
JWT auth questions

App Development · 5 posts · 579 views · 8 likes · Last activity Apr 2021

Tim (OP)
Apr 2021

Hi everyone,

Any pointers on how to make use of participantID, ledgerID, and applicationID in JWT authentication? The docs say these “restrict the validity of the token to the given ledger, participant, or application”.

I’m looking for the other half of the story. Ledger ID seems to come from the “Ledger Identification Service” - how’s that configured? Application ID I can’t find how to set, and Participant ID is something to do with the Party Management Service but again I’m having trouble finding an example of how you might set one.

Thanks!

nycnewman
Apr 2021

You can take a look at the ex-secure-daml-infra reference app. We set ApplicationID in that set of examples. The Ledger API will enforce that the JWT token values in the custom claim match the values set in the command (i.e. a submitted command must use the same Application ID as that defined in the authorization token). The specific values would be set in the Identity Manager used to create the JWT tokens.

Similarly, Ledger ID can be allowed to be set to a random value on startup, or you can set it as a parameter when you bring up a Ledger initially.

cocreature
Apr 2021

  1. Ledger ID configuration depends on the specific ledger. For Daml on SQL, there is a --ledgerid CLI parameter to set this.
  2. Application id is set on command submission by the user.
  3. Participant id is another parameter that depends on the specific ledger. On Sandbox, this is always sandbox-participant and not configurable.
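The two answers above describe the same check from both sides: the identity provider puts ledgerId, participantId and applicationId into the token's custom claim, and the Ledger API refuses a submission whose values do not match. The script below is an added example written for this thread, not code from the forum posters or from the Daml project. It assumes the claim layout documented for the Daml Ledger API (a `https://daml.com/ledger-api` object holding `ledgerId`, `participantId`, `applicationId`, `actAs`, `readAs`, `admin`), treats a `null` or absent field as "no restriction on that dimension", and uses a constructed HS256 secret purely so the example runs offline with the standard library. It first verifies the signature and expiry, then reports every mismatch between the token's restrictions and the ledger, participant and application a request is actually aimed at.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo secret; a real deployment verifies against the identity
# provider's signing key (typically RS256/ES256 via its JWKS), not a shared string.
SECRET = b"constructed-demo-secret-not-for-production"
DAML_CLAIM = "https://daml.com/ledger-api"   # custom-claim namespace assumed from the Daml docs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact JWT; stands in for the Identity Manager that issues tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check algorithm, signature and expiry before trusting any claim; raise ValueError otherwise."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")                 # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if "exp" in payload and payload["exp"] < time.time():
        raise ValueError("token expired")
    return payload


def check_scope(payload: dict, ledger_id: str, participant_id: str, application_id: str) -> List[str]:
    """Mirror the Ledger API rule: a non-null claim must equal the value the request uses.

    Returns a list of human-readable mismatches; an empty list means the token is valid
    for this ledger / participant / application combination.
    """
    claims = payload.get(DAML_CLAIM) or {}
    problems = []
    for name, actual in (("ledgerId", ledger_id),
                         ("participantId", participant_id),
                         ("applicationId", application_id)):
        restricted_to = claims.get(name)          # None / absent means "not restricted"
        if restricted_to is not None and restricted_to != actual:
            problems.append(f"{name}: token is restricted to {restricted_to!r}, request uses {actual!r}")
    return problems


def make_demo_token(secret: bytes = SECRET, ttl_seconds: int = 3600,
                    participant_id: Optional[str] = None) -> str:
    """Constructed sample token: pinned to one ledger and one application, any participant."""
    payload = {
        DAML_CLAIM: {
            "ledgerId": "demo-ledger",            # would match a --ledgerid value on Daml on SQL
            "participantId": participant_id,     # null: token usable on any participant
            "applicationId": "demo-app",         # must equal the applicationId in each submitted command
            "admin": False,
            "actAs": ["Alice"],
            "readAs": [],
        },
        "exp": int(time.time()) + ttl_seconds,
    }
    return sign_hs256(payload, secret)


if __name__ == "__main__":
    token = make_demo_token()
    claims = verify_hs256(token, SECRET)
    print("matching request:", check_scope(claims, "demo-ledger", "sandbox-participant", "demo-app"))
    print("wrong app:       ", check_scope(claims, "demo-ledger", "sandbox-participant", "other-app"))
```

The sandbox participant id used in the usage lines is the fixed `sandbox-participant` name mentioned in the answer above; because the demo token leaves `participantId` null, that dimension is never a reason for rejection, which is exactly the single-participant case where the id carries little information. Pinning `participantId` in the token only starts to matter once several participants share an identity provider.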
Tim
Apr 2021

Ok thanks, so with Participant ID, this is under the control of whatever party management service is in use by the particular ledger driver? Or is it the participant identifier, not Daml Party?

cocreature
Apr 2021

It’s a participant identifier not a Daml Party. The party management service allows you to figure out the participant id of the participant you are connecting to but it’s not a party itself (and arguably it could just as well be a separate service that provides this).

In a single participant setting, this is not a very useful identifier, but in a multi-participant setting it can be used to distinguish logical participants.
