I’m trying to use the Declarative Configuration feature and Authorization together.
The following works to demonstrate declarative configuration:
    canton.parameters.enable-alpha-state-via-config = yes
    canton.parameters.state-refresh-interval = 5s
    canton.participants.sandbox {
      alpha-dynamic {
        parties = [
          {party = "alice"}
          {party = "bob"}
        ],
        idps = [
          {identity-provider-id = "mockauth1", issuer = "http://localhost:8080/mockissuer1", jwks-url = "http://mockauth1:8080/mockissuer1/jwks"},
          {identity-provider-id = "mockauth2", issuer = "http://localhost:8081/mockissuer2", jwks-url = "http://mockauth2:8081/mockissuer2/jwks"},
        ],
        users = [
          {user = "Alice", primary-party = "alice", identity-provider-id = "mockauth1", rights = {act-as = ["alice"]}},
          {user = "Bob", primary-party = "bob", identity-provider-id = "mockauth2", rights = {act-as = ["bob"]}}
        ]
      }
    }
And this works to demonstrate authorization:
    canton.parameters.enable-alpha-state-via-config = yes
    canton.parameters.state-refresh-interval = 5s
    canton.participants.sandbox {
      ledger-api.auth-services = [
        {
          type = jwt-jwks
          url = "http://mockauth1:8080/mockissuer1/jwt"
        },
        {
          type = jwt-jwks
          url = "http://mockauth2:8080/mockissuer2/jwt"
        }
      ]
    }
But, if I try to use them together, the authorization seems to block the dynamic configuration:
    GrpcRequestRefusedByServer: PERMISSION_DENIED
    Request: Get(Id(mockauth1))
    category = GenericErrorCategory(Some(PERMISSION_DENIED),
    ERROR,None,true,-1,1),
    )
It feels like I need a way for the dynamic configuration to do its work without needing a JWT. But I might be confused about this.
Any suggestions for what to try next?