Token to be used when allocating a new party

Hi,
I am building a mini project using daml, I still not get an overview on how my user can signup to my app and allocate party after they signup using auth0. Here is what I am confused about. Hoping I can get help :slight_smile:

  1. Done setup an M2M on auth0
  2. what token I will use to call /allocate/party using JSON API?
  3. Was it token of userAdmin party that I defined in DAML?
  4. From my understanding the token generated by Auth0 is the one I will use on this payload when calling /v1/parties/allocate
    {
    “identifierHint”: ,
    “displayName”:
    }
  5. I am also confused on what value I will placed on JWKS to confirm the token

My ledger is already hosted on daml hub.

Thank you and looking forward on your response :slight_smile:

1 Like

Hi @ariscatan ,

On Daml Hub, there are two ways to onboard a user to your application:

The Recommended Way

When you create a ledger on Daml Hub, that ledger gets an ID.

image

Anyone that knows that Ledger ID can get a party on that ledger by logging into Daml Hub supplying that ledger id. This is done by navigating to https://login.projectdabl.com/auth/login?ledgerId=${ledgerId} ad then reading out cookies. The full login flow for this is demonstrated in the create-daml-app template: daml/LoginScreen.tsx.template at 93c07f41fadf9c446ff6bf9c51381f7e2946653f · digital-asset/daml · GitHub

The advantage of this method is that the user controls their party and you just use Daml Hub’s authenitcation system Auth0 to log in. No need for you to authenticate users.

The Other Way

Daml Hub allows you as a ledger operator to manually allocate parties and create “Service Accounts” for them. Using that mechanism you can control all party identities, issue JWT access tokens for them, etc. and thus put your own auth system in front of Daml Hub.

Unless you have very good reasons for doing so, I would not recommend it. It’s much more difficult and goes against the ethos of distributed ledgers.

4 Likes

Hi @bernhard, many thanks for the in detail post!

I was wondering… is there a way to login to a daml hub deployed application as the UserAdmin?

I made a specific UI which is meant to be used only by the user admin to approve new users inside my app. I don’t want the useradmin to have to go to the DAML Hub console to do this, it would be ideal for me to have a way to assign a UserName and Password that I can give to my userAdmin so that they can sign in to my app and approve new users from the custom UI I made.

Many thanks,

You can do that with with the Service Accounts I mentioned. if you want a simple username/password login without going via Hub’s Auth0, you are for all intents and purposes integrating your own IAM system.

I advise against that route for both security and complexity reasons. If I understand you correctly, you’d be exchanging a secure OAuth2 login flow with a static username/password combo validated by the application. And you’d be doing so for one of the most powerful roles - the user admin.
As for complexity, integrating your own IAM system requires you to build a constantly running backend component that can exchange a token from your IAM system for a token from Hub’s IAM system. It would need to be authenticated with Hub through a Service Account, and keep refreshing its access at least every 30 days.

1 Like

To add on to what @bernhard has said, a Service Account seems like the best option here. You may allocate a service account credential tied to the UserAdmin party, and share the credential to your admin user.

In your frontend code, you’ll add a login form that accepts the SA Credential and issues a call to to the SA Login endpoint: https://hub.daml.com/docs/api/#operation/saLogin

With JavaScript fetch, the code may look like this:

function saLogin(cred) {
  return fetch('/.hub/v1/sa/login', {
    method: 'POST',
    headers: {
      Authorization: 'Basic ' + btoa(cred),
    },
  })
    .then(response => response.json())
    .then(json => json.access_token);
}

(Note that for Basic auth, you must encode the credential in base64 for safety)

That resulting json.access_token will be a JWT for the UserAdmin ledger party, which can then be used to authenticate to ledger API calls

2 Likes