Add example how to use the AsyncAuthInterceptor #25620
Conversation
* added example service registration that uses the AsyncAuthInterceptor to request a bearer token See grpc/grpc-dotnet#1682
aspnetcore/grpc/authn-and-authz.md
Outdated
| @@ -171,6 +171,43 @@ The preceeding code: | |||
| * Registers the `GreeterClient` type with client factory. | |||
| * Configures the `AuthInterceptor` for this client using `InterceptorScope.Client`. A new interceptor is created for each client instance. When a client is created for a gRPC service or Web API controller, the scoped `ITokenProvider` is injected into the interceptor. | |||
|
|
|||
| ##### Bearer token with gRPC client factory using AsyncAuthInterceptor | |||
There was a problem hiding this comment.
I'll move the final version of this sample if there is one approved by JamesNK to a full client factory app sample for .NET 6 and then pull in the relevant snippets
| var scopeFactory = sp.GetRequiredService<IServiceScopeFactory>(); | ||
| var asyncAuthInterceptor = new AsyncAuthInterceptor(async (context, metadata) => | ||
| { | ||
| using var scope = scopeFactory.CreateScope(); |
There was a problem hiding this comment.
Hmm, is creating a new scope here, and registering ITokenProvider with a scoped lifetime providing any benefit?
Each call is creating a new scope, and each time a new ITokenProvider instance is created. Is that much different from a transient lifetime? I haven't built a full gRPC app using scoped auth, but I would have thought the benefit that you're aiming for is caching the token per-request, so calls for that request share it. Will you get that here?
I wonder if there should be a new extension method for the gRPC client factory that is just for configuring AsyncAuthInterceptor. An overload can include an IServiceProvider that uses the current request scope.
There was a problem hiding this comment.
I figured this would be necessary if ITokenProvider is registered as 'scoped' - or itself has dependencies registered as scoped services. If a background process opens an RPC connection (service-2-service communication) we don't necessarily have a scope - then there would be an exception here, right?
There was a problem hiding this comment.
The example would be shorter and probably easier to understand if we say
[...] and has been registered as singleton service [...]
There was a problem hiding this comment.
@JamesNK, it is not clear to me what state this is in at the moment. Does the example require a changed from what it is at this point?
Co-authored-by: James Newton-King <james@newtonking.com>
Co-authored-by: James Newton-King <james@newtonking.com>
Co-authored-by: James Newton-King <james@newtonking.com>
|
This docs PR has inspired some new features in the gRPC client factory. It should make this much easier. See grpc/grpc-dotnet#1705 Let's pause this PR and then adapt it to the new feature once it's merged. |
|
Thanks for working on this. A new feature and docs - #25734 - replaces this. Closing |
Fixes grpc/grpc-dotnet#1682
Fixes #24132