
Authentication example is presently harmful


The example is currently equivalent to the “header” example. So there’s no possible value-add it could contribute at the moment.

But unfortunately it is recommending making a ClientInterceptor for sending JWT to the server. That’s not what we recommend. We would recommend using MoreCallCredentials.from(Credential) along with ServiceAccountJwtAccessCredentials (which is Google-centric, but users can potentially use the fromPkcs8() construction method) or to implement CallCredentials directly. CallCredentials has the advantage that the credential 1) can verify its security requirements, like how all JWTs should be sent on an encrypted connection, and 2) will be fresher, as it is called just before the RPC is sent (a waitForReady RPC could be delayed for days).

The example also needs to incorporate how to propagate the authenticated user to the application via Context. Ideally it would at least note how to fail the RPC if the user is unauthenticated. Examples of how to do this are available on SO.

I’m considering deleting the example for the upcoming v1.21.0 release.
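What the issue asks for, expressed in code as an added example (this is not grpc-java's own example and not the maintainers' code): a CallCredentials that refuses to attach the token unless the transport provides privacy and that asks for the token only at send time, plus a ServerInterceptor that fails unauthenticated calls with Status.UNAUTHENTICATED and publishes the subject to the service implementation through a Context key. The class names, the token Supplier and the verifier Function are assumptions made for this illustration; the grpc-java API used is io.grpc.CallCredentials (applyRequestMetadata), io.grpc.ServerInterceptor and io.grpc.Contexts.

```java
import io.grpc.CallCredentials;
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.SecurityLevel;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.Optional;
import java.util.concurrent.Executor;
import java.util.function.Function;
import java.util.function.Supplier;

/** Client and server halves of bearer-token auth for grpc-java (added example, not grpc-java's own). */
public final class BearerAuth {

  /** Standard header "authorization: Bearer <token>"; Metadata key names are lower-case ASCII. */
  static final Metadata.Key<String> AUTHORIZATION =
      Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);

  /** Server-side Context key carrying the authenticated principal to application code. */
  public static final Context.Key<String> AUTHENTICATED_USER = Context.key("authenticated-user");

  /**
   * Client side. A CallCredentials (rather than a ClientInterceptor) sees the transport's
   * SecurityLevel, so it can refuse to leak the token over plaintext, and it runs just before the
   * RPC goes out, so a waitForReady call that sat in a queue still gets a current token.
   */
  public static final class BearerTokenCredentials extends CallCredentials {
    private final Supplier<String> tokenSupplier; // assumed: returns a currently valid token

    public BearerTokenCredentials(Supplier<String> tokenSupplier) {
      this.tokenSupplier = tokenSupplier;
    }

    @Override
    public void applyRequestMetadata(RequestInfo info, Executor appExecutor, MetadataApplier applier) {
      // Security requirement: a bearer token is a plaintext secret, so it must only travel over a
      // channel with confidentiality (a usePlaintext() channel reports SecurityLevel.NONE).
      if (info.getSecurityLevel() != SecurityLevel.PRIVACY_AND_INTEGRITY) {
        applier.fail(Status.UNAUTHENTICATED.withDescription(
            "refusing to send bearer token without transport encryption"));
        return;
      }
      // Obtaining the token may block (cache refresh, signing), so do it off the transport thread.
      appExecutor.execute(() -> {
        try {
          Metadata headers = new Metadata();
          headers.put(AUTHORIZATION, "Bearer " + tokenSupplier.get());
          applier.apply(headers);
        } catch (RuntimeException e) {
          applier.fail(Status.UNAUTHENTICATED.withDescription("could not obtain token").withCause(e));
        }
      });
    }

    @Override
    public void thisUsesUnstableApi() {}
  }

  /**
   * Server side. Verifies the bearer token, closes the call with UNAUTHENTICATED when it is missing
   * or invalid, and otherwise runs the handler in a Context that carries the subject.
   */
  public static final class BearerTokenInterceptor implements ServerInterceptor {
    private final Function<String, Optional<String>> verifier; // assumed: token -> subject, empty if invalid

    public BearerTokenInterceptor(Function<String, Optional<String>> verifier) {
      this.verifier = verifier;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
        ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
      String value = headers.get(AUTHORIZATION);
      Optional<String> subject = Optional.empty();
      if (value != null && value.regionMatches(true, 0, "Bearer ", 0, 7)) {
        subject = verifier.apply(value.substring(7));
      }
      if (!subject.isPresent()) {
        call.close(Status.UNAUTHENTICATED.withDescription("missing or invalid bearer token"),
            new Metadata());
        return new ServerCall.Listener<ReqT>() {}; // no-op listener: the call is already closed
      }
      Context ctx = Context.current().withValue(AUTHENTICATED_USER, subject.get());
      return Contexts.interceptCall(ctx, call, headers, next);
    }
  }
}
```

On the client, attach the credential per stub with stub.withCallCredentials(new BearerTokenCredentials(tokenCache::current)); on the server, register the interceptor with ServerBuilder.intercept(new BearerTokenInterceptor(verifier)), after which a service method reads the caller as BearerAuth.AUTHENTICATED_USER.get(). The verifier is whatever validates the token (signature, expiry, audience); the interceptor only cares that it returns a subject or nothing.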

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 10 (10 by maintainers)

Top GitHub Comments

1 reaction
ejona86 commented, May 4, 2019

JsonWebToken itself doesn’t look useful, but JsonWebSignature looks more useful.

Bare minimum:

  1. replace ClientInterceptor with a ClientCredential
  2. include error case of authentication failing with grpc error code of Status.UNAUTHENTICATED
  3. propagate authenticated user to application (via Context)
  4. either use JWT or name it something else

Nice to haves:

  1. Actual JWT, with Bearer prefix
  2. Actual verification on server-side, potentially with JsonWebSignature

I’m worried about creating anything on client-side, since we really shouldn’t recommend signing a JWT per-RPC. That implies a cache and thread-safety, yada yada. But that would be fine.

I expect doing “real JWT” to take a while, so I would prefer this to be done in stages. But given this is Friday and the branch cut is on Monday/Tuesday, I expect I will delete the current example for 1.21.0.
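The two "nice to haves" above and the per-RPC signing concern, as an added example that is not grpc-java's code and not the maintainers' proposal: a compact HS256 JWS with a thread-safe refresh-ahead cache on the issuing side (sign once per TTL, not once per RPC) and a verifier that pins the algorithm, checks the signature before parsing any claim, and rejects expired tokens. It uses javax.crypto directly instead of JsonWebSignature so that it runs without extra dependencies; the shared key, the subject format, the TTL values and the injectable clock are assumptions made for this illustration, and the claim extraction uses regexes because the payload is authenticated before it is read and is produced by the same class.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import java.util.function.LongSupplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Minimal HS256 compact JWS: refresh-ahead token cache for the client, pinned-algorithm verifier
 * for the server. Added example, not grpc-java code.
 */
public final class Hs256Jwt {
  private static final String HEADER_JSON = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
  private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
  private static final Base64.Decoder B64D = Base64.getUrlDecoder();
  private static final Pattern EXP = Pattern.compile("\"exp\":(\\d+)");
  private static final Pattern SUB = Pattern.compile("\"sub\":\"([A-Za-z0-9._@-]+)\"");

  private final byte[] key;              // assumed: >= 32 random bytes shared with the server out of band
  private final String subject;          // assumed: plain identifier (matches SUB, so no JSON escaping)
  private final long ttlSeconds;
  private final long refreshAheadSeconds;
  private final LongSupplier clock;      // epoch seconds, injectable so tests can move time

  private String cachedToken;            // guarded by this
  private long cachedExp;                // guarded by this

  public Hs256Jwt(byte[] key, String subject, long ttlSeconds, long refreshAheadSeconds, LongSupplier clock) {
    if (key.length < 32) throw new IllegalArgumentException("HS256 key must be at least 256 bits");
    if (!SUB.matcher("\"sub\":\"" + subject + "\"").matches()) throw new IllegalArgumentException("bad subject");
    this.key = key.clone(); this.subject = subject; this.ttlSeconds = ttlSeconds;
    this.refreshAheadSeconds = refreshAheadSeconds; this.clock = clock;
  }

  /** Client side: called per RPC, but only re-signs when the cached token nears expiry. */
  public synchronized String current() {
    long now = clock.getAsLong();
    if (cachedToken == null || now >= cachedExp - refreshAheadSeconds) {
      cachedExp = now + ttlSeconds;
      String payload = "{\"sub\":\"" + subject + "\",\"iat\":" + now + ",\"exp\":" + cachedExp + "}";
      String signingInput = b64(HEADER_JSON) + "." + b64(payload);
      cachedToken = signingInput + "." + B64.encodeToString(hmac(signingInput));
    }
    return cachedToken;
  }

  /** Server side: returns the subject if signature and expiry check out, empty otherwise. */
  public Optional<String> verify(String token) {
    String[] parts = token.split("\\.", -1);
    // Pin the algorithm by comparing the encoded header verbatim: "alg":"none", RS256 and friends are
    // rejected before any crypto runs, and the MAC is checked before a single claim is parsed.
    if (parts.length != 3 || !parts[0].equals(b64(HEADER_JSON))) return Optional.empty();
    byte[] sig;
    String payload;
    try {
      sig = B64D.decode(parts[2]);
      payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException badBase64) {
      return Optional.empty();
    }
    if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), sig)) return Optional.empty();
    Matcher exp = EXP.matcher(payload);
    Matcher sub = SUB.matcher(payload);
    if (!exp.find() || !sub.find()) return Optional.empty();
    long expiresAt;
    try {
      expiresAt = Long.parseLong(exp.group(1));
    } catch (NumberFormatException overflow) {
      return Optional.empty();
    }
    if (clock.getAsLong() >= expiresAt) return Optional.empty(); // expired
    return Optional.of(sub.group(1));
  }

  private static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

  private byte[] hmac(String signingInput) {
    try {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(key, "HmacSHA256"));
      return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("HmacSHA256 unavailable", e);
    }
  }
}
```

With jwt = new Hs256Jwt(key, "alice", 300, 30, () -> System.currentTimeMillis() / 1000), jwt::current serves as the token supplier behind a CallCredentials and jwt::verify as the verifier behind a server interceptor; a tampered payload, a token with a different alg, or one whose exp has passed all come back empty and so map to UNAUTHENTICATED. The cache means that a burst of RPCs costs one HMAC per TTL window rather than one per call, which is the point made above about not signing per RPC.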

1 reaction
ejona86 commented, May 3, 2019

It also is using the Metadata Key name “jwt” for the JWT. However, it seems JWT typically uses the Authentication header with the Bearer prefix.
