5. What is gRPC?
gRPC can be summarized as protocol buffers running
over HTTP/2 with multiple programming language
support.
Image source: grpc.io
6. Protocol Buffer
Protocol Buffers is an Interface Definition Language for
serializing and deserializing structured data exchanged
between two parties; messages are transmitted over the
network in binary form.
Image source: Google gRPC meetup kit
9. HTTP/2
Hypertext Transfer Protocol Version 2 (HTTP/2), defined
by RFC 7540, aims to provide better performance for
HTTP traffic, with bi-directional streaming and flow
control on a single TCP connection.
Source: Google gRPC meetup kit
11. gRPC Concepts
Source: https://grpc.io/docs/guides/concepts.html
Service Definition
Using the API surface
Synchronous vs asynchronous
RPC life cycle
o Unary
o Client Streaming
o Server Streaming
o Bi-directional Streaming
Deadlines/Timeouts
RPC termination
Cancelling RPCs
Metadata
Channels
12. Multi-language support
[Diagram: Ruby, Go, Java and Python services, each shown with its gRPC server and/or gRPC stub]
Source: Google gRPC meetup kit
15. Resources for gRPC
Source: Google gRPC meetup kit
Documentation and Code
● http://www.grpc.io/
● https://github.com/grpc
● https://github.com/grpc-ecosystem
Help and Support
● https://gitter.im/grpc/grpc
● https://groups.google.com/forum/#!forum/grpc-io
16. Getting started with gRPC
https://grpc.io/docs/quickstart/
https://grpc.io/docs/tutorials/basic/python.html
1. Define the gRPC service and the method request and
response types using protocol buffers
2. Generate the gRPC client and server interfaces from your
.proto service definition.
3. Create the server
4. Create the client
18. Authentication vs Authorization
Authentication – establish that you are who you claim to be,
based on the credential you provide.
o Something you have – smart token device
o Something you know - password
o Something you are – fingerprint
Authorization – grant access to a resource based on the
user's credential
o Read-Write
o Read only
o Delete
19. gRPC built-in Authentication Methods
SSL/TLS
Token-based authentication with Google
o JWT
o OAuth Access Token
Credentials plugin API - allows developers to plug in their
own type of credentials
21. Base case - No encryption or authentication
import grpc
import helloworld_pb2
channel = grpc.insecure_channel('localhost:50051')
stub = helloworld_pb2.GreeterStub(channel)
22. With server authentication SSL/TLS
import grpc
import helloworld_pb2
# Read the trusted root certificates as bytes; ssl_channel_credentials expects bytes.
with open('roots.pem', 'rb') as f:
    creds = grpc.ssl_channel_credentials(f.read())
channel = grpc.secure_channel('myservice.example.com:443', creds)
stub = helloworld_pb2.GreeterStub(channel)
23. Authenticate with Google using a JWT
import grpc
import helloworld_pb2
from google import auth as google_auth
from google.auth import jwt as google_auth_jwt
from google.auth.transport import grpc as google_auth_transport_grpc
credentials, _ = google_auth.default()
jwt_creds = google_auth_jwt.OnDemandCredentials.from_signing_credentials(
    credentials)
channel = google_auth_transport_grpc.secure_authorized_channel(
    jwt_creds,
    None,
    'greeter.googleapis.com:443')
stub = helloworld_pb2.GreeterStub(channel)
24. Authenticate with Google using an OAuth2 token
import grpc
import helloworld_pb2
from google import auth as google_auth
from google.auth.transport import grpc as google_auth_transport_grpc
from google.auth.transport import requests as google_auth_transport_requests
# `scope` must be set by the caller to the OAuth2 scope the service requires.
credentials, _ = google_auth.default(scopes=(scope,))
request = google_auth_transport_requests.Request()
channel = google_auth_transport_grpc.secure_authorized_channel(
    credentials,
    request,
    'greeter.googleapis.com:443')
stub = helloworld_pb2.GreeterStub(channel)
26. SSL/TLS
SSL – Secure Socket Layer (older standard)
o Version 2 and version 3
TLS – Transport Layer Security (newer standard)
o Version 1.1, 1.2 and 1.3
Asymmetric encryption
o Private Key and Public key
Symmetric encryption
o Symmetric key
Hashing
Digital Certificate – e.g. X.509
32. Resources for JSON Web Token
• https://auth0.com/learn/json-web-tokens/
• https://jwt.io/introduction/
• https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
• https://auth0.com/e-books/jwt-handbook
33. OAuth-2
“Open Authentication” (?)
Authorization delegation
An authorization framework
Defined by RFC 6749 and 6750
OAuth 1 is defined by RFC 5849
OAuth 1 and OAuth 2 are not compatible
36. OAuth2 Authorization Grants
Different ways of getting a token
o Authorization code,
o Implicit grant,
o Resource owner password credentials and
o Client credentials
Which OAuth 2.0 flow should I use?
40. Google Cloud Endpoints for gRPC
Choosing an Authentication Method
o API Keys
o Firebase authentication
o Auth0 authentication
o Google authentication
o Google authentication and Service Account
41. Examples show how to set up ESP in a gRPC service
authentication:
  providers:
  - id: auth0_jwk
    # Replace YOUR-ACCOUNT-NAME with your service account's email address.
    issuer: https://DevWeekSF2018.auth0.com/
    jwks_uri: "https://DevWeekSF2018.auth0.com/.well-known/jwks.json"
  rules:
  - selector: "*"
    requirements:
      - provider_id: auth0_jwk
42. Calling an authenticated method from gRPC
import grpc
from google.protobuf import empty_pb2
import bookstore_pb2

def run(host, port, api_key, auth_token, timeout):
    """Makes a basic ListShelves call against a gRPC Bookstore server."""
    # insecure_channel is plaintext: the API key and bearer token below travel unencrypted.
    channel = grpc.insecure_channel('{}:{}'.format(host, port))
    stub = bookstore_pb2.BookstoreStub(channel)
    # Credentials are passed as per-call metadata.
    metadata = []
    if api_key:
        metadata.append(('x-api-key', api_key))
    if auth_token:
        metadata.append(('authorization', 'Bearer ' + auth_token))
    shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata)
    print('ListShelves: {}'.format(shelves))
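
What the receiving side has to check on the metadata the slide 42 client sends, as an added example that is not from the original slides or the Bookstore sample. It assumes an HS256 shared secret in place of the public keys published at the slide 41 `jwks_uri`; `check_metadata`, `make_token` and the secret are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://DevWeekSF2018.auth0.com/"  # issuer from the slide 41 config
SECRET = b"constructed-demo-secret"  # assumption: HS256 stand-in for the JWKS keys

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, secret=SECRET):
    """Build a constructed HS256 token (header.payload.signature) for the demo."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body, secret))}"

def check_metadata(metadata, now=None):
    """Return (ok, subject_or_reason) for the (key, value) pairs a server receives."""
    md = {k.lower(): v for k, v in metadata}
    scheme, _, token = md.get("authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "missing or malformed bearer token"
    head, body, sig = token.split(".")
    try:
        header, claims, got = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
    except ValueError:
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "undecodable token"
    # Pin the algorithm on the server; the token's header must not choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Verify the signature before trusting any claim; constant-time compare.
    if not hmac.compare_digest(sign(head, body, SECRET), got):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return False, "expired"
    return True, claims.get("sub")
```

In a real gRPC server the same function would be called from a server interceptor on the call's invocation metadata, with the signature check done against the provider's published keys.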