I was experimenting with RPC as alternative to some services actually implemented using http REST APIs. Since this services are actually not public and are used only by other services using RPC could make more sense.
I'm looking for some hint regarding RPC authorization best practices since I'm really not sure about the way to follow.
I'm using golang for this
how do I make sure an RPC get used only by authorized services
can I authorize only a subset of the exposed procedures
Thx
我正在尝试使用RPC作为使用HTTP REST API实际实现的某些服务的替代方法。 由于此服务实际上是不公开的,并且仅由使用RPC的其他服务使用才更有意义。
我正在寻找有关RPC授权最佳做法的一些提示 自从我真的
我正在为此使用golang
我如何确定 RPC仅由授权服务使用
我可以仅授权暴露过程的子集
Thx
You could handle authorisation in a similar way to authorisation of REST services.
JSON Web Tokens (JWT) are a widely used authorisation method. You can find demonstrations and a conceptual overview of JWTs at jwt.io. In brief, JWTs are a signed JSON object, encoded as a string. The JSON object can make any number of arbitrary "claims" about the permissions the client has.
Your service would sign a JWT (using a private key) and pass it to the client during authentication, which I suggest would be done by a JSON-RPC method that checks the permissions of the client (by API key, username and password or whatever). Your protected methods could then require a JWT as one of their parameters: performing their normal functionality if the JWT is verified and has the correct claims, else returning an error.
I suggest having a look at the github.com/dgrijalva/jwt-go package. It provides methods for issuing and verifying JWTs.
微信扫一扫