• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2019 The gRPC Authors
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package io.grpc.examples.jwtauth;
18 
19 import io.grpc.Context;
20 import io.grpc.Contexts;
21 import io.grpc.Metadata;
22 import io.grpc.ServerCall;
23 import io.grpc.ServerCallHandler;
24 import io.grpc.ServerInterceptor;
25 import io.grpc.Status;
26 import io.jsonwebtoken.Claims;
27 import io.jsonwebtoken.Jws;
28 import io.jsonwebtoken.JwtException;
29 import io.jsonwebtoken.JwtParser;
30 import io.jsonwebtoken.Jwts;
31 
32 /**
33  * This interceptor gets the JWT from the metadata, verifies it and sets the client identifier
34  * obtained from the token into the context. In order not to complicate the example with additional
35  * checks (expiration date, issuer and etc.), it relies only on the signature of the token for
36  * verification.
37  */
38 public class JwtServerInterceptor implements ServerInterceptor {
39 
40   private JwtParser parser = Jwts.parser().setSigningKey(Constant.JWT_SIGNING_KEY);
41 
42   @Override
interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler)43   public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall,
44       Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
45     String value = metadata.get(Constant.AUTHORIZATION_METADATA_KEY);
46 
47     Status status = Status.OK;
48     if (value == null) {
49       status = Status.UNAUTHENTICATED.withDescription("Authorization token is missing");
50     } else if (!value.startsWith(Constant.BEARER_TYPE)) {
51       status = Status.UNAUTHENTICATED.withDescription("Unknown authorization type");
52     } else {
53       Jws<Claims> claims = null;
54       // remove authorization type prefix
55       String token = value.substring(Constant.BEARER_TYPE.length()).trim();
56       try {
57         // verify token signature and parse claims
58         claims = parser.parseClaimsJws(token);
59       } catch (JwtException e) {
60         status = Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e);
61       }
62       if (claims != null) {
63         // set client id into current context
64         Context ctx = Context.current()
65             .withValue(Constant.CLIENT_ID_CONTEXT_KEY, claims.getBody().getSubject());
66         return Contexts.interceptCall(ctx, serverCall, metadata, serverCallHandler);
67       }
68     }
69 
70     serverCall.close(status, new Metadata());
71     return new ServerCall.Listener<ReqT>() {
72       // noop
73     };
74   }
75 
76 }
77