Disabling --auth-jwt-rs256-crt allows parties to view encrypted data?

First I run,

java -jar daml-on-sql-1.18.1.jar --ledgerid=test --sql-backend-jdbcurl='jdbc:postgresql://localhost/test?user=<test_user>' --auth-jwt-rs256-crt rsa_cert.pem

And run various scripts that create a few contracts with a party with a valid JWT token.

When I log into navigator with a valid access-token-file I can view the contracts.

However, when I run

java -jar daml-on-sql-1.18.1.jar --ledgerid=test --sql-backend-jdbcurl='jdbc:postgresql://localhost/test?user=<test_user>' 

With --auth-jwt-rs256-crt disabled I can still log into the navigator as a party and view the contracts.

Why is this the case? Shouldn’t the contracts be encrypted and therefore not viewable without a valid JWT access token? Or is all the data non-encrypted and therefore --auth-jwt-rs256-crt only affects the authentication layer? Or am I running some test or sandbox configuration without realizing it?

How does this behaviour compare to Canton or other ledgers?

The authorization via JWTs is purely an access control on the API. It does not affect what data is stored and how. So you can switch between authorization flags (including disabling authorization) without any issues.

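A deployment check that follows from the answer above, as an added example that is not part of the original thread: because the JWT flags only gate the Ledger API, a ledger started without one serves any caller who can reach it, so it is worth auditing how each ledger process was launched. The process list is constructed sample input, and `--auth-jwt-hs256-unsafe` (a Daml flag documented as test-only) does not appear on the page.

```shell
#!/bin/sh
# Added example: flag daml-on-sql processes whose Ledger API auth is off or weak.
# Constructed sample input: "PID CMDLINE" lines modelled on the thread's commands.
SAMPLE_PS='101 java -jar daml-on-sql-1.18.1.jar --ledgerid=test --auth-jwt-rs256-crt rsa_cert.pem
102 java -jar daml-on-sql-1.18.1.jar --ledgerid=test
103 java -jar daml-on-sql-1.18.1.jar --ledgerid=dev --auth-jwt-hs256-unsafe=secret
104 java -jar unrelated-service.jar --port 8080'

# classify_cmdline CMDLINE -> prints not-ledger | open | weak | enforced
# Runs in a subshell so that disabling globbing (set -f) does not leak out.
classify_cmdline() (
    set -f    # command lines may contain ? or * (e.g. JDBC URLs)
    case "$1" in
        *daml-on-sql*) ;;
        *) echo "not-ledger"; exit 0 ;;
    esac
    verified=no
    unsafe=no
    for arg in $1; do
        case "$arg" in
            --auth-jwt-hs256-unsafe|--auth-jwt-hs256-unsafe=*) unsafe=yes ;;
            --auth-jwt-*) verified=yes ;;   # covers --auth-jwt-rs256-crt
        esac
    done
    if [ "$unsafe" = yes ]; then echo "weak"        # shared plaintext secret
    elif [ "$verified" = yes ]; then echo "enforced"
    else echo "open"                                # no JWT check on the API
    fi
)

# audit_ps: read "PID CMDLINE" lines on stdin and print "PID verdict"
# for every ledger process that is open or weak.
audit_ps() {
    while read -r pid cmd; do
        verdict=$(classify_cmdline "$cmd")
        case "$verdict" in
            open|weak) echo "$pid $verdict" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_PS" | audit_ps
```

On a live host the same function can be fed from `ps -eo pid,args`; the contract data itself is unaffected by the verdict.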