duancilan5124 2016-10-22 16:46
Accepted

golang JSON RPC authorization

I was experimenting with RPC as an alternative to some services actually implemented using HTTP REST APIs. Since these services are actually not public and are used only by other services, using RPC could make more sense.

I'm looking for some hints regarding RPC authorization best practices, since I'm really not sure about the way to follow.

I'm using golang for this.

  • how do I make sure an RPC gets used only by authorized services

  • can I authorize only a subset of the exposed procedures

Thx


  • drui0508 2016-10-22 18:18

    You could handle authorisation in a similar way to authorisation of REST services.

    JSON Web Tokens (JWT) are a widely used authorisation method. You can find demonstrations and a conceptual overview of JWTs at jwt.io. In brief, JWTs are a signed JSON object, encoded as a string. The JSON object can make any number of arbitrary "claims" about the permissions the client has.

    Your service would sign a JWT (using a private key) and pass it to the client during authentication, which I suggest would be done by a JSON-RPC method that checks the permissions of the client (by API key, username and password or whatever). Your protected methods could then require a JWT as one of their parameters: performing their normal functionality if the JWT is verified and has the correct claims, else returning an error.

    I suggest having a look at the github.com/dgrijalva/jwt-go package. It provides methods for issuing and verifying JWTs.

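The flow described in the answer above, as an added example that is not part of the original answer: the authentication method would call `Issue`, and each protected method calls `Authorize` first, which also answers the "subset of procedures" question through a per-method claim. It uses only the Go standard library with an HMAC-SHA256 (HS256) shared secret rather than jwt-go and a private key; the secret, claim layout and method names are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var secret = []byte("constructed-demo-secret") // assumption: loaded from a secret store
var b64 = base64.RawURLEncoding
// Claims (hypothetical layout): RPC methods the caller may invoke, and expiry.
type Claims struct {
	Methods map[string]bool `json:"methods"`
	Exp     int64           `json:"exp"`
}

func mac(msg string) string { // base64url(HMAC-SHA256(secret, msg))
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}

// Issue builds the token the authentication RPC returns after checking credentials.
func Issue(c Claims) string {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + mac(msg)
}

// Authorize runs first in each protected method (now = Unix time); the header's alg is never trusted.
func Authorize(token, method string, now int64) error {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(mac(p[0]+"."+p[1]))) {
		return fmt.Errorf("bad token or signature")
	}
	var c Claims
	raw, _ := b64.DecodeString(p[1])
	if json.Unmarshal(raw, &c) != nil || now >= c.Exp || !c.Methods[method] {
		return fmt.Errorf("token expired or does not grant %q", method)
	}
	return nil
}

func main() {
	fmt.Println(Authorize(Issue(Claims{map[string]bool{"Orders.Get": true}, 2000}), "Orders.Delete", 1000))
}
```

In a real service, pass `time.Now().Unix()` as `now` and prefer a maintained JWT library over this hand-rolled verifier; the github.com/dgrijalva/jwt-go repository has since been archived in favour of github.com/golang-jwt/jwt.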
