request authorization with grpc (failure status code)

Maxim Dounin mdounin at
Wed Jul 3 01:17:12 UTC 2019


On Tue, Jul 02, 2019 at 11:19:54AM -0400, bmacphee wrote:

> I have an nginx configuration that passes gRPC API requests to other
> services, with an authorization endpoint that is used in conjunction.
> This works great when authorization is successful (my HTTP1 authorization
> endpoint returns HTTP 2xx status codes).
> When authorization fails (it returns 401), the gRPC connection initiated by
> the client receives a gRPC Cancelled(1) status code, rather than what would
> be ideal for the client - an Unauthorized (16) status code.  The status
> message appears to be populated by nginx indicating the 401 failure.
> Is there a way to control the status code returned to the gRPC channel
> during failed auth?
> I tried and failed at doing this with the below configuration.  Any non-200
> code returned by the auth failure handling results in the same cancelled
> status code even after trying to set the status code manually.  If I
> override the return with a 200 series code, it treats authorization as
> successful (which is also bad).


>     # attempt to customize grpc error code
>     proxy_intercept_errors on;
>     error_page 401 /grpc_auth_fail_page;
>   }
>   # attempt to customize grpc error code
>   location = /grpc_auth_fail_page {
>     internal;
>     grpc_set_header grpc-status 16;
>     grpc_set_header grpc-message "Unauthorized";
>     return 401;

The "grpc_set_header" directive controls headers sent to the 
backend server with grpc_pass.  In your setup you need to control 
headers returned to the client, so you have to use "add_header" 
instead.  Or, given that gRPC uses trailers as long as there is a 
response body, you may have to use "add_trailer".

Additionally, gRPC requires error code 200 for all responses.  
That is, you may have to use something like

    error_page 401 = /grpc_auth_fail_page;

    location = /grpc_auth_fail_page {
        return 200 "";
    }

to return status code 200.

Maxim Dounin
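
The two points of the reply combined into one server block, as an added example that is not part of the original thread or the poster's configuration. It assumes the authorization check is done with auth_request; the upstream names, ports, the /_auth location and the /authorize path are hypothetical.

```nginx
# Added example; upstream names, ports and paths are assumptions.
upstream grpc_backend { server 127.0.0.1:50051; }  # hypothetical gRPC service
upstream auth_backend { server 127.0.0.1:8080; }   # hypothetical HTTP/1 auth service

server {
    listen 50052 http2;  # cleartext HTTP/2 for gRPC clients

    location / {
        # Subrequest to the auth endpoint: 2xx allows, 401/403 denies.
        auth_request /_auth;

        # The "=" replaces the 401 with whatever status the handler
        # location returns (200 here), as the reply suggests.
        error_page 401 = /grpc_auth_fail_page;

        grpc_pass grpc://grpc_backend;
    }

    location = /_auth {
        internal;
        proxy_pass http://auth_backend/authorize;
        # The auth service only needs the request headers.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location = /grpc_auth_fail_page {
        internal;
        # gRPC clients expect this content type on every response.
        default_type application/grpc;

        # add_header (not grpc_set_header) sets headers sent to the client.
        # The body is empty, so the status goes in the response headers;
        # with a response body, add_trailer would be used instead.
        add_header grpc-status 16;
        add_header grpc-message "Unauthorized";

        return 200 "";
    }
}
```

Without the "=" in error_page, the client still receives HTTP 401, and add_header without the "always" parameter is not applied to a 401 response.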
