Onboarding a new participant and using audience based JWT for user management

The audience based JWT tokens require the audience to be https://daml.com/jwt/aud/participant/someParticipantId, however the participant id is known only after the participant node is brought up. For instance, if I have a config like

participants {
  hooli {
    ....
  }
}

I initially assumed that hooli is the participant id and set up my identity provider to give this audience to tokens: https://daml.com/jwt/aud/participant/hooli. However, Canton expects the full participant id that has some hash in the end.

I am confused about how to configure my identity provider, since I don’t know the participant id until it is brought up. I am thinking that I will have to dynamically set up the identity provider after the participant joins. Can someone help me figure this out?

You’re completely right that it is difficult to set up authorization for that. That’s why Daml 2.6.1 added a new feature where you can instead configure the audience that the participant validates your token against.

The configuration looks something like this:

canton {
  participants {
    participant {
      ledger-api {
        auth-services = [{
          type = jwt-rs-256-jwks
          url = "https://example.com/.well-known/jwks.json"
          target-audience = "https://example.com"
        }]
      }
    }
  }
}
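As an added example that is not part of either post, the check that the participant's auth service performs on the `aud` claim, written in Python with HS256 signing from the standard library so it runs offline. The real setup in the answer above uses RS256 tokens verified against keys fetched from a JWKS URL; that key-fetching flow is not reproduced here, only the claim validation. The secret, the hash suffix on the participant id, and the user names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Tuple, Union

# Constructed values for the example. A real deployment configures
# jwt-rs-256-jwks and the identity provider signs with an RSA key.
SECRET = b"example-hs256-secret"
# Audience of the form Canton derives from the participant id; the hash
# suffix after "::" is a placeholder, not a real participant id.
PARTICIPANT_ID_AUDIENCE = "https://daml.com/jwt/aud/participant/hooli::1220PLACEHOLDERHASH"
# Audience as set via ledger-api.auth-services[].target-audience.
TARGET_AUDIENCE = "https://example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user: str, audience: Union[str, List[str]], ttl: int = 300, now=None) -> str:
    """Issue a token the way an identity provider would: sub = Daml user id, aud = audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "aud": audience, "exp": now + ttl, "iat": now}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, expected_audience: str, now=None) -> Tuple[bool, str]:
    """Return (True, user id) when the token is valid for expected_audience, else (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Verify the signature before trusting any claim.
    expected_sig = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    payload = json.loads(_b64url_decode(p))
    # RFC 7519 allows aud to be a single string or an array of strings.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch: " + json.dumps(audiences)
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if not payload.get("sub"):
        return False, "missing sub (user id)"
    return True, payload["sub"]


if __name__ == "__main__":
    # With target-audience configured, a token minted for the identity provider's
    # fixed audience is accepted; one minted for the participant-id audience is not.
    print(validate_token(mint_token("alice", TARGET_AUDIENCE), TARGET_AUDIENCE))
    print(validate_token(mint_token("alice", PARTICIPANT_ID_AUDIENCE), TARGET_AUDIENCE))
```

The point of `target-audience` is visible in the last two lines: the identity provider can be configured once with a fixed audience string, and the participant compares `aud` against that string rather than against an id that only exists after the node starts.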