Commands to start Daml OAuth Middleware Service

Hello,
I am using the command below to start the Daml OAuth middleware, but it results in an error.

daml oauth2-middleware

Error: You must specify one of the --auth-jwt-* flags for token verification
Error: Environment variable DAML_CLIENT_ID AND DAML_CLIENT_SECRET must not be empty
Error: oauth-auth and oauth-token values must not be empty

Can you please provide the set of commands, in sequence, which I need to execute in order to start the OAuth middleware service?

Hi @Rocky. I don’t think there’s any other command you have to run in order to spin up the OAuth 2.0 Auth Middleware locally. All you have to do is pass in the flags and options on which your command errored out. You might want to have a look at the documentation for additional information about it.

Thanks Stefan for your response. I just wanted to know how I would set the environment variables DAML_CLIENT_ID and DAML_CLIENT_SECRET. Also, what would the oauth-auth and oauth-token values be? If you can provide the set of options which can be passed to daml oauth2-middleware, it would be really helpful.

With regards specifically to how to set environment variables, how you do it depends on the OS you are running on. You can see how to do it here, for example (the blog post seems to cover Linux, MacOS, and Windows).

The documentation I linked has a full example that uses a configuration file (instead of environment variables), as well as detailed explanations with regards to the meaning of the relevant configuration keys. Is there something about it that doesn’t work for you?

Understood, I can execute the command below to start the OAuth middleware.

daml oauth2-middleware \
  --callback https://example.com/auth/cb \
  --address localhost \
  --http-port 3000 \
  --oauth-auth https://oauth2-provider.com/auth_uri \
  --oauth-token https://oauth2-provider.com/token_uri \
  --auth-jwt-rs256-jwks https://example.com/.well-known/jwks.json

But what values should I use for the attributes oauth-auth, oauth-token and auth-jwt-rs256-jwks? I mean, what should the values of auth_uri, token_uri and jwks.json be?

It depends on your setup. You should consult the documentation for your provider with regards to what those endpoints are. For example, Auth0 has its own endpoints, which are documented here. I cannot really give you a specific answer, because it depends on your authentication provider.

One thing is not clear to me: if the Daml OAuth middleware is internally calling the provider service, as you said (for example Auth0 or any other IAM which also provides the access token), then what is the benefit of the OAuth middleware? Is it just a wrapper which provides the access token from another IAM or token service provider?

I want to understand the actual benefit of using Daml oAuth Middleware and the reason behind using the provider. Your quick response is highly appreciated.

This is explained in the documentation page for the Auth Middleware API. As the first paragraph says:

Daml ledgers only validate authorization tokens. The issuance of those tokens however is something defined by the participant operator and can vary significantly across deployments. This poses a challenge when developing applications that need to be able to acquire and refresh authorization tokens but don’t want to tie themselves to any particular mechanism for token issuance. The Auth Middleware aims to address this problem by providing an API that decouples Daml applications from these details. The participant operator can provide an Auth Middleware that is suitable for their authentication and authorization mechanism. Daml includes an implementation of an Auth Middleware that supports OAuth 2.0 Authorization Code Grant. If this implementation is not compatible with your mechanism for token issuance, you can implement your own Auth Middleware provided it conforms to the same API.

It’s about writing applications that are portable across environments by implementing the Auth Middleware API for your specific environment. Since OAuth 2.0 is quite a common standard, we decided to implement it ourselves and ship it with our SDK. It’s used by the Trigger Service to acquire and refresh tokens and depending on your setup you might want to decide to use it as well (or integrate directly with a specific IAM setup – losing the portability in the process, though).