
Authentication & Authorization workflow

App Development · 7 posts · 765 views · 13 likes · Last activity Jul 2020
novusoptOP
Jun 2020

Hi,

I am wondering if you support OpenID Connect, because I don't find this information in the documentation.
I mean on the UI side, that's clear, the dev efforts are on our side, but what about the other components from the DA tech stack (JSON & Ledger API)?

Thanks a lot!

stefanobaghino-da
Jun 2020

Authentication and authorization are a concern that needs to be addressed by specific ledger implementations.

The DAML Ledger Integration Kit has an API that needs to be implemented. This API includes an authorization service, which exposes a claim-based system that can be plugged in with whatever authorization system you want.

The sandbox includes the possibility of being set up so that calls to the Ledger API server in front of it will be authorized based on signed JSON Web Tokens. This mechanism does not prescribe anything else and leaves a lot to the operator that wants to use a secure sandbox as its main driver against an identity provider.

DABL uses a similar approach but rolls the authentication system along with it, allowing for an easier experience.

The sandbox does not include an integration to OpenID Connect. I’ll let people more familiar with DABL speak in that regard, as I’m not knowledgeable enough about it to give you a reliable answer.

Regarding other ledger implementations, you should ask the integration maintainer and/or the ledger operator to understand what options you have regarding authentication and authorization.

dtanabe
Jun 2020

The only thing you really need to supply a DAML SDK component is the JWKS endpoint, which is available via an OpenID Connect Well-Known Configuration link.

As an example, if you were using Google Auth to authenticate your component, you can find Google’s OIDC configuration here (https://accounts.google.com/.well-known/openid-configuration) and their JWKS URI here under the key jwks_uri (which is https://www.googleapis.com/oauth2/v3/certs). The latter link can be passed into the Sandbox configuration --auth-jwt-rs256-jwks.
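An added, offline illustration of the two steps described above (not code from the thread or from the DAML SDK): read jwks_uri out of an OIDC discovery document, then pick the RS256 signing key a token's kid points at, applying the checks a JWKS-backed verifier such as the sandbox relies on. The discovery document, JWKS and token below are constructed samples; signature verification itself is out of scope here.

```python
import base64
import json

# Constructed sample: a trimmed discovery document of the shape served at
# /.well-known/openid-configuration (Google's real one is linked in the thread).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://issuer.example",
    "jwks_uri": "https://issuer.example/oauth2/v3/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample JWKS, as jwks_uri would return it (moduli are placeholders, not real keys).
JWKS_DOC = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2020-06", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "enc-key", "n": "PLACEHOLDER", "e": "AQAB"},
]})

def jwks_uri_from_discovery(discovery_json: str) -> str:
    """Extract jwks_uri, insisting on https so keys cannot be swapped in transit."""
    uri = json.loads(discovery_json).get("jwks_uri")
    if not isinstance(uri, str) or not uri.startswith("https://"):
        raise ValueError("discovery document has no https jwks_uri")
    return uri

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def constructed_token(alg: str, kid: str) -> str:
    """Build a constructed JWT (header.payload.signature) for the examples below."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid}).encode())
    return header.rstrip(b"=").decode() + ".e30.c2ln"  # payload {} and a dummy signature

def select_rs256_key(jwks_json: str, token: str) -> dict:
    """Return the JWK to verify this token with, refusing anything that is not an RS256
    signing key: 'none' or HS* in the header, an unknown kid, or an encryption key."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if header.get("alg") != "RS256":
        raise ValueError(f"rejecting alg={header.get('alg')!r}; only RS256 is accepted")
    kid = header.get("kid")
    for jwk in json.loads(jwks_json)["keys"]:
        if jwk.get("kid") == kid and jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig":
            return jwk
    raise ValueError(f"no RSA signing key with kid={kid!r} in JWKS")

def rejects(jwks_json: str, token: str) -> bool:
    """True when select_rs256_key refuses the token; handy for checking the failure cases."""
    try:
        select_rs256_key(jwks_json, token)
        return False
    except ValueError:
        return True
```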

stefanobaghino-da
Jun 2020

For more resources regarding authentication and authorization in DAML, I can suggest this nice blog post on how to set up a secure sandbox with Auth0 by @Robert_Autenrieth and, in case you didn’t find them, a few documentation pages about how Ledger API authentication works on a DAML ledger:

stefanobaghino-da
Jun 2020
dtanabe:

The only thing you really need to supply a DAML SDK component is the JWKS endpoint, which is available via an OpenID Connect Well-Known Configuration link.

As an example, if you were using Google Auth to authenticate your component, you can find Google’s OIDC configuration here (https://accounts.google.com/.well-known/openid-configuration) and their JWKS URI here under the key jwks_uri (which is https://www.googleapis.com/oauth2/v3/certs). The latter link can be passed into the Sandbox configuration --auth-jwt-rs256-jwks.

Ah-ah, I didn’t know about this, looks like we do actually support more than what I thought just by following the JWT/JWKS standard. Thanks!

novusopt
Jun 2020

Thank you!
I will take a look.

anthony
Jul 2020

13 posts were split to a new topic: What is the JSON API token for and how do I handle rotating it?
