
Authentication Header not found after activating authentication on the Daml on SQL Driver

App Development · 13 posts · 465 views · 14 likes · Last activity Mar 2021

Darko (OP)
Feb 2021

After using the --auth-jwt-rs256-jwks argument to activate authentication on the Daml Driver, I’m getting the following log messages:

INFO: Initialized DAML-on-SQL version 1.9.0 with ledger-id = ..., port = ..., dar file = List(...), time mode = wall-clock time, ledger = postgres, auth-service = AuthServiceJWT, contract ids seeding = strong

WARN: Authorization error: Authorization header not found

Can someone help me resolve the Warning?

Darko
Feb 2021

This also happens with the sandbox.

cocreature
Feb 2021

This error arises if your ledger client does not set the Authorization field in the gRPC metadata. Which Ledger Client are you using? For things like daml script, navigator, … we provide an --access-token-file flag which you can use here.

Darko
Feb 2021

Is the health endpoint also protected? I.e. do I need a valid JWT to get a response from the health endpoint?

stefanobaghino-da
Feb 2021

No, the health endpoint does not require a JWT.

Darko
Feb 2021

We are investigating which client might be the culprit. Thanks!

cocreature
Feb 2021

It looks like the reflection endpoint might require authorization, so if you call the healthcheck endpoint via grpcurl, this might cause issues.

stefanobaghino-da
Feb 2021

I don’t think it does, both health and reflection should be accessible without a JWT (looking at this code).

cocreature
Feb 2021

That’s odd, I definitely get an error if I try to call the healthcheck endpoint via grpcurl and I have authorization enabled. I don’t really see what other services it could call besides healthcheck and reflection.

stefanobaghino-da
Feb 2021

Uh, then I must be looking at the wrong code. Apologies for the confusion.

Darko
Feb 2021

Does that mean I need a similar JWT to the one from the JSON API? I.e. no actAs, readAs, or admin claims? It just needs to have the proper structure and signature?

cocreature
Feb 2021

That should definitely work. However, if that is required, I think there is a bug somewhere. You shouldn’t need authorization to call the healthcheck endpoint and I don’t think it makes sense for the reflection endpoint either.

cocreature
Mar 2021

This turned out to be a bug which has since been fixed in the latest 1.11.0 snapshot as well as backported to version 1.10.2 of the Daml Driver for PostgreSQL.
