Disabling --auth-jwt-rs256-crt allows parties to view encrypted data?

tiw · June 2, 2022, 7:22pm

First I run,

java -jar daml-on-sql-1.18.1.jar --ledgerid=test --sql-backend-jdbcurl='jdbc:postgresql://localhost/test?user=<test_user>' --auth-jwt-rs256-crt rsa_cert.pem

And run various scripts that create a few a contract with a party with a valid jwt token.

When I log into navigator with a valid access-token-file I can view the contracts.

However, when I run

java -jar daml-on-sql-1.18.1.jar --ledgerid=test --sql-backend-jdbcurl='jdbc:postgresql://localhost/test?user=<test_user>'

With --auth-jwt-rs256-crt disabled I can still log into the navigator as a party and view the contracts.

Why is this the case? Shouldn’t the contracts be encrypted and therefore not viewable without a valid jwt access token? Or is all the data non-encrypted and therefore --auth-jwt-rs256-crt only affects then authentication layer? Or am I running some test or sandbox configuration without realizing it?

How does this behaviour compare to Canton or other ledgers?

cocreature · June 2, 2022, 7:25pm

The authorization via JWTs is purely an access control on the API. It does not affect what data is stored and how. So you can switch between authorization flags (including disabling authorization) without any issues.

Topic		Replies	Views
Authentication Header not found after activating authentication on the Daml on SQL Driver Questions	12	417	March 3, 2021
Unable to display ledgerId Questions daml	3	381	February 9, 2022
Does the LedgerAPI support encrypted JWTs (JWEs)? Questions ledger-api	1	226	March 24, 2022
Secure DAML Infrastructure – Part 2 – JWT, JWKS and Auth0 News blog	0	408	December 1, 2020
Secure DAML Infrastructure - PKI, JWT and all that News daml , ledger-api	2	377	October 22, 2020

Disabling --auth-jwt-rs256-crt allows parties to view encrypted data?

Related topics