examples/python/auth/README.md - platform/external/grpc-grpc - Git at Google

 # Authentication Extension Example in gRPC Python

 ## Check Our Guide First

 For most common usage of authentication in gRPC Python, please see our
 [Authentication](https://grpc.io/docs/guides/auth/) guide's Python section. The
 Guide includes following scenarios:

 1. Server SSL credential setup
 2. Client SSL credential setup
 3. Authenticate with Google using a JWT
 4. Authenticate with Google using an Oauth2 token

 Also, the guide talks about gRPC specific credential types.

 ### Channel credentials

 Channel credentials are attached to a `Channel` object, the most common use case
 are SSL credentials.

 ### Call credentials

 Call credentials are attached to a `Call` object (corresponding to an RPC).
 Under the hood, the call credentials is a function that takes in information of
 the RPC and modify metadata through callback.

 ## About This Example

 This example focuses on extending gRPC authentication mechanism:
 1) Customize authentication plugin;
 2) Composite client side credentials;
 3) Validation through interceptor on server side.

 ## AuthMetadataPlugin: Manipulate metadata for each call

 Unlike TLS/SSL based authentication, the authentication extension in gRPC Python
 lives at a much higher level of networking. It relies on the transmission of
 metadata (HTTP Header) between client and server, instead of alternating the
 transport protocol.

 gRPC Python provides a way to intercept an RPC and append authentication related
 metadata through
 [`AuthMetadataPlugin`](https://grpc.github.io/grpc/python/grpc.html#grpc.AuthMetadataPlugin).
 Those in need of a custom authentication method may simply provide a concrete
 implementation of the following interface:

 ```Python
 class AuthMetadataPlugin:
     """A specification for custom authentication."""

     def __call__(self, context, callback):
         """Implements authentication by passing metadata to a callback.

         Implementations of this method must not block.

         Args:
           context: An AuthMetadataContext providing information on the RPC that
             the plugin is being called to authenticate.
           callback: An AuthMetadataPluginCallback to be invoked either
             synchronously or asynchronously.
         """
 ```

 Then pass the instance of the concrete implementation to
 `grpc.metadata_call_credentials` function to be converted into a
 `CallCredentials` object. Please NOTE that it is possible to pass a Python
 function object directly, but we recommend to inherit from the base class to
 ensure implementation correctness.


 ```Python
 def metadata_call_credentials(metadata_plugin, name=None):
     """Construct CallCredentials from an AuthMetadataPlugin.

     Args:
       metadata_plugin: An AuthMetadataPlugin to use for authentication.
       name: An optional name for the plugin.

     Returns:
       A CallCredentials.
     """
 ```

 The `CallCredentials` object can be passed directly into an RPC like:

 ```Python
 call_credentials = grpc.metadata_call_credentials(my_foo_plugin)
 stub.FooRpc(request, credentials=call_credentials)
 ```

 Or you can use `ChannelCredentials` and `CallCredentials` at the same time by
 combining them:

 ```Python
 channel_credentials = ...
 call_credentials = ...
 composite_credentials = grpc.composite_channel_credentials(
     channel_credential,
     call_credentials)
 channel = grpc.secure_channel(server_address, composite_credentials)
 ```

 It is also possible to apply multiple `CallCredentials` to a single RPC:

 ```Python
 call_credentials_foo = ...
 call_credentials_bar = ...
 call_credentials = grpc.composite_call_credentials(
     call_credentials_foo,
     call_credentials_bar)
 stub.FooRpc(request, credentials=call_credentials)
 ```

 ## Token-based authentication

 Instead of `AuthMetadataPlugin`, you can also use token-based authentication
 mechanisms using OAuth2 tokens or other customized tokens.

 OAuth2 tokens can be obtained using libraries like [google-auth](https://google-auth.readthedocs.io/en/master/user-guide.html):

 ```Python
 import google.auth

 google_credentials, unused_project_id = google.auth.default()
 call_credentials = grpc.access_token_call_credentials(google_credentials.token)
 ```

 After obtaining the token, the rest of the flow is documented in [token_based_auth_client.py](https://github.com/grpc/grpc/tree/master/examples/python/auth/token_based_auth_client.py) and [token_based_auth_server.py](https://github.com/grpc/grpc/tree/master/examples/python/auth/token_based_auth_server.py).
	# Authentication Extension Example in gRPC Python

	## Check Our Guide First

	For most common usage of authentication in gRPC Python, please see our
	[Authentication](https://grpc.io/docs/guides/auth/) guide's Python section. The
	Guide includes following scenarios:

	1. Server SSL credential setup
	2. Client SSL credential setup
	3. Authenticate with Google using a JWT
	4. Authenticate with Google using an Oauth2 token

	Also, the guide talks about gRPC specific credential types.

	### Channel credentials

	Channel credentials are attached to a `Channel` object, the most common use case
	are SSL credentials.

	### Call credentials

	Call credentials are attached to a `Call` object (corresponding to an RPC).
	Under the hood, the call credentials is a function that takes in information of
	the RPC and modify metadata through callback.

	## About This Example

	This example focuses on extending gRPC authentication mechanism:
	1) Customize authentication plugin;
	2) Composite client side credentials;
	3) Validation through interceptor on server side.

	## AuthMetadataPlugin: Manipulate metadata for each call

	Unlike TLS/SSL based authentication, the authentication extension in gRPC Python
	lives at a much higher level of networking. It relies on the transmission of
	metadata (HTTP Header) between client and server, instead of alternating the
	transport protocol.

	gRPC Python provides a way to intercept an RPC and append authentication related
	metadata through
	[`AuthMetadataPlugin`](https://grpc.github.io/grpc/python/grpc.html#grpc.AuthMetadataPlugin).
	Those in need of a custom authentication method may simply provide a concrete
	implementation of the following interface:

	```Python
	class AuthMetadataPlugin:
	"""A specification for custom authentication."""

	def __call__(self, context, callback):
	"""Implements authentication by passing metadata to a callback.

	Implementations of this method must not block.

	Args:
	context: An AuthMetadataContext providing information on the RPC that
	the plugin is being called to authenticate.
	callback: An AuthMetadataPluginCallback to be invoked either
	synchronously or asynchronously.
	"""
	```

	Then pass the instance of the concrete implementation to
	`grpc.metadata_call_credentials` function to be converted into a
	`CallCredentials` object. Please NOTE that it is possible to pass a Python
	function object directly, but we recommend to inherit from the base class to
	ensure implementation correctness.


	```Python
	def metadata_call_credentials(metadata_plugin, name=None):
	"""Construct CallCredentials from an AuthMetadataPlugin.

	Args:
	metadata_plugin: An AuthMetadataPlugin to use for authentication.
	name: An optional name for the plugin.

	Returns:
	A CallCredentials.
	"""
	```

	The `CallCredentials` object can be passed directly into an RPC like:

	```Python
	call_credentials = grpc.metadata_call_credentials(my_foo_plugin)
	stub.FooRpc(request, credentials=call_credentials)
	```

	Or you can use `ChannelCredentials` and `CallCredentials` at the same time by
	combining them:

	```Python
	channel_credentials = ...
	call_credentials = ...
	composite_credentials = grpc.composite_channel_credentials(
	channel_credential,
	call_credentials)
	channel = grpc.secure_channel(server_address, composite_credentials)
	```

	It is also possible to apply multiple `CallCredentials` to a single RPC:

	```Python
	call_credentials_foo = ...
	call_credentials_bar = ...
	call_credentials = grpc.composite_call_credentials(
	call_credentials_foo,
	call_credentials_bar)
	stub.FooRpc(request, credentials=call_credentials)
	```

	## Token-based authentication

	Instead of `AuthMetadataPlugin`, you can also use token-based authentication
	mechanisms using OAuth2 tokens or other customized tokens.

	OAuth2 tokens can be obtained using libraries like [google-auth](https://google-auth.readthedocs.io/en/master/user-guide.html):

	```Python
	import google.auth

	google_credentials, unused_project_id = google.auth.default()
	call_credentials = grpc.access_token_call_credentials(google_credentials.token)
	```

	After obtaining the token, the rest of the flow is documented in [token_based_auth_client.py](https://github.com/grpc/grpc/tree/master/examples/python/auth/token_based_auth_client.py) and [token_based_auth_server.py](https://github.com/grpc/grpc/tree/master/examples/python/auth/token_based_auth_server.py).