Unable to display ledgerId

Frankie · February 4, 2022, 5:56am

Hi there, after upgrade to 1.18.0 the authentication token stopped working. When trying to call showLedgerId, I got the following error on the Daml_Ledger_API side.

2022-02-04T06:08:00,892,+0000|WARN ||c.d.l.a.a.AuthServiceJWT$|ForkJoinPool-5-worker-6|||||Authorization error: Could not verify JWT token: com.auth0.jwk.SigningKeyNotFoundException: Cannot obtain jwks from url *****jwks url*****||
2022-02-04T06:08:00,894,+0000|WARN ||c.d.l.a.a.Authorizer|program-resource-pool-14|||||UNAUTHENTICATED(6,0): The command is missing a JWT token|{participantId: "p28b71c03_f3f5_45e0_b059_ba8b73b75bf2", err-context: "{location=ErrorFactories.scala:436}"}|

And error messages from the caller are

16:19:54.442 [main] ERROR a.c.a.t.util.ConnectionManager - [RESULT] Status{code=UNAUTHENTICATED, description=An error occurred. Please contact the operator and inquire about the request <no-correlation-id>, cause=null}
16:19:54.442 [main] ERROR a.c.a.t.util.ConnectionManager - [ERROR DESCRIPTION] java.util.concurrent.ExecutionException: io.grpc.StatusRuntimeException: UNAUTHENTICATED: An error occurred. Please contact the operator and inquire about the request <no-correlation-id>

Environment:
vmWare release 1.5
Daml SDK 1.18.0

cocreature · February 4, 2022, 7:45am

Is your JWKS server reachable from the machine your participant is running on?

Frankie · February 8, 2022, 11:00pm

We found the issue. The JWKS server tls certificate was not valid and causing the https call failure.

Just curious that if it is possible to add more error logging into the Ledger API layer? I’d assume that the Ledger API layer caught the exceptions as well but somehow not logged.

Marcin_Ziolek · February 9, 2022, 1:46pm

The error returned by the auth0 library class com.auth0.jwk.UrlJwkProvider is actually visible in the log snippet provided. It is returned when it is asked to resolve key on a dead jwks endpoint:

com.auth0.jwk.SigningKeyNotFoundException: Cannot obtain jwks from url *****jwks url*****

I doubt anything of interest happens outside of that call, so the only thing that could shed more light on this occurrence is to elevate the log-level of the com.auth0.jwk.UrlJwkProvider itself. This could be rather chatty though, and I would be reluctant to do that.

Topic		Replies	Views
JWKS URL not working Questions ledger-api	12	3872	October 18, 2021
Findings about user management and JWT Questions daml	5	248	March 16, 2022
Authentication Header not found after activating authentication on the Daml on SQL Driver Questions	12	417	March 3, 2021
Daml v2.0: Sandbox with authorization Questions daml	1	281	March 17, 2022
io.grpc.StatusRuntimeException: PERMISSION_DENIED with Java Bindings against Daml Hub Questions damlhub , grpc , ledger-api	2	459	March 21, 2023

Unable to display ledgerId

Related topics