I was about to ask a related question. Here is a sample of my config. The only issue is that the gRPC client gets a StatusCode.Cancelled when authorization fails.

In this scenario, the auth service at http://auth:5000 is a simple flask application performing the auth with a 3rd party identity provider. You may not need all the variables I am pushing around here, but hopefully this gives you an idea.

server {

location /some_grpc_api {

grpc_pass grpc://internal_service:50051;
grpc_set_header x-grpc-user $auth_resp_x_grpc_user;

}

# send all requests to the `/validate` endpoint for authorization
auth_request /validate;
auth_request_set $auth_resp_x_grpc_user $upstream_http_x_grpc_user;

location = /validate {

proxy_pass http://auth:5000;
# the auth service acts only on the request headers
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

}
}