers directly within your proto files, reducing the need to clutter your
application code with complex authentication logic.
Perfect for developers looking to streamline their security workflows in gRPC applications.
In this README, you'll find easy installation instructions, examples, and all you need to harness the power of
expression-based rules for robust and efficient request handling.
Features
- Generated code can be used with Unary and Stream interceptors in
github.com/autom8ter/protoc-gen-authenticate/authenticator
- Highly configurable JWT authentication
- Supports multiple authentication providers
- Support for Remote JWKS (JSON Web Key Set) endpoints
- Support for different providers based on environment
Installation
The plugin can be installed with the following command:
    go install github.com/autom8ter/protoc-gen-authenticate@latest
Code Generation
buf.gen.yaml example:
    version: v1
    plugins:
      - plugin: buf.build/protocolbuffers/go
        out: gen
        opt: paths=source_relative
      - plugin: buf.build/grpc/go
        out: gen
        opt:
          - paths=source_relative
      - plugin: authenticate
        out: gen
        opt:
          - paths=source_relative
Example
    // GoogleService service is an example of how to authenticate with Google's OAuth2 service
    service GoogleService {
      option (authenticate.config) = {
        environment: "TEST"
        providers: [{
          name: "google",
          jwt: {
            algorithm: RS256,
            jwks_uri: "https://www.googleapis.com/oauth2/v3/certs",
            issuer: "https://accounts.google.com",
            audience: "https://example.com",
            require_claims: ["email_verified", "email"],
          },
        }]
        whitelist_methods: ["Login"]
      };
      rpc Login(google.protobuf.Empty) returns (google.protobuf.Empty);
      rpc Logout(google.protobuf.Empty) returns (google.protobuf.Empty);
    }

    service PrivateService {
      option (authenticate.config) = {
        environment: "TEST"
        whitelist_methods: ["Unauthenticated"]
        providers: [
          {
            name: "custom",
            jwt: {
              algorithm: HS256,
              secret_env: "JWT_DEV_SECRET",
            }
          }
        ]
      };
      option (authenticate.config) = {
        // only enabled when GRPC_AUTH=PROD env var is set
        environment: "PROD"
        whitelist_methods: ["Unauthenticated"]
        providers: [{
          name: "custom",
          jwt: {
            algorithm: HS256,
            secret_env: "JWT_PROD_SECRET",
          }
        }]
      };
      rpc RequireAuthentication(google.protobuf.Empty) returns (google.protobuf.Empty);
      rpc Unauthenticated(google.protobuf.Empty) returns (google.protobuf.Empty);
    }
    // create a new authenticator from the function generated by protoc-gen-authenticate
    auth, err := example.NewAuthentication("TEST")
    if err != nil {
        return err
    }
    // create a new grpc server with the authentication interceptors
    srv := grpc.NewServer(
        grpc.UnaryInterceptor(
            grpc_auth.UnaryServerInterceptor(auth),
        ),
        grpc.StreamInterceptor(
            grpc_auth.StreamServerInterceptor(auth),
        ),
    )
See example for the full example.
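
To make concrete what the jwt fields of the HS256 "custom" provider above ask a verifier to enforce, here is an added sketch using only the Go standard library. It is not the plugin's generated code: `Policy`, `Sign` and `Verify` are hypothetical names, the secret is assumed to have been read from the `secret_env` variable already, and JWKS/RS256 handling and `exp`/`nbf` checks are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Policy mirrors the jwt option fields shown above (hypothetical type, not the plugin's).
type Policy struct {
	Algorithm, Issuer, Audience string
	RequireClaims               []string
	Secret                      []byte // value of the variable named by secret_env
}

// Sign builds an HS256 token from raw header and claims JSON (used for constructed samples).
func Sign(header, claims string, secret []byte) string {
	msg := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(claims))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verify enforces the policy on a token and returns its claims.
func Verify(token string, p Policy) (map[string]any, error) {
	hdr, claims := struct{ Alg string }{}, map[string]any{}
	hb, rest, _ := strings.Cut(token, ".")
	cb, _, _ := strings.Cut(rest, ".")
	h, _ := b64.DecodeString(hb) // a malformed segment cannot survive the re-sign comparison below
	c, _ := b64.DecodeString(cb)
	switch {
	case json.Unmarshal(h, &hdr) != nil || p.Algorithm != "HS256" || hdr.Alg != p.Algorithm:
		return nil, errors.New("algorithm not allowed") // pinned by config, not chosen by the token
	case len(p.Secret) == 0 || !hmac.Equal([]byte(token), []byte(Sign(string(h), string(c), p.Secret))):
		return nil, errors.New("bad signature") // an empty secret (unset secret_env) fails closed
	case json.Unmarshal(c, &claims) != nil || claims["iss"] != p.Issuer || claims["aud"] != p.Audience:
		return nil, errors.New("issuer or audience mismatch") // aud must be a single string here
	}
	for _, name := range p.RequireClaims {
		if _, present := claims[name]; !present {
			return nil, errors.New("missing required claim: " + name)
		}
	}
	return claims, nil
}
```

The signature check re-signs the decoded header and claims and compares the whole token in constant time, so non-canonical or truncated segments are rejected along with forged tags.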