# kotlinx-rpc
s
What's the proposed way of handling user authentication and access control? Using Ktor's auth plugin I can only deny or accept a connection to the RPC route. Unlike normal HTTP requests, I don't see a way to forward a JWT principal to the service classes.
Of course I could pass the token as a parameter to the RPC call from the client rather than in the Authorization header, but I'm unsure whether that has any security implications.
a
Hi! Right now we don't have any particular advice on it; there was a discussion in the GitHub issues about JWT tokens: https://github.com/Kotlin/kotlinx-rpc/issues/177
s
Another problem is that the RPC request does not seem to carry a bearer token like a normal HTTP call does.
I think he encountered the same issue. For normal HTTP requests, you would get access to the JWT payload via the ApplicationCall, something like `call.principal<JWTPrincipal>()?.payload?.getClaim("userId")`. I don't think there's an equivalent for this using the RPC service.
So, with the Ktor auth plugin you can only validate whether the incoming request carries a valid JWT token or not, but ultimately, in the service class, I can't determine which user made the request.
a
Yes, this seems to be the case for now. We will look into it in future releases.