How to set authentication on production not sandbox environment?

Now, I have learned how to create a token on the sandbox. To generate tokens for testing purposes, use the jwt.io web site, with:

{
   "https://daml.com/ledger-api": {
     "ledgerId": "aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "participantId": null,
     "applicationId": null,
     "admin": true,
     "actAs": ["Alice"],
     "readAs": ["Bob"]
   },
   "exp": 1300819380
}

But how do I create a token on a production (not sandbox) environment? And how do I set the data?


This is a great question.

@Robert_Autenrieth wrote a blog post a few months ago titled “Easy authentication for your distributed app with DAML and Auth0”. It details how to generate tokens using Auth0 as the identity management service. This should help you create tokens that are specific to parties.

If you’d like to use a different token issuer, you’ll need to read the appropriate documentation. We chose Auth0 because we find it quite easy to use, but anything that generates JWT tokens should work. You just need a way of connecting someone’s ID in another system (whether it’s their email address, their internal corporate username, or something else) to a party name, and a JWKS endpoint to verify the token.

Because authentication is handled by the Ledger API, which is common to all DAML ledgers, I would expect the same logic to work regardless of which ledger you end up choosing. However, there will most likely be differences in how authentication endpoints are configured.

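The issuer described in the answer above (map an external identity to a party, sign a JWT with the Ledger API claim shown in the question, and let the ledger verify it) as an added, self-contained example that is not code from the thread, Auth0 or the DAML project. It assumes an HS256 shared secret for brevity where a real issuer would publish an RS256 key via JWKS; the identity-to-party mapping, ledger id and secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: the identity-to-party mapping, ledger id and HS256
# secret are illustrative, not values from a real deployment.
USER_TO_PARTY = {"alice@example.com": "Alice", "bob@example.com": "Bob"}
LEDGER_ID = "ledger-id-placeholder"
SIGNING_SECRET = b"hs256-secret-placeholder"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_ledger_token(email, ttl_seconds=3600, now=None):
    """Map an external identity (here an email) to a party and sign the claims."""
    party = USER_TO_PARTY.get(email)
    if party is None:
        raise PermissionError("no party mapped for " + email)
    now = int(time.time()) if now is None else now
    payload = {
        "https://daml.com/ledger-api": {
            "ledgerId": LEDGER_ID,
            "participantId": None,
            "applicationId": None,
            "admin": False,            # end users never get the admin flag
            "actAs": [party],
            "readAs": [party],
        },
        "exp": now + ttl_seconds,
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + _b64url(_sign(signing_input))

def verify_ledger_token(token, now=None):
    """The checks a ledger performs before trusting actAs/readAs from a token."""
    head_b64, body_b64, sig_b64 = token.split(".")   # ValueError if malformed
    if json.loads(_unb64url(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse algorithm confusion
    if not hmac.compare_digest(_sign(head_b64 + "." + body_b64), _unb64url(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64url(body_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    claims = payload["https://daml.com/ledger-api"]
    if claims.get("ledgerId") != LEDGER_ID:
        raise ValueError("token issued for a different ledger")
    return claims
```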

Thanks @SamirTalwar. Does that mean the “Authentication” and “Authorization” happen earlier than the DAML code? So I need to authenticate the user before requesting the DAML API?

That’s correct. When you turn on authentication, a user will need to be authenticated as a party to query the active contracts, or to create a new contract. DAML code itself is always evaluated in the context of a party, so the ledger needs to know who you are in order to do anything.

Even if you don’t have an authentication provider set up, all actions still need to be in the context of a party, as this affects which contracts you can see, as well as how you sign any new contracts. When using create-daml-app or similar client-facing logic, this is handled by allowing you to simply type your party name, so you can act as any party.