Welcome! Log In Create A New Profile

Re: request authorization with grpc (failure status code)

Forum List Message List New Topic Print View

Maxim Dounin

July 02, 2019 09:18PM

Hello!

On Tue, Jul 02, 2019 at 11:19:54AM -0400, bmacphee wrote:

> I have an nginx configuration that passes gRPC API requests to other
> services an authorization endpoint that is used in conjunction.
>
> This works great when authorization is successful (my HTTP1 authorization
> endpoint returns HTTP 2xx status codes).
>
> When authorization fails (it returns 401), the gRPC connection initiated by
> the client receives a gRPC Cancelled(1) status code, rather than what would
> be ideal for the client - an Unauthorized (16) status code. The status
> message appears to be populated by nginx indicating the 401 failure.
>
> Is there a way to control the status code returned to the gRPC channel
> during failed auth?
>
> I tried and failed at doing this with the below configuration. Any non-200
> code returned by the auth failure handling results in the same cancelled
> status code even after trying to set the status code manually. If I
> override the return with a 200 series code, it treats authorization as
> successful (which it also bad).

[...]

> # attempt to customize grpc error code
> proxy_intercept_errors on;
> error_page 401 /grpc_auth_fail_page;
> }
>
> # attempt to customize grpc error code
> location = /grpc_auth_fail_page {
> internal;
> grpc_set_header grpc-status 16;
> grpc_set_header grpc-message "Unauthorized";
> return 401;

The "grpc_set_header" directive controls headers sent to the
backend server with grpc_pass. In your setup you need to control
headers returned to the client, so you have to use "add_header"
instead. Or, given that gRPC uses trailers as long as there is a
response body, you may have to use "add_trailer".

Additionally, gRPC requires error code 200 for all responses.
That is, you may have to use something like

error_page 401 = /grpc_auth_fail_page;

location = /grpc_auth_fail_page {
...
return 200 "";
}

to return status code 200.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
request authorization with grpc (failure status code)	bmacphee	July 02, 2019 11:19AM
Re: request authorization with grpc (failure status code)	Maxim Dounin	July 02, 2019 09:18PM
Re: request authorization with grpc (failure status code)	bmacphee	July 16, 2019 04:23PM
Re: request authorization with grpc (failure status code)	Maxim Dounin	July 17, 2019 07:50AM
Re: request authorization with grpc (failure status code)	bmacphee	July 17, 2019 08:22AM
Re: request authorization with grpc (failure status code)	bmacphee	July 17, 2019 08:35AM
Re: request authorization with grpc (failure status code)	bmacphee	July 17, 2019 08:32AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 306

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018