Multiple IAMs

Darko · April 9, 2021, 7:58am

Is there a way to specify multiple JWKS endpoints when starting a Daml Driver?

Assuming that users are split across two IAMs that are signing the JWTs with their respective keys - can I get such a scenario to work?

cocreature · April 9, 2021, 10:13am

You can only specify one JWKS endpoint. If you have multiple JWKS endpoints, you need to merge them into a single JWKS endpoint somehow.

How exactly you do that depends a bit on your setup:

Services like auth0 provide some functionality for that afaik but the details vary so refer to your specific IAM for details.
If you have disjunct key ids or you don’t use key ids, I believe you can write a relatively simple service that provides the union of all keys.
If you have overlapping key ids, I think you might be out of luck. You could try hosting two keys with the same key id (the spec says the “should” be different not “must” be different) but I have no idea if our tooling accepts this, I doubt it. Otherwise, you are probably stuck with reissuing tokens from a combined IAM which allows users to exchange tokens from one of the existing IAMs for a new one.

Topic		Replies	Views
Multiple authorization types on a ledger-api Questions ledger-api	2	167	October 5, 2022
TLS required for accessing jwks, but other than that non-encrypted communication Questions	4	489	March 8, 2021
A contract has two signers. I want to archive the contract through JsonAPI. How should the token be assembled? Questions	12	298	February 3, 2023
Auth0 - multiple audiences in access token Features & Bugs ledger-api , jwt , auth	2	873	March 27, 2023
JWT auth questions Questions daml , sdk	4	514	April 27, 2021