JWT Proxy recommendations

Is there a recommended JWT Proxy out there?

We cannot change the customer’s OAuth2 provider and need to inject claims as well as support m2m token refresh. Seems like a JWT proxy/reverse proxy makes sense, but I may be wrong.

And how does the new auth middleware fit here?

Per

1 Like

The new auth middleware tries to bridge between an auth provider that provides tokens that are already in the format expected by the ledger (meaning atm the JWTs you’re used to with the corresponding claims) and components like the trigger service which should not be tied to a specific auth provider. It does not bridge the gap between an auth provider that provides different tokens and the ledger which expects a different token format.

I don’t have any personal experience here but let me ask around and get back to you.

1 Like

Do you mean AuthProvider_A issues a token like:

{
  "administrator": true,
  "application": "foobar",
  "user": "Alice",
  "services": [
    "MyLedger"
  ]
}

and we would have a bridge which would turn this into:

{
  "https://daml.com/ledger-api": {
    "ledgerId": "MyLedger",
    "applicationId": "foobar",
    "actAs": ["Alice"],
    "admin": true
  }
}
1 Like

Exactly.

I found this one: GitHub - eclipse/che-jwtproxy.
And some of the code in GitHub - digital-asset/ex-secure-daml-infra (Reference example of a secure Ledger deployment using mTLS and JWT tokens) might do some of this too.

1 Like

I am the author of the ref app (ex-secure-daml-infra). It doesn’t specifically address this (the translation of claims). It might be possible to use a service like Auth0 to do this for you but I have not looked into this. Effectively the proxy also needs to be a JWT signer itself as the ledger would be configured to trust the proxy and the proxy the original source of tokens.

Auth0 and others might allow you to map authentication from the source into Auth0, including claims, and then use Rules to map the claims to the new format.

1 Like

Yes, Auth0 is a no-brainer; we cannot modify the initial token provider, so we need to modify it in flight.
Going to try with GitHub - eclipse/che-jwtproxy.

1 Like