Authentication Header not found after activating authentication on the Daml on SQL Driver

After using the --auth-jwt-rs256-jwks argument to activate authentication on the Daml Driver, I’m getting the following log messages:

INFO: Initialized DAML-on-SQL version 1.9.0 with ledger-id = ..., port = ..., dar file = List(...), time mode = wall-clock time, ledger = postgres, auth-service = AuthServiceJWT, contract ids seeding = strong

WARN: Authorization error: Authorization header not found

Can someone help me resolve the Warning?

1 Like

This also happens with the sandbox.

1 Like

This error arises if your ledger client does not set the Authorization field in the gRPC metadata. Which Ledger Client are you using? For things like daml script, navigator, … we provide an --access-token-file flag which you can use here.

1 Like

Is the health endpoint also protected? I.e. do I need a valid JWT to get a response from the health endpoint?

1 Like

No, the health endpoint does not require a JWT.

2 Likes

We are investigating which client might be the culprit. Thanks!

2 Likes

It looks like the reflection endpoint might require authorization, so if you call the healthcheck endpoint via grpcurl, this might cause issues.

1 Like

I don’t think it does; both health and reflection should be accessible without a JWT (looking at this code).

1 Like

That’s odd, I definitely get an error if I try to call the healthcheck endpoint via grpcurl and I have authorization enabled. I don’t really see what other services it could call besides healthcheck and reflection.

1 Like

Uh, then I must be looking at the wrong code. Apologies for the confusion.

1 Like

Does that mean I need a similar JWT to the one from the JSON API? i.e. no actAs, readAs, or admin claims? It just needs to have the proper structure and signature?

1 Like

That should definitely work. However, if that is required, I think there is a bug somewhere. You shouldn’t need authorization to call the healthcheck endpoint and I don’t think it makes sense for the reflection endpoint either.

1 Like

This turned out to be a bug which has since been fixed in the latest 1.11.0 snapshot as well as backported to version 1.10.2 of the Daml Driver for PostgreSQL.
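
For the reply above about clients that do not set the Authorization field in the gRPC metadata, here is an added example (not code from the thread or from the Daml project) that checks the contents of a token file before a client uses it and builds the metadata pair. It assumes the ledger expects a `Bearer ` prefix and selects its JWKS key by the `kid` header; the function names, the sample tokens and the `example-key-1` key id are hypothetical.

```python
import base64
import json
import time


def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _unseg(segment):
    """Decode an unpadded base64url JWT segment back into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def preflight(token, now=None):
    """List reasons an RS256/JWKS-configured ledger would reject this token.
    Structure only: the signature is not verified here."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if parts == [""]:
        return ["token is empty"]
    if len(parts) != 3 or not all(parts):
        return ["not a compact JWT (header.payload.signature)"]
    try:
        header, payload = _unseg(parts[0]), _unseg(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r, expected RS256" % header.get("alg"))
    if "kid" not in header:  # assumption: the JWKS lookup is keyed by kid
        problems.append("no kid in header to select a JWKS key")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token expired")
    return problems


def grpc_metadata(token):
    """Metadata pair a client attaches to each call (Bearer prefix assumed)."""
    return [("authorization", "Bearer " + token.strip())]


# Constructed samples: placeholder signature, hypothetical kid, no real claims.
GOOD = ".".join([_seg({"alg": "RS256", "typ": "JWT", "kid": "example-key-1"}), _seg({"exp": 4102444800}), "c2ln"])
BAD = ".".join([_seg({"alg": "HS256", "typ": "JWT"}), _seg({"exp": 1}), "c2ln"])
```

An empty list from `preflight` only means the token is structurally plausible; the ledger still verifies the signature against the JWKS keys.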