Multiple IAMs

Is there a way to specify multiple JWKS endpoints when starting a Daml Driver?

Assuming that users are split across two IAMs that are signing the JWTs with their respective keys - can I get such a scenario to work?


You can only specify one JWKS endpoint. If you have multiple JWKS endpoints, you need to merge them into a single JWKS endpoint somehow.

How exactly you do that depends a bit on your setup:

  • Services like auth0 provide some functionality for that afaik but the details vary so refer to your specific IAM for details.
  • If you have disjunct key ids or you don’t use key ids, I believe you can write a relatively simple service that provides the union of all keys.
  • If you have overlapping key ids, I think you might be out of luck. You could try hosting two keys with the same key id (the spec says the “should” be different not “must” be different) but I have no idea if our tooling accepts this, I doubt it. Otherwise, you are probably stuck with reissuing tokens from a combined IAM which allows users to exchange tokens from one of the existing IAMs for a new one.