In TLS mutual authentication, I am aware that ClientAuth (io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth, to be precise) has three modes:
- None - Server does not request any client certificate
- Optional - Server requests a client certificate, but whether it is valid or not the server will let it pass through
- Require - Client must provide a valid certificate
But say I have two gRPC service definitions. For the first one I do not want any authentication, and for the second one I do want the strict Require authentication. How do I do this?
Should the server then be configured in 'Optional' mode, with an interceptor that validates the client certificate based on the service being accessed by the client? If yes, this does seem comparatively heavier, and it also leaves more room for error.
(Perhaps the previous paragraph makes me sound lazy, as if I were outsourcing my security work to someone else :p, but I am just trying to find the best possible way to achieve this functionality and re-use existing frameworks instead of re-doing it.)
Originally asked as a question here, but I have not received any response so far.
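The interceptor approach the question sketches, written out as an added example (this is not code from the original post or from grpc-java itself). It runs one Netty-based gRPC server with `ClientAuth.OPTIONAL`, attaches a `ServerInterceptor` only to the service that must be mutually authenticated, and uses the `Grpc.TRANSPORT_ATTR_SSL_SESSION` attribute to check whether the TLS session actually carries a client certificate. The file names (`server.crt`, `server.key`, `client-ca.crt`), the port, and the two service classes `PublicServiceImpl` and `AdminServiceImpl` (assumed to extend the generated `*ImplBase` stubs) are placeholders, not anything from the post.

```java
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.Server;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.ServerInterceptors;
import io.grpc.Status;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.io.File;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example, not from the original post: one server, OPTIONAL client auth at the
// TLS layer, with a per-service interceptor that fails closed when no client cert exists.
public final class PerServiceMtlsServer {

    /** Subject DN of the authenticated client, made available to the service implementation. */
    static final Context.Key<String> CLIENT_SUBJECT = Context.key("client-subject");

    /** Rejects any call whose TLS session does not carry a client certificate. */
    static final class RequireClientCert implements ServerInterceptor {
        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
                ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            SSLSession session = call.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
            if (session == null) {
                // No TLS on this transport at all: fail closed rather than assume anything.
                call.close(Status.UNAUTHENTICATED.withDescription("TLS required"), new Metadata());
                return new ServerCall.Listener<ReqT>() {};
            }
            Certificate[] chain;
            try {
                // Throws when the handshake completed without a client certificate,
                // which is exactly the case ClientAuth.OPTIONAL lets through.
                chain = session.getPeerCertificates();
            } catch (SSLPeerUnverifiedException e) {
                call.close(Status.UNAUTHENTICATED.withDescription("client certificate required"),
                        new Metadata());
                return new ServerCall.Listener<ReqT>() {};
            }
            String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            Context ctx = Context.current().withValue(CLIENT_SUBJECT, subject);
            return Contexts.interceptCall(ctx, call, headers, next);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names: server cert/key and the CA that issued client certs.
        SslContext sslContext = GrpcSslContexts
                .forServer(new File("server.crt"), new File("server.key"))
                .trustManager(new File("client-ca.crt"))
                .clientAuth(ClientAuth.OPTIONAL)
                .build();

        Server server = NettyServerBuilder.forPort(8443)
                .sslContext(sslContext)
                // Placeholder service classes; the public one gets no interceptor.
                .addService(new PublicServiceImpl())
                // Only the strict service is wrapped, so the check is not keyed on a service-name switch.
                .addService(ServerInterceptors.intercept(new AdminServiceImpl(), new RequireClientCert()))
                .build()
                .start();
        server.awaitTermination();
    }
}
```

Attaching the interceptor with `ServerInterceptors.intercept` to the one service that needs it keeps the decision declarative: there is no per-call branch on `getMethodDescriptor().getServiceName()` to get wrong when a third service is added later. The interceptor only has to handle the "no certificate presented" case; a certificate that is presented but not chained to `client-ca.crt` is rejected by the configured trust manager during the handshake, so it never reaches the interceptor.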