
Declarative configuration with authorization

App Development · 2 posts · 61 views · 3 likes · Last activity Dec 2025

WallaceKelly (OP)
Nov 2025

I’m trying to use the Declarative Configuration feature and Authorization together.

The following works to demonstrate declarative configuration:

canton.parameters.enable-alpha-state-via-config = yes
canton.parameters.state-refresh-interval = 5s

canton.participants.sandbox {

  alpha-dynamic {
    parties = [
      {party = "alice"}
      {party = "bob"}
    ],
    idps = [
      {identity-provider-id = "mockauth1", issuer = "http://localhost:8080/mockissuer1", jwks-url = "http://mockauth1:8080/mockissuer1/jwks"},
      {identity-provider-id = "mockauth2", issuer = "http://localhost:8081/mockissuer2", jwks-url = "http://mockauth2:8081/mockissuer2/jwks"},
    ],
    users = [
      {user = "Alice", primary-party = "alice", identity-provider-id = "mockauth1", rights = {act-as = ["alice"]}},
      {user = "Bob", primary-party = "bob", identity-provider-id = "mockauth2", rights = {act-as = ["bob"]}}
    ]
  }
}

And this works to demonstrate authorization:

canton.parameters.enable-alpha-state-via-config = yes
canton.parameters.state-refresh-interval = 5s

canton.participants.sandbox {

  ledger-api.auth-services = [
    {
      type = jwt-jwks
      url = "http://mockauth1:8080/mockissuer1/jwt"
    },
    {
      type = jwt-jwks
      url = "http://mockauth2:8080/mockissuer2/jwt"
    }
  ]
}

But, if I try to use them together, the authorization seems to block the dynamic configuration:

GrpcRequestRefusedByServer: PERMISSION_DENIED
  Request: Get(Id(mockauth1))
  category = GenericErrorCategory(Some(PERMISSION_DENIED),
  ERROR,None,true,-1,1),
)

It feels like I need a way for the dynamic configuration to do its work without needing a JWT. But I might be confused about this.

Any suggestions for what to try next?

Ratko_Veprek
Dec 2025

Yes. There was some security hardening. The declarative API actually works through the Ledger API, which means it needs to authenticate itself. It uses an internally generated, short-lived random token for this. Now, that token is short-lived but needs admin rights. So by default, these admin rights are turned off and need to be re-enabled if necessary:

canton.participants.ABC.ledger-api.admin-token-config.admin-claim = true
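Putting the reply together with the question, here is the combined configuration as an added example (not posted in the thread): the two fragments from the question merged into one participant block, with the admin-claim setting from the reply applied. It assumes the participant is named `sandbox`, as in the question; the mock issuer URLs are the ones the question uses.

```hocon
# Added example, not from the thread. Assumes the participant is named "sandbox".
canton.parameters.enable-alpha-state-via-config = yes
canton.parameters.state-refresh-interval = 5s

canton.participants.sandbox {

  # Ledger API authentication: callers must present a JWT that validates
  # against one of these JWKS endpoints.
  ledger-api.auth-services = [
    { type = jwt-jwks, url = "http://mockauth1:8080/mockissuer1/jwt" },
    { type = jwt-jwks, url = "http://mockauth2:8080/mockissuer2/jwt" }
  ]

  # The declarative (alpha-dynamic) configuration applies itself through the
  # Ledger API with an internally generated short-lived token. Once auth
  # services are enabled, that token is refused unless it carries the admin
  # claim, which is off by default, so it is re-enabled here.
  ledger-api.admin-token-config.admin-claim = true

  alpha-dynamic {
    parties = [
      {party = "alice"}
      {party = "bob"}
    ],
    idps = [
      {identity-provider-id = "mockauth1", issuer = "http://localhost:8080/mockissuer1", jwks-url = "http://mockauth1:8080/mockissuer1/jwks"},
      {identity-provider-id = "mockauth2", issuer = "http://localhost:8081/mockissuer2", jwks-url = "http://mockauth2:8081/mockissuer2/jwks"}
    ],
    users = [
      {user = "Alice", primary-party = "alice", identity-provider-id = "mockauth1", rights = {act-as = ["alice"]}},
      {user = "Bob", primary-party = "bob", identity-provider-id = "mockauth2", rights = {act-as = ["bob"]}}
    ]
  }
}
```

With this in place the `PERMISSION_DENIED` on `Get(Id(mockauth1))` from the question should no longer occur, since the internal token now carries the admin rights the declarative API needs.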
