TLS required for accessing JWKS, but other than that non-encrypted communication

Assume the following:

  • I want to run a Daml Driver without encryption when it comes to communication with clients.
  • I want to have Authentication activated on the Daml Driver using the --auth-jwt-rs256-jwks argument.
  • The endpoint providing the JWKS requires a TLS connection.

Is there a way for me to start the Daml Driver such that it uses TLS to collect the JWKS but not use TLS for communication with the clients?
Or do I have to use a reverse proxy for this scenario?


The TLS options accepted by the Daml Driver for PostgreSQL and most other ledgers only affect the gRPC connection. The connection to the JWKS endpoint is completely independent of that. If you want an HTTPS connection, specify an HTTPS url for the JWKS endpoint. So simply don’t specify any TLS parameters and specify an HTTPS url for the JWKS endpoint and you should get what you want.


Thanks. One correction to the last assumption:

  • The endpoint providing the JWKS requires a mutual TLS (mTLS) connection.

How about now? :)


Good question. There is no CLI flag for that. The JWKS connection is made via UrlJwkProvider from auth0's jwks-rsa-java library (jwks-rsa-java/UrlJwkProvider.java at commit a60fe38b17b72a269051274e053d0c8de1376b73 in auth0/jwks-rsa-java on GitHub).

AFAIK, you can set the client certificate and potential password via the following two JVM properties:

-Djavax.net.ssl.keyStore=client.p12
-Djavax.net.ssl.keyStorePassword=certpwd

However, I’ve not tried that myself since I don’t have a JWKS setup that requires mutual TLS (mTLS).

It does seem a bit odd to require this; I’m not quite sure what you are protecting against here. The JWKS endpoint only contains public keys and no confidential data. Limiting access seems only useful to protect against DDoS or something like that, and for that mTLS seems like the wrong solution.

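As an added illustration that is not part of this thread and not Daml's or auth0's code, the following stdlib-only Python reproduces the two halves of what --auth-jwt-rs256-jwks relies on: fetching the JWKS over TLS (with an optional client certificate for the mTLS case, the Python counterpart of the javax.net.ssl.keyStore and keyStorePassword properties above) and verifying an RS256 token against the published keys by kid. The JWKS URL and certificate paths, the demo key built from the Mersenne primes 2^521-1 and 2^127-1 (trivially factorable, present only so the example runs offline), and the claim layout are all assumptions made for the example.

```python
# Added example, not Daml's or auth0's code: fetch a JWKS over TLS/mTLS and
# verify an RS256 JWT against it, mirroring what --auth-jwt-rs256-jwks needs.
import base64
import hashlib
import hmac
import json
import ssl
import urllib.request

# DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mtls_context(ca_pem=None, client_cert_pem=None, key_password=None):
    """TLS context for the JWKS fetch. Loading a client cert/key PEM here is the
    Python analogue of -Djavax.net.ssl.keyStore / keyStorePassword on the JVM."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, password=key_password)
    return ctx

def fetch_jwks(url, ctx):
    """A JWKS holds only public keys, so TLS buys authenticity, not secrecy:
    a spoofed JWKS means attacker-chosen signing keys, hence HTTPS is mandatory."""
    if not url.startswith("https://"):
        raise ValueError("JWKS must be fetched over HTTPS")
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)

def pkcs1v15_sha256_em(message, k):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(message), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too small for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input, n, d):
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1v15_sha256_em(signing_input, k), "big")
    return pow(m, d, n).to_bytes(k, "big")

def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1v15_sha256_em(signing_input, k))

def public_key_from_jwk(jwk):
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA JWK")
    if any(f in jwk for f in ("d", "p", "q", "dp", "dq", "qi")):
        raise ValueError("JWKS must not carry private key material")
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))

def verify_jwt(token, jwks):
    """Return the claims of an RS256 JWT signed by a key in jwks, else raise."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # refuses alg=none and HS256 key confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("no unique key for kid %r" % header.get("kid"))
    n, e = public_key_from_jwk(matches[0])
    if not rs256_verify((h_b64 + "." + p_b64).encode(), b64url_decode(s_b64), n, e):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))

def make_jwt(claims, kid, n, d):
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

# Constructed demo key from the Mersenne primes 2^521-1 and 2^127-1 (assumption
# for this example only): trivially factorable, never a real signing key.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
DEMO_JWKS = {"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "demo-key-1",
    "n": b64url_encode(N.to_bytes((N.bit_length() + 7) // 8, "big")),
    "e": b64url_encode(E.to_bytes(3, "big")),
}]}
# Claim layout is an assumption for the example, not a statement of Daml's token format.
DEMO_CLAIMS = {"sub": "alice", "https://daml.com/ledger-api": {"ledgerId": "demo", "actAs": ["Alice"]}}

def demo_token(kid="demo-key-1"):
    """Token as an issuer holding the demo private key would mint it."""
    return make_jwt(DEMO_CLAIMS, kid, N, D)

# Live use (assumed paths): jwks = fetch_jwks("https://issuer.example/.well-known/jwks.json",
#                                            mtls_context("ca.pem", "client.pem"))
# and then verify_jwt(presented_token, jwks).
```

The gRPC listener needs no TLS for any of this to work: the only transport that matters for the keys is the HTTPS fetch, and the server certificate check in that fetch is what stops an attacker from substituting their own JWKS. The client certificate is an extra the issuer may demand, not something the verifier gains anything from, which matches the remark above that mTLS on a public-key endpoint protects nothing confidential.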

Thanks a lot @cocreature.

Agreed, mTLS seems unnecessary here. I am primarily interested in what options are available.