Hi all does anybody have an example of using the PAT with Or Ory Community #ory-network

Hi all, does anybody have an example of using the ...

loud-honey-70375

11/17/2022, 12:44 AM

Hi all, does anybody have an example of using the PAT with Ory Network & Ory Keto via gRPC on Node.js? I can't find any documentation on it, and was hoping the following would work, but no luck 😅

Copy code

function generateAuthorizationMetadata(params, callback) {
    const metadata = new Metadata()
    metadata.add('authorization', 'Bearer ' + options.accessToken);
    callback(null, metadata);
  }

  if (options.accessToken?.length) {
    return new CheckServiceClient(`${options.ketoCheckUri}`,
      credentials.createFromMetadataGenerator(generateAuthorizationMetadata)
    );
  }

Edit: ~~just noticed this was using 'authorization' and not 'Authorization', going to test this now~~ Still not working, I'd rather not switch over to a http client if it can be avoided

steep-lamp-91158

11/17/2022, 8:28 AM

In go we are using this approach: https://github.com/ory/keto/blob/a2a391233658404aeeb578cdf6ace75ecd312e88/cmd/client/grpc_client.go#L54 it is not strictly an oauth request, but it sets the correct header

steep-lamp-91158

11/17/2022, 8:30 AM

ah found some example in our e2e tests:

Copy code

function credentialsForToken(token?: string): grpc.ChannelCredentials {
  const metaCallback = (_: any, callback: any) => {
    const meta = new grpc.Metadata()
    if (token) {
      meta.add("authorization", "Bearer " + token)
    }
    callback(null, meta)
  }
  const callCreds = grpc.credentials.createFromMetadataGenerator(metaCallback)

  return grpc.credentials.combineChannelCredentials(
    callCreds,
  )
}

steep-lamp-91158

11/17/2022, 8:31 AM

which does look the same as yours 🤔

steep-lamp-91158

11/17/2022, 8:32 AM

ah sorry, forgot that our release pipeline is lacking a bit, and grpc support is not yet on production

steep-lamp-91158

11/17/2022, 8:32 AM

it should be very soon though

loud-honey-70375

11/17/2022, 12:21 PM

Thats great, thanks!

loud-honey-70375

11/17/2022, 12:21 PM

Is there anywhere I can track the status of this?

steep-lamp-91158

11/17/2022, 12:22 PM

not really, sorry

modern-minister-63236

11/17/2022, 2:35 PM

this concerns my efforts here, too. Does this only apply to the managed version of keto, or can I try to host it myself?

loud-honey-70375

11/17/2022, 2:39 PM

If you are self hosting it, I think the best approach is probably to use no credentials and have it on the same backend secured network

steep-lamp-91158

11/17/2022, 2:58 PM

self hosted works with grpc right now

👍 1

loud-honey-70375

11/18/2022, 4:26 PM

@steep-lamp-91158 Hi, sorry to be a bother but I'm new to gRPC and I'm basing my implementation off this test but am running into typing issues.

grpc.credentials.createFromMetadataGenerator(metaCallback);

returns type CallCredentials, but the function prototype for

grpc.credentials.combineChannelCredentials

has 2 arguments, first the channelCredentials and then callCredentials. I tried combining with insecure channel credentials,

credentials.createInsecure()

, but get the rather generic error 'Cannot compose insecure credentials'

loud-honey-70375

11/18/2022, 4:27 PM

Im guessing the test is written with Node.js/Express and not nestjs/typescript, so the there is no typing

loud-honey-70375

11/18/2022, 4:51 PM

Got it! The gRPC client doesn't allowed you to attach call credentials to an insecure connection, which makes sense, so I just needed to create a secure context for the channel, which I then attached the credentials to. I'm assuming this was omitted from the snippet you shared for security reasons

steep-lamp-91158

11/18/2022, 5:47 PM

You should be able to run all of this through TLS, that's what we do in the test. No need for insecure.

loud-honey-70375

11/18/2022, 5:49 PM

Yep, I have everything up and running perfectly now live through TLS! 😁

steep-lamp-91158

11/18/2022, 6:02 PM

Nice

15 Views

Open in Slack

Previous Next