Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ESPv2 authentication error getting mapped to StatusCode.UNKNOWN

See original GitHub issue

I have a gRPC endpoint that sits behind ESPv2 with JWT authentication configured and I’m trying to configure a retry policy that will retry requests when say an invalid / expired JWT is passed in the request.

I was expecting that a HTTP 401 response from ESPv2 would be mapped to StatusCode.UNAUTHENTICATED but instead it gets mapped to StatusCode.UNKNOWN.

Sample server response:

< HTTP/2 401
< date: Tue, 19 Jan 2021 06:54:03 GMT
< content-type: application/json
< content-length: 40
< strict-transport-security: max-age=15724800; includeSubDomains
< access-control-allow-origin: *
< access-control-allow-credentials: true
< access-control-allow-methods: PUT, HEAD, GET, POST, OPTIONS
< access-control-allow-headers: Authorization, X-User-Agent, X-Grpc-Web, Content-Type
<
{"code":401,"message":"Jwt is missing"}

This then gets mapped to:

{
  code: StatusCode.UNKNOWN,
  message: 'Unknown Content-type received.',
  metadata: {},
}

Relevant code seems to be here: https://github.com/grpc/grpc-web/blob/master/javascript/net/grpc/web/grpcwebclientreadablestream.js#L154-L159

Is there a way to do this?

Issue Analytics

State:
Created 3 years ago
Reactions:3
Comments:6 (1 by maintainers)

Top GitHub Comments

2reactions

j4ckofalltradescommented, Jul 26, 2021

@LiBa001 Thanks for pointing this out.

@j4ckofalltrades did you possibly change anything else, besides the CORS expose headers? Cause I don’t see how they would’ve changed the content type.

Haven’t found a solution to this one unfortunately (the other issue I had with the CORS config was unrelated to this one and I forgot to update this issue) – reopening this issue.

0reactions

ericb-summitcommented, Oct 3, 2022

espv2 is envoy based. Assuming it is possible to control the config, you could use a local reply to rewrite the 401 to something that grpc-web will consume. This works.

              local_reply_config:
                mappers:
                - filter:
                    status_code_filter:
                      comparison:
                        op: EQ
                        value:
                          default_value: 401
                          runtime_key: "%RESPONSE_CODE%"
                  headers_to_add:
                    - header:
                        key: "Content-Type"
                        value: 'application/grpc-web+proto'
                      append: false
                    - header:
                        key: "grpc-message"
                        value: 'Not authenticated'
                      append: false
                    - header:
                        key: "grpc-status"
                        value: '16'
                      append: false
                  status_code: 200
                  body:
                    inline_string: ""
                  body_format_override:
                    content_type: "application/grpc-web+proto"
                    text_format: ""

Top Results From Across the Web

Extensible Service Proxy V2 startup options - OpenAPI

The Extensible Service Proxy V2 (ESPv2) is an Envoy-based proxy that enables Cloud Endpoints to provide API management features. To configure ESPv2, you...

grpc - Bountysource

... are giving an error: {code: StatusCode.UNKNOWN, message: 'Incomplete response'} ... ESPv2 authentication error getting mapped to StatusCode.UNKNOWN $ 0.

draft-ietf-mobileip-calhoun-tep-01.txt

Tunnel establishment requires authentication. The tunnel establishment messages use some of the authentication extensions defined by [17].

Performance analysis of Proxy based encrypted ... - DiVA Portal

namespace invokes the server methods (GET, POST, PUT) for an operation to be performed. ... Null authentication which was mandatory in ESP-v2.

Unknown when authenticating with Cloud Endpoints - Stack ...

I'm trying to add authentication to my Cloud Endpoints, but I can't get it to work. I'm using this blog as a guideline: ......