Asynchronous interceptor

[thekeenant]

I'm working with Tonic (+tokio) trying to introduce authentication/authorization for my gRPC server. I can see a simple example of this here. However, I think auth would typically involve dispatching some additional request (e.g. http, rpc, or some database request) to make the decision to return Ok or Err (to check db for presence of some token, or username/password, etc.)

Is it possible to call such an async function from a Tonic interceptor? Or maybe it's necessary to use Tower to accomplish this and if that's the case, any plans to make regular Tonic interceptors async capable?

[davidpdrsn]

Async interceptors currently requires writing a tower service middleware.

Several people have asked about it so probably does make sense to have a convenient API for 😊

[jdahlq]

FYI I have published v0.1.0 of tonic-async-interceptor which uses tonic v0.8.1. Hope it is useful!

[liufuyang]

@jdahlq Do you know if it is possible to also use your tonic-async-interceptor for a client/Channel? For now we have an Interceptor and used it on a client with the generated .with_interceptor() method

Later we might need to switch the interceptor with some auth manager that seems only providing an async API. But now I am not sure how we can switch it to an async interceptor. (Or perhaps there are other ways to do this?) cc @LucioFranco

---

Or maybe in short, how can one uses a token generated by an async method in the simple client example

[talksik]

is this not supported? I feel like this is a fundamental feature for allowing production rust grpc

[rthomas]

@jdahlq Do you know if it is possible to also use your tonic-async-interceptor for a client/Channel? For now we have an Interceptor and used it on a client with the generated .with_interceptor() method

Later we might need to switch the interceptor with some auth manager that seems only providing an async API. But now I am not sure how we can switch it to an async interceptor. (Or perhaps there are other ways to do this?) cc @LucioFranco

Or maybe in short, how can one uses a token generated by an async method in the simple client example

Hi @liufuyang did you find a solution here? I've hit the same issue trying to make a k8s call to validate a service account token.

[liufuyang]

I am not sure if it can help but I seemed solved it by using a tower service, like this:

https://github.com/liufuyang/bigtable_rs/blob/3784be482e9d7892c7e8c2d7dd822f43f2e06a87/bigtable_rs/src/auth_service.rs#L35

Then that service (with some auth middleware) then is used to create a grpc client.
https://github.com/liufuyang/bigtable_rs/blob/3784be482e9d7892c7e8c2d7dd822f43f2e06a87/bigtable_rs/src/bigtable.rs#L324C1-L327C42

Not sure if this helps and whether this is the recommended way to do such thing nowadays.

[Falmarri]

Seems like this is in a weird state at the moment. The Tower service version doesn't work if you also need to run axum 0.7 in the same app because of tower version dependencies until this is merged #1579

I haven't tried the async-interceptor trait, but I'm hoping that will work because it includes its own dependency tree, but i was hoping to keep the dependencies down.

[teimuraz]

I also stuck finding good example is using async interceptor / middleware. Managed to do it with Tower. Made little lib to simplify creation of async interceptors / and "Full" Middlewares (intercept whole service call) . Hopefully, it can help someone else out too! https://github.com/teimuraz/tonic-middleware

[felipellrocha]

Any updates on this? I also just got stuck here having to hack around in order to use an async interceptor

[dallinwright-tradecrit]

I got it to work, also with app state propagated to the async interceptor as well. Hard to get it stitched all together from various examples/blogs but I got it work, using crate tonic-async-interceptor = "0.12.0"

    let app_state_clone = app_state.clone();
    let auth_interceptor = move |req: Request<()>| {
        let app_state = app_state_clone.clone();
        async move { check_auth(req, app_state).await }
    };

    Server::builder()
        .layer(async_interceptor(auth_interceptor))
        .add_service(health_service)
        .serve(addr)
        .await?;

and an example of what the interceptor looks like

pub async fn check_auth(req: Request<()>, app_state: AppState) -> Result<Request<()>, Status> {
    let token: &MetadataValue<Ascii> = req.metadata().get("authorization").unwrap();

    tracing::debug!("Checking auth token: {:?}", token);

    let auth_url = app_state.auth_url.clone();

    let authentication_client = AuthenticationClient::connect("http://localhost:50051").await.unwrap();

  // do the auth stuff, Ok the req on success or return an error if not

 Ok(req)
}

[daniele-solutiontech]

Any update on this? Native support for async interceptor would be extremely useful!