Use Auth Middleware with Sandbox

Hi everyone!

In order to understand authorization with the Daml ledger, I would like to make a simple Daml app using the Auth Middleware.
Is it possible to do so? If yes, are there any resources that could help me with this?


It is definitely possible to do so.

Note that you don’t necessarily have to use an Auth Middleware implementation (like the OAuth 2.0 Middleware that ships with the SDK) to work with authorization.

There are two main cases when it comes to handling Ledger API authorization tokens:

  • you don’t need to hold on to a token: your Daml app can perform its duties by asking the user to give a token that will be used to serve the request. One good example from the SDK is the HTTP JSON API Service, which requires a token to be provided. The token will be used to allow the user to issue a command or, if querying, update the HTTP JSON API Service’s query store, before returning the result based on the updated state.
  • you need to hold on to a token: your Daml app needs to update its internal state continuously in order to function properly and needs to possibly refresh your token periodically. One example of such a case in the SDK is the Trigger Service, which needs to be running at all times since the processing of a trigger is started as an event happens on the ledger, not by a user or service that itself owns and manages a token. This is the case where building an application against the Auth Middleware helps (as you can imagine, that’s precisely what the Trigger Service does).

  1. Which of the two cases do you need to use in your app?
  2. If you indeed need to use the Auth Middleware, a good starting point would be its documentation. I’d be very happy to hear about any information you were looking for that you believe is missing from there.
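
The two token-handling cases from the answer above, as an added example that is not part of the original post or of the Daml SDK. The names `serve_with_caller_token`, `HeldToken` and the `refresh` callable are hypothetical stand-ins for whatever your app and token issuer expose, and the tokens are constructed samples.

```python
import base64
import json
import time


def jwt_expiry(token):
    """Read the `exp` claim (seconds since epoch) without verifying the signature.
    The client only uses it to schedule refreshes; the ledger side still verifies."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["exp"]


def serve_with_caller_token(headers, call_ledger):
    """Case 1: nothing is stored; the caller's bearer token serves one request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    return call_ledger(token)


class HeldToken:
    """Case 2: a long-running service keeps a token and renews it before expiry."""

    def __init__(self, access_token, refresh_token, refresh, leeway=30, clock=time.time):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh = refresh  # hypothetical: refresh_token -> (access, refresh)
        self._leeway = leeway    # renew this many seconds before `exp`
        self._clock = clock

    def current(self):
        # Refresh only when the held token is about to expire.
        if self._clock() >= jwt_expiry(self.access_token) - self._leeway:
            self.access_token, self.refresh_token = self._refresh(self.refresh_token)
        return self.access_token


def make_constructed_token(exp):
    """Constructed sample: a JWT-shaped string with a placeholder signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.constructed-signature"
```

In case 2 the refresh token is the long-lived secret, so it deserves the same storage protection as any other credential the service holds.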

Thank you for this answer.
My goal is to create a training for developers who want to create a project on Daml to have a global understanding of how Daml and Canton work and to use it as a basic template for any kind of project.

And for that I need the authorization part, which is something I don’t master at all.

I have already done a whole part with the HTTP JSON API, where indeed we use JWTs, but these JWTs are all built in the same way, so we only need to know the identifier of a party and we can pretend to be that party towards the ledger.

I would like to set up a system that manages these authorizations that is as basic as possible so that it is easy to understand.
I have looked at the documentation, but I must admit that I still have trouble understanding how it works.