Does the LedgerAPI support encrypted JWTs (JWEs)?

Hi all,

The JWTs used by the system in question hold sensitive data (outside of claims required by Daml). Therefore the IAM that produces the JWTs encrypts them.

Is it possible for the LedgerAPI to decrypt the JWE before verifying the signature, or does that need to happen further upstream? Or would you argue that the scope of the JWTs should be narrower, and no other claims outside of Daml-specific ones should be present?

Thanks!

In principle a Ledger API implementation can support encrypted JWTs, as authorization is outside of the scope of the Ledger API definition. To the best of my understanding, Canton and other DA-developed implementations do not provide this feature. I’m not sure whether something like this is currently on the road map for any such implementation.

As you suggested in your question, you can easily solve this by having the payload decryption happen in a proxy in front of the Ledger API.

In principle, I believe our direction is that of making sure that Ledger API implementations we are building can accept tokens that don’t need to be minted specifically for a Daml application and that can be used across one or more organizations (see the new user management feature and how it uses standard claims instead of Daml-specific ones), so the scope of the JWT can be as large as you want.

More specifically though, the answer depends on your threat model. Do you trust the Ledger API server (and its operator) with the information stored on the token?

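
The proxy-side decryption suggested in the answer above, as an added example that is not part of the thread or of any Daml or Canton code. It assumes a compact JWE with `alg: dir` and `enc: A256GCM`, a 32-byte key shared between the IAM and the proxy, and a signed JWT as the encrypted payload; the function names are hypothetical. Signature verification of the inner token stays with the Ledger API.

```javascript
// Added example: JWE-unwrapping step for a proxy in front of the Ledger API.
// Assumptions (not from the thread): compact JWE, alg "dir", enc "A256GCM",
// and a 32-byte key shared between the IAM and the proxy.
const crypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Returns the inner signed JWT (JWS) carried inside the JWE, or throws.
function unwrapJwe(compact, key) {
  const parts = compact.split('.');
  if (parts.length !== 5) throw new Error('not a compact JWE');
  const [hdrB64, encKey, ivB64, ctB64, tagB64] = parts;
  const hdr = JSON.parse(Buffer.from(hdrB64, 'base64url').toString('utf8'));
  // Pin the algorithms; never let the token header choose them.
  if (hdr.alg !== 'dir' || hdr.enc !== 'A256GCM') throw new Error('unexpected alg/enc');
  if (encKey !== '') throw new Error('"dir" must carry an empty encrypted key');
  const iv = Buffer.from(ivB64, 'base64url');
  const tag = Buffer.from(tagB64, 'base64url');
  if (iv.length !== 12 || tag.length !== 16) throw new Error('bad IV or tag length');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(hdrB64, 'ascii')); // AAD is the encoded protected header
  decipher.setAuthTag(tag);
  // final() throws if the header, ciphertext or tag was modified.
  const inner = Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64url')), decipher.final()]).toString('utf8');
  if (inner.split('.').length !== 3) throw new Error('payload is not a signed JWT');
  return inner;
}

// Test helper standing in for the IAM: wraps a signed JWT in a JWE.
function wrapJwe(innerJws, key) {
  const hdrB64 = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM', cty: 'JWT' }));
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(hdrB64, 'ascii'));
  const ct = Buffer.concat([cipher.update(innerJws, 'utf8'), cipher.final()]);
  return [hdrB64, '', b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

// Constructed sample: placeholder inner token; a real one carries an IAM signature.
const SAMPLE_KEY = crypto.randomBytes(32);
const SAMPLE_JWS = [b64u('{"alg":"RS256"}'), b64u('{"sub":"alice"}'), b64u('constructed-signature')].join('.');

// In the proxy, the unwrapped token replaces the bearer value sent upstream.
function rewriteAuthorization(headerValue, key) {
  const m = /^Bearer (\S+)$/.exec(headerValue || '');
  if (!m) throw new Error('missing bearer token');
  return 'Bearer ' + unwrapJwe(m[1], key);
}
```

Whether the proxy is an acceptable place to see the plaintext claims is the same threat-model question raised in the answer: the proxy operator now holds the decryption key.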