Auth-services, certificates, IdPs, and issuer?

In Configure authorization services, the Canton docs describe how to assign a certificate for verification of JWTs:

  ledger-api {
    auth-services = [{
      // type can be
      //   jwt-rs-256-crt
      //   jwt-es-256-crt
      //   jwt-es-512-crt
      type = jwt-rs-256-crt
      // we need a certificate file (abcd.cert)
      certificate = ${JWT_CERTIFICATE_FILE}
    }]
  }

I would have expected an issuer = ..... field in this configuration, or maybe an identity_provider_id. For example, the Ledger API’s IdentityProviderConfig message allows one to configure JWKS-based verification with an issuer field:

  final case class IdentityProviderConfig(
      identityProviderId: IdentityProviderId.Id,
      isDeactivated: Boolean = false,
      jwksUrl: JwksUrl,
      issuer: String,
      audience: Option[String],
  )

Questions:

  • For locally installed certificate-based verification, should the JWT’s iss field be “” (empty), or is it ignored?
  • What is the connection between IdP configuration and the auth-services configuration?
  • Am I confused about the big picture? Or has cert-based verification simply not caught up with newer configuration features?

auth-services controls how JWTs are verified (algorithm, local cert or JWKS, audience/scope), while IdentityProviderConfig is a higher-level layer for multi-identity-provider setups that use JWKS and iss/aud to route tokens to the right IdP. When you use a locally installed certificate (jwt-*-crt), you’re effectively using only the default identity provider, so the JWT’s iss claim is either ignored or treated as the default IdP and can be empty/omitted. You’re not missing anything conceptually; cert-based verification just predates the newer multi-IdP configuration and normally serves the default IdP, whereas extra IdPs are configured dynamically via IdentityProviderConfig and JWKS.
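To make the relationship in the answer concrete, here is an added example (my own code, not Canton's or the Ledger API's) that models the dispatch between the static auth-services entry (local certificate, default IdP) and dynamically configured IdentityProviderConfig entries (JWKS, matched on iss/aud). It only decides which identity provider would verify a given token; the actual signature check is left to whatever verifier that IdP uses. The routing rules, the use of an empty string as the default identity provider id, and the sample tokens are assumptions made for the demo, not a description of Canton's internal code:

```python
# Added example (not Canton's code): models how a Ledger API JWT is routed
# between the default identity provider (auth-services, local certificate)
# and dynamically configured IdentityProviderConfig entries (JWKS, iss/aud).
# Signature verification is delegated to the selected IdP's verifier; this
# code implements only the dispatch that the answer above describes.
from __future__ import annotations

import base64
import json
from dataclasses import dataclass
from typing import Optional

# Assumption: the Ledger API represents the default identity provider with an
# empty identity_provider_id; tokens served by the local certificate land here.
DEFAULT_IDP_ID = ""


@dataclass(frozen=True)
class AuthService:
    """Static auth-services entry (jwt-*-crt); serves the default IdP."""
    type: str             # e.g. "jwt-rs-256-crt"
    certificate: str      # path to the PEM certificate (placeholder in the demo)


@dataclass(frozen=True)
class IdentityProviderConfig:
    """Mirrors the fields of the Ledger API IdentityProviderConfig message."""
    identity_provider_id: str
    jwks_url: str
    issuer: str
    audience: Optional[str] = None
    is_deactivated: bool = False


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWT into (header, claims) WITHOUT checking the signature.

    Only used to read iss/aud for routing; the selected verifier must still
    validate the signature before any claim is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed demo token with a placeholder signature (never accept one)."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), _b64url_encode(b"placeholder-signature")])


def route_token(token: str, default: AuthService,
                idps: list[IdentityProviderConfig]) -> str:
    """Return the identity provider id that would verify this token.

    Assumed routing, following the answer above rather than Canton's source:
      * a non-deactivated IdP whose issuer equals the token's iss and whose
        audience (if set) appears in the token's aud claim wins;
      * anything else falls through to the default IdP, which verifies with
        the local certificate from auth-services and ignores iss entirely.
    """
    _, claims = decode_unverified(token)
    iss = claims.get("iss")
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else ({aud} if aud else set())
    for idp in idps:
        if idp.is_deactivated or iss is None or idp.issuer != iss:
            continue
        if idp.audience is not None and idp.audience not in aud_set:
            continue
        return idp.identity_provider_id
    assert default.type.startswith("jwt-") and default.type.endswith("-crt")
    return DEFAULT_IDP_ID


if __name__ == "__main__":
    default = AuthService(type="jwt-rs-256-crt", certificate="abcd.cert")
    idps = [IdentityProviderConfig("idp-a", "https://idp-a.example/jwks",
                                   "https://idp-a.example", audience="ledger")]
    token = make_unsigned_token({"alg": "RS256", "typ": "JWT"}, {"sub": "alice"})
    print("no iss ->", repr(route_token(token, default, idps)))   # default IdP
```

Run it as a script to see a token without iss land on the default IdP; the routing function is what a practitioner would swap for real JWKS and certificate verifiers, keeping the same iss/aud dispatch in front.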