Auth-services, certificates, IdPs, and issuer?

In Configure authorization services, the Canton docs describe how to assign a certificate for verification of JWTs:

  ledger-api {
    auth-services = [{
      // type can be
      //   jwt-rs-256-crt
      //   jwt-es-256-crt
      //   jwt-es-512-crt
      type = jwt-rs-256-crt
      // we need a certificate file (abcd.cert)
      certificate = ${JWT_CERTIFICATE_FILE}
    }]
  }

I would have expected an issuer = ..... field in this configuration or maybe an identity_provider_id. For example, the Ledger API’s IdentityProviderConfig message allows one to configure JWKS-based verification with an issuer field:

  final case class IdentityProviderConfig(
      identityProviderId: IdentityProviderId.Id,
      isDeactivated: Boolean = false,
      jwksUrl: JwksUrl,
      issuer: String,
      audience: Option[String],
  )

Questions:

  • For locally installed certificate-based verification, should the JWT’s iss: field be “”, or is it ignored?
  • What is the connection between IdP configuration and the auth-services configuration?
  • Am I confused about the big picture? Or has cert-based verification simply not caught up with newer configuration features?