In TLS mutual authentication, I am aware that ClientAuth(io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth to be precise) has three modes:
But say I have two gRPC service definitions. For the first one I do not want any authentication, and for the second one I do want strict, required authentication. How do I do this?
Should the server then be configured for 'Optional' mode, with an interceptor required to validate the client certificate based on the service being accessed by the client? If yes, then this does seem comparatively heavy, and it also leaves more room for error.
(Perhaps the previous paragraph makes me sound like a lazy person who is outsourcing his security work to someone else :p, but I am just trying to find out the best possible way to achieve this functionality and re-use existing frameworks instead of redoing it.)
Originally asked as a question here but have not received any response so far.
Answering my own question:
As mentioned in the comments, @SanP did respond on the GitHub issue and suggested the following:
The best thing to do is to bind these services to different ports so you can configure TLS/mTLS for each of those services as per your logic.
I agree with this and had wound up doing the same before he responded. It is always good to get confirmation from multiple sources.
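What the two-port layout looks like with grpc-netty-shaded, as an added example that is not code from the original question or from the gRPC project: one listener terminates ordinary one-way TLS (`ClientAuth.NONE`) for the service that needs no client identity, and a second listener terminates mutual TLS (`ClientAuth.REQUIRE`) for the service that must only be reachable by clients holding a certificate issued by the client CA. The service implementations `PublicServiceImpl` and `AdminServiceImpl`, the port numbers and the PEM file names are assumptions for illustration; the two `*Impl` classes stand for whatever `*ImplBase` subclasses your generated protobuf stubs produce.

```java
import java.io.File;
import java.io.IOException;

import io.grpc.BindableService;
import io.grpc.Server;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;

/**
 * Two listeners, two TLS policies, no per-request certificate checking code.
 * Added example; PublicServiceImpl and AdminServiceImpl are hypothetical
 * implementations of two protobuf-generated services.
 */
public final class SplitPortServer {

    // One-way TLS: the server proves its identity, the client is never asked for a certificate.
    static SslContext serverOnlyTls(File certChain, File privateKey) throws IOException {
        return GrpcSslContexts.forServer(certChain, privateKey)
                .clientAuth(ClientAuth.NONE)
                .build();
    }

    // Mutual TLS: the handshake itself fails unless the client presents a certificate
    // that chains to clientCa, so an unauthenticated caller never reaches a handler.
    static SslContext mutualTls(File certChain, File privateKey, File clientCa) throws IOException {
        return GrpcSslContexts.forServer(certChain, privateKey)
                .trustManager(clientCa)
                .clientAuth(ClientAuth.REQUIRE)
                .build();
    }

    // Each port gets exactly one SslContext and exactly the services that policy covers.
    static Server listen(int port, SslContext tls, BindableService service) throws IOException {
        return NettyServerBuilder.forPort(port)
                .sslContext(tls)
                .addService(service)
                .build()
                .start();
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names; the server key/cert pair can be shared by both listeners.
        File certChain = new File("server.pem");
        File privateKey = new File("server-key.pem");
        File clientCa = new File("client-ca.pem");

        Server open = listen(8443, serverOnlyTls(certChain, privateKey), new PublicServiceImpl());
        Server strict = listen(9443, mutualTls(certChain, privateKey, clientCa), new AdminServiceImpl());

        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            open.shutdown();
            strict.shutdown();
        }));
        open.awaitTermination();
        strict.awaitTermination();
    }
}
```

Because `REQUIRE` is enforced in the handshake, the strict service needs no interceptor at all to decide whether a client is authenticated; the only thing left to get right operationally is to never register the strict service on the open port, and to expose the mTLS port only where it belongs (for example by binding it with `NettyServerBuilder.forAddress(...)` to an internal interface rather than `forPort`, and by firewalling it separately). If you later need finer-grained decisions on the mTLS port, such as checking a SAN or subject against the method being called, that is the point at which an interceptor reading the peer certificate from the transport attributes becomes appropriate, on top of, not instead of, the `REQUIRE` handshake policy.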