Authentication & Authorization workflow

Hi,

I am wondering if you support OpenID Connect, because I don’t find this information in the documentation.
I mean on the UI side, it’s clear the dev efforts are on our side, but what about the other components from the DA tech stack (JSON & Ledger API)?

Thanks a lot!

2 Likes

The authentication and authorization is a concern that needs to be addressed by specific ledger implementations.

The DAML Ledger Integration Kit has an API that needs to be implemented. This API includes an authorization service, which exposes a claim-based system that can be plugged in with whatever authorization system you want.

The sandbox includes the possibility of being set up so that calls to the Ledger API server in front of it will be authorized based on signed JSON Web Tokens. This mechanism does not prescribe anything else and leaves a lot to the operator that wants to use a secure sandbox as its main driver against an identity provider.

DABL uses a similar approach but rolls the authentication system along with it, allowing for an easier experience.

The sandbox does not include an integration to OpenID Connect. I’ll let people more familiar with DABL speak in that regard, as I’m not knowledgeable enough about it to give you a reliable answer.

Regarding other ledger implementations, you should ask the integration maintainer and/or the ledger operator to understand what options you have regarding authentication and authorization.

2 Likes

The only thing you really need to supply a DAML SDK component is the JWKS endpoint, which is available via an OpenID Connect Well-Known Configuration link.

As an example, if you were using Google Auth to authenticate your component, you can find Google’s OIDC configuration here (https://accounts.google.com/.well-known/openid-configuration) and their JWKS URI here under the key jwks_uri (which is https://www.googleapis.com/oauth2/v3/certs). The latter link can be passed into the Sandbox configuration --auth-jwt-rs256-jwks.

4 Likes
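
Added example, not part of the original posts and not DAML project code: a Python sketch of the lookup described in the answer above, which reads `jwks_uri` from an OIDC discovery document, checks it before trusting it, and builds the `--auth-jwt-rs256-jwks` argument. The `idp.example.com` documents and all function names are constructed for illustration; a real deployment would fetch both documents over HTTPS.

```python
import json
from urllib.parse import urlparse

# Constructed sample documents (not fetched from any real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/oauth2/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "k1", "n": "constructed", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "kid": "k2", "crv": "P-256", "x": "constructed", "y": "constructed"},
]})


def jwks_uri_from_discovery(discovery_json, expected_issuer):
    """Return jwks_uri after checking the document is the one we expect."""
    doc = json.loads(discovery_json)
    # OIDC Discovery requires the issuer to match the one we asked for exactly.
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    # The sandbox flag named on this page is RS256-specific.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("provider does not advertise RS256")
    uri = urlparse(doc.get("jwks_uri", ""))
    # Keys fetched over plain HTTP could be swapped in transit.
    if uri.scheme != "https" or not uri.netloc:
        raise ValueError("jwks_uri must be an https URL")
    return uri.geturl()


def rs256_key_ids(jwks_json):
    """Return the kid of every key usable to verify RS256 signatures."""
    usable = []
    for key in json.loads(jwks_json).get("keys", []):
        is_rsa_sig = key.get("kty") == "RSA" and key.get("use", "sig") == "sig"
        if is_rsa_sig and key.get("alg", "RS256") == "RS256":
            usable.append(key.get("kid"))
    return usable


def sandbox_auth_flag(discovery_json, jwks_json, expected_issuer):
    """Build the --auth-jwt-rs256-jwks argument, or raise if unusable."""
    uri = jwks_uri_from_discovery(discovery_json, expected_issuer)
    if not rs256_key_ids(jwks_json):
        raise ValueError("JWKS has no RSA signing key")
    return "--auth-jwt-rs256-jwks=" + uri
```
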

For more resources regarding authentication and authorization in DAML, I can suggest this nice blog post on how to set up a secure sandbox with Auth0 by @Robert_Autenrieth and, in case you didn’t find them, a few documentation pages about how Ledger API authentication works on a DAML ledger:

2 Likes

Ah-ah, I didn’t know about this, looks like we do actually support more than what I thought just by following the JWT/JWKS standard. Thanks!

2 Likes

Thank you!
I will take a look.

1 Like

13 posts were split to a new topic: What is the JSON API token for and how do I handle rotating it?