I enabled the authorization between the HTTP JSON API process and the ledger API, such as daml-on-fabric. The daml API is bootstrapped with the --access-token-file flag. I know it is for the communication with daml-on-fabric. When I use Postman, for example, to access the service (e.g., /v1/parties) provided by the daml API, I get errors like “missing Authorization with OAuth 2.0 Bearer Token”. How could I produce a token that can access the daml API with this setting? Thanks.
Hi @gzuhlwang, I’ve split your question from Issue enabling TLS for DAML JSON Api into a separate thread so we can focus on the individual issues separately.
Cool, thanks for your quick reply. The generated token will be used for accessing the daml API. Well, I also do not know how to generate a token for accessing the daml ledger when running daml-on-fabric with authentication enabled; right now I use the one provided in the daml-on-fabric repo.
There are two parts to this question:
- The `--access-token-file` option that you pass to `daml json-api`. This is only used by the JSON API itself to request packages from the ledger. You only need this if you enabled authorization on the ledger, so daml-on-fabric in your case.
- The tokens used by users to make requests to the JSON API. Those need to be passed in the `Authorization` header in the form `Bearer <yourjwthere>`. You can find more information at https://docs.daml.com/json-api/index.html#choosing-a-party. For the `listParties` endpoint you need an `admin: true` claim in your token.
The JSON API itself does not validate tokens so if your ledger is running without authorization, you can sign your token with an arbitrary secret or key using for example https://jwt.io/ as described in the documentation linked above.
If your ledger is running with authorization it depends on how you configured it. I’m not too familiar with Fabric here but for DAML on SQL, authorization is commonly done using the `--auth-jwt-rs256-jwks` option which points to a JWKS endpoint listing valid signing keys. The Ledger will then accept any token signed by one of those keys. “Easy authentication for your distributed app with DAML and Auth0” describes how you can use this with Auth0.
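As an added illustration of the second part of the answer (not code from the thread or from the DAML project): building a JWT that carries the DAML ledger API claims including `admin: true`, placing it in the `Authorization: Bearer` header, and checking its signature the way the ledger (not the JSON API) would. The HS256 shared secret, ledger id, application id and party name are constructed sample values; HS256 with an arbitrary secret only makes sense when the ledger itself runs without authorization, as the answer notes.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_daml_token(ledger_id: str, application_id: str, act_as: list,
                    admin: bool, secret: str) -> str:
    """Build an HS256-signed JWT with the DAML ledger API claim namespace.

    `admin: True` is the claim the listParties endpoint (/v1/parties) needs.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"https://daml.com/ledger-api": {
        "ledgerId": ledger_id, "applicationId": application_id,
        "actAs": act_as, "admin": admin}}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorization_header(token: str) -> dict:
    """The header every JSON API request must carry."""
    return {"Authorization": "Bearer " + token}


def verify_signature(token: str, secret: str) -> bool:
    """What the ledger does and the JSON API does not: check the HS256 signature."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def decode_claims(token: str) -> dict:
    """Return the payload without checking the signature (the JSON API's view)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    tok = make_daml_token("sandbox", "postman", ["Alice"], True, "sample-secret")
    print(authorization_header(tok))
    print(decode_claims(tok), verify_signature(tok, "sample-secret"))
```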
Thanks for your clear reply. daml-on-fabric provides a similar option, --auth-jwt-rs256-crt. I will follow the link and provide further feedback if possible.
From my user experience, the JSON API itself does not validate the correctness of tokens, but one must be provided. So, what’s the best practice for securely deploying the daml API in production? Right now, any user can access the daml JSON API. If I misunderstand, please correct me.
The JSON API does not validate tokens, it passes them on to the ledger which validates the tokens if you enabled authorization. So the token is being validated, just not by the JSON API directly.
I see. I just disabled the ledger authentication. I will try it. Thanks a lot.