
Securing gRPC Endpoints with Single Sign-on

Learn how to apply authentication and authorization to gRPC calls.

When we deploy any type of application, we usually need to restrict certain functionality within it. To do so, we use two different techniques: authentication and authorization. Authentication is the process by which a user proves that they are who they claim to be. For example, authentication succeeds when the user has supplied the correct combination of username and password. Authorization is the process of restricting access based on permissions. For example, even an authenticated user may still not be allowed to access resources that require special permissions.

Figure: Authentication vs. authorization

Single Sign-on (SSO) allows all applications within a shared system to share the user's credentials. This way, the user has to log in only once; the credentials obtained from that single login are then shared by all applications that communicate with each other.

Introduction to OpenID Connect and OAuth

There are multiple protocols that enable SSO, but two of the most commonly used are OpenID Connect and OAuth. OpenID Connect controls the process of authentication, while OAuth controls authorization. The diagram below shows how SSO works when these protocols are applied.

Figure: OpenID Connect SSO overview

To enable SSO across the entire system, there is a shared SSO provider. Many products can fill this role, including Keycloak, Okta, and IdentityServer, and they all work in a similar fashion. They use OpenID Connect for the authentication flow. Once authentication succeeds, the provider returns an encoded token that can be shared between the applications. This token carries the relevant user data, including the user's permissions. The OAuth protocol is responsible for the structure of the token and for the process of verifying it.
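To make the two ideas concrete, here is an added example (not the lesson's own code) of an ASP.NET Core gRPC host that accepts the token described above. The host validates bearer tokens against the SSO provider's OpenID Connect issuer (authentication) and then enforces a claim-based policy on one RPC (authorization). The issuer URL, audience, claim name, and the Reports service with its request and reply message types are placeholders assumed for this example; a real project would generate the service base class from its own .proto file and would take the provider settings from configuration. The packages used are Grpc.AspNetCore and Microsoft.AspNetCore.Authentication.JwtBearer.

```csharp
// Added example, not the lesson's code. Assumed placeholders: the issuer URL,
// the audience, the "permission" claim, and the Reports gRPC service/messages.
using System.Security.Claims;
using Grpc.AspNetCore.Server;              // ServerCallContext.GetHttpContext()
using Grpc.Core;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddGrpc();

// Authentication: accept JWTs issued by the SSO provider. Authority points at
// the OpenID Connect issuer; the signing keys are fetched from its discovery
// document, so no key material is stored in this service.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://sso.example.test/realms/demo"; // placeholder issuer
        options.Audience = "grpc-api";                               // placeholder audience
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,           // token must come from the configured issuer
            ValidateAudience = true,         // token must be meant for this API
            ValidateLifetime = true,         // reject expired or not-yet-valid tokens
            ValidateIssuerSigningKey = true, // signature must match a provider key
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });

// Authorization: a policy that requires a specific permission claim in the
// token. Being authenticated is not enough to satisfy it.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanReadDetails", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("permission", "reports:read")); // placeholder claim
});

var app = builder.Build();

// Order matters: authenticate first, then authorize, then route to gRPC.
app.UseAuthentication();
app.UseAuthorization();
app.MapGrpcService<ReportsService>();

app.Run();

// [Authorize] on the class means every RPC requires a valid token
// (authentication). The policy on GetDetails adds a permission check
// (authorization). Reports.ReportsBase and the message types are assumed to be
// generated from a proto file that defines GetSummary and GetDetails.
[Authorize]
public class ReportsService : Reports.ReportsBase
{
    public override Task<SummaryReply> GetSummary(SummaryRequest request, ServerCallContext context)
    {
        // The validated token's claims are exposed as the request's ClaimsPrincipal.
        ClaimsPrincipal user = context.GetHttpContext().User;
        string subject = user.FindFirst("sub")?.Value ?? "unknown";
        return Task.FromResult(new SummaryReply { Message = $"summary for {subject}" });
    }

    [Authorize(Policy = "CanReadDetails")]
    public override Task<DetailsReply> GetDetails(DetailsRequest request, ServerCallContext context)
    {
        return Task.FromResult(new DetailsReply { Message = "detailed report" });
    }
}
```

A call without a token, or with a token from a different issuer or audience, is rejected before the service method runs and surfaces to the client as an Unauthenticated status; a valid token that lacks the permission claim reaches GetSummary but is refused on GetDetails with PermissionDenied. Because the provider's keys are discovered from the Authority URL, rotating keys at the SSO provider requires no change to this service.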

In this lesson, we'll enable SSO in a gRPC application. We'll start from the following project setup. The principles outlined here apply to any other SSO provider that uses the standard authentication and authorization protocols.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  }
}
Initial solution setup

JWT and user claims

When the user opens a user-facing application for ...