
HTTP JSON API JWT Authentication


JWT Authentication and Authorization will be implemented on the Ledger side. The HTTP JSON API would not do any JWT validation by default. However, we provide functionality to override the default pass-through logic. Anyone customizing the HTTP JSON API can pass a validateJwt argument to com.digitalasset.http.HttpService#start: https://github.com/digital-asset/daml/blob/689d4d876ca168e0d680a9e24a3d23e53a22c6b4/ledger-service/http-json/src/main/scala/com/digitalasset/http/HttpService.scala#L44-L49

JWT pass-through is blocked by #2523 and also depends on #2540.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 11 (8 by maintainers)

Top GitHub Comments

1 reaction
gerolf-da commented, Aug 22, 2019

@darkedges: great questions, thank you. Let me put some more color to these statements:

Regarding not verifying the token in this layer: How we currently envision the Ledger API Authentication story to pan out is the following:

  • The operator of a ledger needs to integrate the ledger into some identity management system.
  • The Ledger API Server will provide a hook for the ledger operator to implement token validation. It is up to the ledger operator to do this as they see fit.
  • The High Level API (i.e. HTTP JSON API) currently simply operates just like any other ledger application and can be run by any user. Therefore it cannot do the actual validation (it doesn’t know the secret or the keys), but can only pass on the received token to the Ledger API Server, which will then do the validation.

On the topic of requiring unencrypted tokens, this is mostly a “restriction” for convenience in the experimental stage of the High Level API. We are aware that it is practice to put some claims into the unencrypted header.

This is mostly just a preview of what is to come in the next couple of weeks, as we spec out the Ledger API authentication story for the whole stack.
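The pass-through model laid out in the issue body and in gerolf-da's comment above (the HTTP JSON API parses the unencrypted token to read claims, verifies nothing because it holds no keys, and forwards the token to the Ledger API Server, with an optional validateJwt hook for operators who do hold the key) is shown below as an added example in Python. This is not code from the daml repository and not the Scala validateJwt hook itself; the function names (decode_unverified, hs256_validator, handle_request), the sample secret and claims, and the forged "alg: none" token are all constructed for the demonstration. The verifying hook is HS256 only, chosen because it runs offline with the standard library.

```python
"""Pass-through vs. verifying JWT hook for an HTTP front-end.

Added example, not code from the daml project. Models the design discussed
in the issue: the front-end only parses the token to read its claims and
forwards it unchanged; a verifying hook can be plugged in where this layer
does hold the key. All names, secrets and claims below are hypothetical.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict

Claims = Dict[str, Any]
Validator = Callable[[str], Claims]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that compact JWS serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: Any) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_token(claims: Claims, secret: bytes) -> str:
    """Mint an HS256 JWT. Only here to construct sample input offline."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def make_unsigned_token(claims: Claims) -> str:
    """Mint an 'alg: none' token with an empty signature (constructed attacker input)."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return parts


def decode_unverified(token: str) -> Claims:
    """Pass-through hook: read the claims from the unencrypted payload and
    verify nothing. A layer that does not hold the keys can do no more than
    this, so whatever it reads here is untrusted until the ledger validates."""
    header_b64, payload_b64, _ = _split(token)
    json.loads(_b64url_decode(header_b64))  # must at least be well-formed JSON
    return json.loads(_b64url_decode(payload_b64))


def hs256_validator(secret: bytes) -> Validator:
    """Build a verifying hook for deployments where this layer does hold the
    HMAC secret. Pins the algorithm before touching the signature, so an
    'alg: none' or RS256-labelled token is rejected outright."""
    def validate(token: str) -> Claims:
        header_b64, payload_b64, sig_b64 = _split(token)
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unsupported alg: %r" % header.get("alg"))
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(payload_b64))
    return validate


def handle_request(authorization: str, validate_jwt: Validator = decode_unverified) -> dict:
    """Front-end request path: pull the bearer token out of the Authorization
    header, run whichever hook is configured, and forward the ORIGINAL token
    unchanged so the ledger can perform its own validation."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    claims = validate_jwt(token)
    return {"claims": claims, "forwarded_authorization": authorization}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = make_hs256_token({"ledgerId": "sandbox", "party": "Alice"}, secret)
    print(handle_request("Bearer " + token)["claims"])
    print(handle_request("Bearer " + token, hs256_validator(secret))["claims"])
```

The point to take from the pass-through hook is that decode_unverified will happily return the claims of an "alg: none" token with an empty signature; that is by design for a layer without keys, and it is why the ledger must re-validate every token it receives rather than trust anything the front-end read from the payload.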

0 reactions
leo-da commented, Aug 26, 2019

See #2658


