Welcome! Log In Create A New Profile

Advanced

Re: request authorization with grpc (failure status code)

Maxim Dounin
July 02, 2019 09:18PM
Hello!

On Tue, Jul 02, 2019 at 11:19:54AM -0400, bmacphee wrote:

> I have an nginx configuration that passes gRPC API requests to other
> services an authorization endpoint that is used in conjunction.
>
> This works great when authorization is successful (my HTTP1 authorization
> endpoint returns HTTP 2xx status codes).
>
> When authorization fails (it returns 401), the gRPC connection initiated by
> the client receives a gRPC Cancelled(1) status code, rather than what would
> be ideal for the client - an Unauthorized (16) status code. The status
> message appears to be populated by nginx indicating the 401 failure.
>
> Is there a way to control the status code returned to the gRPC channel
> during failed auth?
>
> I tried and failed at doing this with the below configuration. Any non-200
> code returned by the auth failure handling results in the same cancelled
> status code even after trying to set the status code manually. If I
> override the return with a 200 series code, it treats authorization as
> successful (which it also bad).

[...]

> # attempt to customize grpc error code
> proxy_intercept_errors on;
> error_page 401 /grpc_auth_fail_page;
> }
>
> # attempt to customize grpc error code
> location = /grpc_auth_fail_page {
> internal;
> grpc_set_header grpc-status 16;
> grpc_set_header grpc-message "Unauthorized";
> return 401;

The "grpc_set_header" directive controls headers sent to the
backend server with grpc_pass. In your setup you need to control
headers returned to the client, so you have to use "add_header"
instead. Or, given that gRPC uses trailers as long as there is a
response body, you may have to use "add_trailer".

Additionally, gRPC requires error code 200 for all responses.
That is, you may have to use something like

error_page 401 = /grpc_auth_fail_page;

location = /grpc_auth_fail_page {
...
return 200 "";
}

to return status code 200.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

request authorization with grpc (failure status code)

bmacphee July 02, 2019 11:19AM

Re: request authorization with grpc (failure status code)

Maxim Dounin July 02, 2019 09:18PM

Re: request authorization with grpc (failure status code)

bmacphee July 16, 2019 04:23PM

Re: request authorization with grpc (failure status code)

Maxim Dounin July 17, 2019 07:50AM

Re: request authorization with grpc (failure status code)

bmacphee July 17, 2019 08:22AM

Re: request authorization with grpc (failure status code)

bmacphee July 17, 2019 08:35AM

Re: request authorization with grpc (failure status code)

bmacphee July 17, 2019 08:32AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 99
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready