tessl/maven-io-grpc--grpc-auth
Authentication capabilities for gRPC Java applications with Google Auth Library integration.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-io-grpc--grpc-auth@1.73.00
# gRPC Auth
1
2
gRPC Auth provides authentication capabilities for gRPC Java applications by integrating with Google Auth Library for Java. It implements the CallCredentials interface to enable OAuth2, JWT, and other authentication mechanisms for secure gRPC communications.
3
4
## Package Information
5
6
- **Package Name**: io.grpc:grpc-auth
7
- **Package Type**: Maven
8
- **Language**: Java
9
- **Installation**:
10
```xml
11
<dependency>
12
<groupId>io.grpc</groupId>
13
<artifactId>grpc-auth</artifactId>
14
<version>1.73.0</version>
15
</dependency>
16
```
17
18
## Core Imports
19
20
```java
21
import io.grpc.auth.MoreCallCredentials;
22
import io.grpc.CallCredentials;
23
import com.google.auth.Credentials;
24
import com.google.auth.oauth2.GoogleCredentials;
25
```
26
27
## Basic Usage
28
29
```java
30
import io.grpc.auth.MoreCallCredentials;
31
import io.grpc.CallCredentials;
32
import com.google.auth.oauth2.GoogleCredentials;
33
34
// Create credentials using Google Auth Library
35
Credentials credentials = GoogleCredentials.getApplicationDefault();
36
37
// Convert to gRPC CallCredentials
38
CallCredentials callCredentials = MoreCallCredentials.from(credentials);
39
40
// Attach to gRPC stub for authenticated calls
41
MyServiceGrpc.MyServiceBlockingStub stub = MyServiceGrpc.newBlockingStub(channel)
42
.withCallCredentials(callCredentials);
43
44
// Make authenticated gRPC calls
45
MyResponse response = stub.myMethod(MyRequest.newBuilder().build());
46
```
47
48
## Architecture
49
50
gRPC Auth is built around a simple but powerful architecture:
51
52
- **MoreCallCredentials**: Primary utility class providing factory methods for converting Google Auth Library credentials
53
- **GoogleAuthLibraryCallCredentials**: Internal implementation that handles the actual credential application
54
- **JWT Optimization**: Automatic conversion of ServiceAccount credentials to JWT when no scopes are present
55
- **Security Enforcement**: Ensures appropriate security levels for different credential types
56
- **Metadata Caching**: Optimizes performance by caching authentication metadata
57
58
## Capabilities
59
60
### CallCredentials Factory
61
62
Primary factory method for creating gRPC CallCredentials from Google Auth Library credentials.
63
64
```java { .api }
65
/**
66
* Utility class that converts other types of credentials to CallCredentials
67
*/
68
public final class MoreCallCredentials {
69
/**
70
* Converts a Google Auth Library Credentials to CallCredentials.
71
*
72
* Although this is a stable API, note that the returned instance's API is not stable.
73
* You are free to use the class name CallCredentials and pass the instance to other code,
74
* but the instance can't be called directly from code expecting stable behavior.
75
*
76
* @param creds Google Auth Library credentials to convert
77
* @return CallCredentials instance suitable for gRPC calls
78
*/
79
public static CallCredentials from(Credentials creds);
80
}
81
```
82
83
**Usage Examples:**
84
85
```java
86
import io.grpc.auth.MoreCallCredentials;
87
import com.google.auth.oauth2.GoogleCredentials;
88
import com.google.auth.oauth2.ServiceAccountCredentials;
89
90
// Using Application Default Credentials
91
Credentials appDefaultCreds = GoogleCredentials.getApplicationDefault();
92
CallCredentials callCreds = MoreCallCredentials.from(appDefaultCreds);
93
94
// Using Service Account Credentials from file
95
FileInputStream serviceAccountStream = new FileInputStream("path/to/service-account.json");
96
ServiceAccountCredentials serviceAccountCreds = ServiceAccountCredentials
97
.fromStream(serviceAccountStream);
98
CallCredentials callCreds = MoreCallCredentials.from(serviceAccountCreds);
99
100
// Using OAuth2 Credentials with specific scopes
101
GoogleCredentials scopedCreds = GoogleCredentials.getApplicationDefault()
102
.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
103
CallCredentials callCreds = MoreCallCredentials.from(scopedCreds);
104
```
105
106
### Legacy Client Interceptor (Deprecated)
107
108
Legacy authentication interceptor that was the original method for adding authentication to gRPC calls.
109
110
```java { .api }
111
/**
112
* Client interceptor that authenticates all calls by binding header data provided by a credential.
113
* Typically this will populate the Authorization header but other headers may also be filled out.
114
*
115
* @deprecated use MoreCallCredentials.from(Credentials) instead.
116
*/
117
@Deprecated
118
public final class ClientAuthInterceptor implements ClientInterceptor {
119
/**
120
* Creates a client interceptor that authenticates all calls
121
*
122
* @param credentials Google Auth Library credentials
123
* @param executor Executor for async operations (currently unused)
124
*/
125
public ClientAuthInterceptor(Credentials credentials, Executor executor);
126
127
/**
128
* Implements ClientInterceptor interface to add authentication headers
129
*
130
* @param method Method being called
131
* @param callOptions Call options
132
* @param next Next channel in the chain
133
* @return Authenticated ClientCall instance
134
*/
135
public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
136
MethodDescriptor<ReqT, RespT> method,
137
CallOptions callOptions,
138
Channel next);
139
}
140
```
141
142
**Migration Example:**
143
144
```java
145
// Old approach (deprecated)
146
Credentials credentials = GoogleCredentials.getApplicationDefault();
147
ClientInterceptor interceptor = new ClientAuthInterceptor(credentials, executor);
148
Channel authenticatedChannel = ClientInterceptors.intercept(channel, interceptor);
149
MyServiceGrpc.MyServiceBlockingStub stub = MyServiceGrpc.newBlockingStub(authenticatedChannel);
150
151
// New approach (recommended)
152
Credentials credentials = GoogleCredentials.getApplicationDefault();
153
CallCredentials callCredentials = MoreCallCredentials.from(credentials);
154
MyServiceGrpc.MyServiceBlockingStub stub = MyServiceGrpc.newBlockingStub(channel)
155
.withCallCredentials(callCredentials);
156
```
157
158
## Types and Dependencies
159
160
```java { .api }
161
// Core gRPC types
162
import io.grpc.CallCredentials;
163
import io.grpc.Channel;
164
import io.grpc.ClientCall;
165
import io.grpc.ClientInterceptor;
166
import io.grpc.CallOptions;
167
import io.grpc.MethodDescriptor;
168
import io.grpc.Status;
169
import io.grpc.StatusException;
170
171
// Google Auth Library types
172
import com.google.auth.Credentials;
173
import com.google.auth.oauth2.GoogleCredentials;
174
import com.google.auth.oauth2.ServiceAccountCredentials;
175
import com.google.auth.oauth2.OAuth2Credentials;
176
177
// Standard Java types
178
import java.util.concurrent.Executor;
179
import java.util.List;
180
import java.util.Map;
181
import java.net.URI;
182
```
183
184
## Authentication Flow
185
186
The authentication process follows these steps:
187
188
1. **Credential Creation**: Use Google Auth Library to create appropriate credentials (OAuth2, ServiceAccount, etc.)
189
2. **CallCredentials Conversion**: Use `MoreCallCredentials.from()` to convert to gRPC-compatible format
190
3. **Stub Configuration**: Attach CallCredentials to gRPC stub using `withCallCredentials()`
191
4. **Automatic Application**: gRPC automatically applies authentication headers to each RPC call
192
5. **JWT Optimization**: ServiceAccount credentials without scopes are automatically converted to JWT tokens
193
6. **Security Validation**: Credentials requiring privacy enforce PRIVACY_AND_INTEGRITY security level
194
195
## Authentication Features
196
197
### Supported Credential Types
198
199
- **Google Application Default Credentials**: Automatically discovered credentials from environment
200
- **Service Account Credentials**: JSON key file or in-memory credentials for service-to-service auth
201
- **OAuth2 Credentials**: User credentials with access tokens and refresh tokens
202
- **JWT Credentials**: Self-signed JWT tokens for service accounts (automatically optimized)
203
- **App Engine Credentials**: Specialized credentials for Google App Engine environment
204
205
### Security Features
206
207
- **Automatic Security Level Enforcement**: Google credentials require PRIVACY_AND_INTEGRITY channels
208
- **JWT Token Optimization**: ServiceAccount credentials without scopes use JWT instead of OAuth2
209
- **Metadata Caching**: Avoids redundant authentication requests through intelligent caching
210
- **Thread Safety**: Safe for concurrent use across multiple threads
211
- **Error Propagation**: Authentication failures are properly reported as UNAUTHENTICATED status
212
213
### Performance Optimizations
214
215
- **Credential Metadata Caching**: Reuses authentication metadata when possible
216
- **JWT Preference**: Uses more efficient JWT tokens over OAuth2 when appropriate
217
- **Lazy Evaluation**: Authentication occurs only when RPC calls are made
218
- **Header Reuse**: Caches parsed authentication headers to avoid repeated parsing
219
220
## Error Handling
221
222
Authentication errors are reported through gRPC's standard error handling:
223
224
```java
225
try {
226
MyResponse response = stub.myMethod(request);
227
} catch (StatusRuntimeException e) {
228
if (e.getStatus().getCode() == Status.Code.UNAUTHENTICATED) {
229
// Handle authentication failure
230
System.err.println("Authentication failed: " + e.getStatus().getDescription());
231
}
232
}
233
```
234
235
Common error scenarios:
236
237
- **UNAUTHENTICATED**: Invalid credentials, expired tokens, or credential loading failures
238
- **UNAVAILABLE**: Temporary authentication service issues (retryable)
239
- **PERMISSION_DENIED**: Valid credentials but insufficient permissions for the operation
240
- **InvalidChannel**: Attempting to use privacy-requiring credentials on insecure channels
241
242
## Thread Safety and Executors
243
244
All authentication components are thread-safe and can be used concurrently:
245
246
- **CallCredentials**: Thread-safe and can be shared across multiple stubs
247
- **Metadata Caching**: Uses synchronization to ensure thread-safe cache access
248
- **App Engine Support**: Special executor handling for App Engine credentials when required
249
- **Async Operations**: Credential fetching is performed asynchronously without blocking RPC calls