Findings about user management and JWT

kctam · March 16, 2022, 6:22am

Hi team,

I am testing the two types of JWTs per document here.

The user access token is working well.

When I tried the Custom Daml claims access tokens, I found that the applicationId becomes significant and is linked to the userId.

Below is my findings. I am using the daml new project the sample Daml code, using Sandbox, script Main:setup, and JSON-API for testing.

if I used this

{
   "https://daml.com/ledger-api": {
     "ledgerId": null,
     "participantId": "sandbox",
     "applicationId": null,
     "admin": false,
     "actAs": ["Alice::1220a0ca8969b5cdef3572e27ee6ca6cd227efb85fc4e289b1971590fc2520b4f6ba"]
   },
   "exp": 1963027803
}

I got this error

{
    "errors": [
        "This user token contains no applicationId/userId"
    ],
    "status": 401
}

From the error message it seems applicationId is relevant to userId.

Then I tried to use the userId (alice and bob) on applicationId, that is, alice and bob. It works fine even without the actAs. I also tried to use charlie which is not a valid userId, then I received this error message.

{
    "errors": [
        "NOT_FOUND: USER_NOT_FOUND(11,0): list user rights failed for unknown user \"charlie\""
    ],
    "status": 404
}

Is this a design intent linking the userId to applicationId? It seems this is not what’s described in the doc.

Many thanks in advance.

kc

stefanobaghino-da · March 16, 2022, 8:27am

We’re in a transition phase in which we are slowly moving towards using user tokens over claim tokens (with the latter still staying for the foreseeable future).

My recommendation is to use user tokens if you can and fall back to claim tokens only if you really have to.

If for any reason you need to work in an environment where the IAM needs to issue claim tokens but your ledger supports user tokens, than yes: we will use the applicationId as the userId in this circumstance. Ideally this should only be a transition and the IAM should align itself with the new user management feature that got into Daml 2.0.

The new format doesn’t have custom claims and by using standard ones we hope it to be easier to deal with. In particular, it allows to fine tune user access control on the ledger without unloading the weight on the IAM by requiring very complex tokens.

Would you mind pointing me at the documentation page you found confusing and/or misleading? Happy to have a look and see if we can improve it.

kctam · March 16, 2022, 9:02am

Thanks @stefanobaghino-da for your prompt reply.

I agree that using user token is much better. The document I mentioned is more about applicationId (link) relevant to userId. If it is just in transition, then it should be ok.

Thanks again.

kc

stefanobaghino-da · March 16, 2022, 1:12pm

Are you using the Ledger API directly or through the HTTP JSON API?

kctam · March 16, 2022, 1:58pm

For this test I’m using JSON-API.

stefanobaghino-da · March 16, 2022, 1:59pm

Ok, then a clarification: what I said applies specifically to the HTTP JSON API, not the Ledger API.

Topic		Replies	Views
Application-id as user-id required in executing script with authorization Questions daml	4	207	March 31, 2022
JWT auth questions Questions daml , sdk	4	483	April 27, 2021
JWT payload needs participantId? New to Daml	1	253	July 14, 2022
Token for user management Questions ledger-api	1	150	April 29, 2022
Claims in JWT for multi-party submission using JSON API Questions daml , json-api	7	470	April 14, 2021

Findings about user management and JWT

Related Topics