gRPC service reflection auth

Hi! We are super excited to see gRPC service reflection launch! Unfortunately it seems the reflection call is not passing the configured authentication headers. Not sure if this is a bug or just an oversight.

We have the reflection service behind the same auth as the rest of our services (which I think is pretty common). Would it be possible to run the configured auth workflow before the reflection call?

Thank you!

3 Likes

Hey @rob_mart!

At the moment this isn't supported but it is something on the team's radar. I can let you know here when it is!

awesome, thank you!

Hey @rob_mart! As of 3.10.0, gRPC reflection requests should include metadata. Can you let me know if this still isn't the case for you on that version?

Hi, this still isn't sufficient as far as I can tell. We need the authentication workflow to run, which it seems it does not? We are on 3.10.1 if that helps.

Interestingly, if you manually compose the query it does seem to work. However, for development purposes, there is no autocomplete / list of methods to call available. So the auth headers might work on the actual query, but in order for it to be useful they would also need to run throughout the IDE. (Test connection for the resource also fails.)

Friendly ping on this, this is a pretty big blocker for us.

Hi @rob_mart, sorry for such a late reply here. Will try and let you know when gRPC requests support full auth flows!

Hi, any updates here? This is becoming more and more of a challenge for us, so we are considering moving certain workflows off Retool.

Hi Rob! I am investigating this but I see that we do pass auth context in metadata in reflection calls. I assume you have this configured to be passed in metadata and have run the Test Auth Workflow (custom auth) or OAuth flow to populate variables.

As an aside, does your test connection fail? Test connection fetches the schema using reflection under the hood. Is there an easy way for us to repro the issue at our end? That would be super helpful.

Hey, thanks for looking at this! Testing it initially fails, but if I first test the auth workflow and then test the connection it will work.

When trying to actually use the resource, I'm actually seeing the following error:

Error: Error fetching schema: request to http://localhost:3002/api/getSchema failed, reason: socket hang up
    at /retool_backend/bundle/main.js:2323:99918
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

This results in no schema being fetched, which makes it impossible to actually select a service / rpc.

Also, if I don't explicitly trigger auth, it also seems to start with just "no schema".

So maybe the auth issue has now been fixed, but there is still something wrong with reflection. For context we use many other tools with reflection (such as grpcui) with no issues, so it seems to be something on the Retool side.

I can't find any other relevant logs as to why the getSchema is failing, but happy to check things if you have any ideas.

I should also add that everything works as expected with the same configuration sans reflection.

Sorry, to clarify, is your Retool on-prem (i.e. you're not using Retool cloud)? Could you try passing CA certificates in the resource configuration? We added a fix for our certificates to a yet unreleased version but this will be fixed in the next version (I can find the exact version soon).

Upload CA Certificate below: