gRPC; Authentication; Developer Week SF; security; Auth0; JWT; OAuth2; SSL: TLS; Authorization; Python; Hello World

1. Understanding gRPC
Authentication Methods
Developer Week SF 2018
Anthony Chow
Cephas Security Solutions
Auth0 Ambassador | VMware vExpert
Feb 7, 2018
Twitter: @vCloudernBeer

2. Image source: https://github.com/cncf/landscape

3. Image source: https://github.com/cncf/landscape

4. Image source: https://katacontainers.io/img/kata-explained1-thumb@2x.png

5. What is gRPC?
 gRPC can be summarized as protocol buffers running
over HTTP/2 with multiple programming language
support.
Image source: grpc.io

6. Protocol Buffer
 Protocol buffer is one form of Interface Definition
Language for structured data serialization and de-
serialization between two parties and are transmitted
over a network in binary forms.
Image source: Google gRPC meetup kit

7. Install Protobuf 3 on
Ubuntu 16.04
• curl -OL
https://github.com/google/protobuf/releases/download/v3
.5.0/protoc-3.5.0-linux-x86_64.zip
• unzip protoc-3.5.0-linux-x86_64.zip -d protoc3
• sudo mv protoc3/bin/* /usr/local/bin/
• sudo mv protoc3/include/* /usr/local/include/

8. Service Definition
source: Google gRPC meetup kit

9. HTTP/2
 Hypertext Transfer Protocol Version 2 (HTTP/2) is
defined by RFC 7540 aimed at providing better
performance for HTTP traffics with bi-directional
streaming and flow control on a single TCP connection.
Source: Google gRPC meetup kit

10. Multi-language Support
Image source: Google gRPC meetup kit

11. gRPC Conceptssource: https://grpc.io/docs/guides/concepts.html
 Service Definition
 Using the API surface
 Synchronous vs asynchronous
 RPC life cycle
o Unary
o Client Streaming
o Server Streaming
o Bi-directional Streaming
 Deadlines/Timeouts
 RPC termination
 Cancelling RPCs
 Metadata
 Channels

12. Ruby Service
gRPC
server Go Service
gRPC
server
gRPC
Stub
Java Service
gRPC
Stub
Python Service
gRPC
server
gRPC
Stub
Multi-language supportsource: Google gRPC meetup kit

13. gRPC Request and Response
source: grpc.io

14. Who uses gRPCsource: Google gRPC meetup kit

15. Resource for gRPCsource: Google gRPC meetup kit
Documentation and Code
● http://www.grpc.io/
● https://github.com/grpc
● https://github.com/grpc-ecosystem
Help and Support
● https://gitter.im/grpc/grpc
● https://groups.google.com/forum/#!forum/grpc-io

16. Getting started with gRPC
 https://grpc.io/docs/quickstart/
 https://grpc.io/docs/tutorials/basic/python.html
1. Define the gRPC service and the method request and
response types using protocol buffers
2. Generate the gRPC client and server interfaces from your
.proto service definition.
3. Create the server
4. Create the client

17. gRPC frame format
• Wireshark demo

18. Authentication vs
Authorization
 Authentication – determine who you claim to be by the
credential you provide.
o Something you have – smart token device
o Something you know - password
o Something you are – fingerprint
 Authorization – based on user credential grant access
to resource
o Read-Write
o Read only
o Delete

19. gRPC built-in
Authentication Methods
 SSL/TLS
 Token-based authentication with Google
o JWT
o OAuth Access Token
 Credentials plugin API - allows developers to plug in their
own type of credentials

20. Credential Types
 Channel credential
 Call credential

21. Base case - No encryption
or authentication
import grpc
import helloworld_pb2
channel = grpc.insecure_channel('localhost:50051')
stub = helloworld_pb2.GreeterStub(channel)

22. With server
authentication SSL/TLS
import grpc
import helloworld_pb2
creds = grpc.ssl_channel_credentials(open('roots.pem').read())
channel = grpc.secure_channel('myservice.example.com:443',
creds)
stub = helloworld_pb2.GreeterStub(channel)

23. Authenticate with Google
using a JWT
import grpc
import helloworld_pb2
from google import auth as google_auth
from google.auth import jwt as google_auth_jwt
from google.auth.transport import grpc as google_auth_transport_grpc
credentials, _ = google_auth.default()
jwt_creds = google_auth_jwt.OnDemandCredentials.from_signing_credentials(
credentials)
channel = google_auth_transport_grpc.secure_authorized_channel( jwt_creds,
None,
'greeter.googleapis.com:443')
stub = helloworld_pb2.GreeterStub(channel)

24. Authenticate with Google
using an OAuth2 token
import grpc
import helloworld_pb2
from google import auth as google_auth
from google.auth.transport import grpc as google_auth_transport_grpc
from google.auth.transport import requests as google_auth_transport_requests
credentials, _ = google_auth.default(scopes=(scope,))
request = google_auth_transport_requests.Request()
channel = google_auth_transport_grpc.secure_authorized_channel(
credentials,
request,
'greeter.googleapis.com:443')
stub = helloworld_pb2.GreeterStub(channel)

25. Authenticate with 3rd
Party
• AuthMetadataPlugin
• …/src/python/grpcio_tests/unit/_auth_test.py

26. SSL/TLS
 SSL – Secure Socket Layer (older standard)
o Version 2 and version 3
 TLS – Transport Layer Security (newer standard)
o Version 1.1, 1.2 and 1.3
 Asymmetric encryption
o Private Key and Public key
 Symmetric encryption
o Symmetric key
 Hashing
 Digital Certificate – e.g. X.509

27. SSL - Handshake
Image source: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif

28. SSL – X.509 Digital
Certificate
Image source: https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.14/gtps7/ssldig17.gif

29. gRPC with TLS
• Python “helloworld” demo with TLS.

30. gRPC code base
• https://github.com/grpc/
• https://github.com/GoogleCloudPlatform/google-auth-
library-python

31. JWT- JSON Web Token
Image source: youtube.com

32. Resources for JSON Web
Token
• https://auth0.com/learn/json-web-tokens/
• https://jwt.io/introduction/
• https://scotch.io/tutorials/the-anatomy-of-a-json-
web-token
• https://auth0.com/e-books/jwt-handbook

33. OAuth-2
 “Open Authentication” (?)
 Authorization delegation
 An authorization framework
 Defined by RFC 6749 and 6750
 OAuth 1 is defined by RFC 5849
 OAuth 1 and OAuth 2 are not compatible

34. OAuth2 Actors
Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/

35. OAuth2 Flows (grants)
image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2

36. OAuth2 Authorization Grants
 Different ways of getting a token
o Authorization code,
o Implicit grant,
o Resource owner password credentials and
o Client credentials
 Which OAuth 2.0 flow should I use?

37. OAuth2 Tokens
• Access Token
• Refresh Token

38. OAuth2 simplified view
 Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png

39. Resource for OAuth2
• RFC 6749 - https://tools.ietf.org/html/rfc6749
• RFC 6750 - https://tools.ietf.org/html/rfc6750
• https://auth0.com/docs/protocols/oauth2
• https://developers.google.com/oauthplayground/

40. Google Cloud Endpoints
for gRPC
 Choosing an Authentication Method
o API Keys
o Firebase authentication
o Auth0 authentication
o Google authentication
o Google authentication and Service Account

41. Examples show how to set up
ESP in a gRPC service
authentication:
providers:
- id: auth0_jwk
# Replace YOUR-ACCOUNT-NAME with your service account's email address.
issuer: https://DevWeekSF2018.auth0.com/
jwks_uri: "https://DevWeekSF2018.auth0.com/.well-known/jwks.json"
rules:
- selector: "*"
requirements:
- provider_id: auth0_jwk

42. Calling an authenticated
method from gRPC
def run(host, port, api_key, auth_token, timeout):
"""Makes a basic ListShelves call against a gRPC Bookstore server."""
channel = grpc.insecure_channel('{}:{}'.format(host, port))
stub = bookstore_pb2.BookstoreStub(channel)
metadata = []
if api_key:
metadata.append(('x-api-key', api_key))
if auth_token:
metadata.append(('authorization', 'Bearer ' + auth_token))
shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata)
print('ListShelves: {}'.format(shelves))

43. Setting up your Auth0

44. Thanks for
coming!