Packages

package auth


Package Members

  1. package client
  2. package interceptor
  3. package services

Type Members

  1. trait AuthService extends AnyRef

    An interface for authorizing ledger API access to a participant.

    The AuthService is responsible for converting request metadata (such as the HTTP headers) into a ClaimSet. These claims are then used by the ledger API server to check whether the request is authorized.

    - The authorization information MUST be specified in the Authorization header.
    - The value of the Authorization header MUST start with the prefix "Bearer " (note the trailing space: the scheme and the token are separated by exactly one space, and the scheme is matched as written).
    - An AuthService implementation MAY use other headers when converting metadata to claims.

    For example, a participant could:
    - Ask all ledger API users to attach an Authorization header with a JWT as the header value.
    - Implement decodeMetadata() such that it reads the JWT from that header, validates the token, and converts the token payload to a ClaimSet.

  2. class AuthServiceJWT extends AuthService with NamedLogging

    An AuthService that reads a JWT from an "Authorization: Bearer <token>" HTTP header. The token is expected to use one of the formats defined in AuthServiceJWTPayload.
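    The header contract of AuthService and the decode step of AuthServiceJWT, as an added example written in Python rather than the package's Scala (it is not the project's own code). It pins the JWT algorithm, verifies the signature before reading any claim, enforces "exp", and maps the custom Daml claims onto a small ClaimSet. Assumptions: an HS256 shared secret stands in for the participant's configured verification key so the example runs offline, and the custom-claim namespace "https://daml.com/ledger-api" is taken from the Daml token format, not from this page.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Constructed for this example: an HS256 secret in place of the participant's
# real verification key (production deployments verify against the issuer's
# RSA/EC public keys instead).
SECRET = b"example-only-secret-do-not-deploy"
# Assumed namespace of Daml's custom claims (not named on the page).
DAML_NAMESPACE = "https://daml.com/ledger-api"
BEARER_PREFIX = "Bearer "  # the trailing space is part of the contract


class Unauthenticated(Exception):
    """Raised whenever the metadata cannot be turned into a valid ClaimSet."""


@dataclass(frozen=True)
class Claims:
    """A minimal ClaimSet.Claims: what the bearer may do, and until when."""
    admin: bool = False
    act_as: FrozenSet[str] = field(default_factory=frozenset)
    read_as: FrozenSet[str] = field(default_factory=frozenset)
    expiration: Optional[int] = None


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def bearer_token(headers: dict) -> str:
    """Header names match case-insensitively; the "Bearer " prefix does not."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise Unauthenticated("missing Authorization header")
    if not value.startswith(BEARER_PREFIX):
        raise Unauthenticated("Authorization value must start with 'Bearer '")
    token = value[len(BEARER_PREFIX):]
    if not token:
        raise Unauthenticated("empty bearer token")
    return token


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the signature before trusting the payload. The alg is pinned, so a
    header claiming "none" or another algorithm is rejected outright."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as e:  # bad segment count, bad base64 or bad JSON
        raise Unauthenticated(f"malformed JWT: {e}")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise Unauthenticated("unexpected or missing alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise Unauthenticated("signature mismatch")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as e:
        raise Unauthenticated(f"malformed payload: {e}")
    if not isinstance(payload, dict):
        raise Unauthenticated("payload is not a JSON object")
    return payload


def decode_metadata(headers: dict, now: int, secret: bytes = SECRET) -> Claims:
    """decodeMetadata(): request metadata -> ClaimSet. Every failure surfaces as
    Unauthenticated; a partially filled claim set is never returned."""
    payload = verify_hs256(bearer_token(headers), secret)
    exp = payload.get("exp")
    if exp is not None:
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            raise Unauthenticated("exp must be a NumericDate")
        if now >= exp:
            raise Unauthenticated("token expired")
    custom = payload.get(DAML_NAMESPACE) or {}
    if not isinstance(custom, dict):
        raise Unauthenticated("custom claims must be a JSON object")
    return Claims(
        admin=custom.get("admin") is True,
        act_as=frozenset(custom.get("actAs") or []),
        read_as=frozenset(custom.get("readAs") or []),
        expiration=exp,
    )


def mint_token(payload: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Test helper that issues a token (constructed here, not an issuer API);
    `alg` exists only so a token with a forged header can be built and rejected."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```

    A lower-case "bearer", a missing space after the scheme, a token signed under another key, a header with alg "none" and an expired token are all rejected with Unauthenticated; only a token that passes every check yields a Claims value.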

  3. sealed abstract class AuthServiceJWTPayload extends Product with Serializable

    All the JWT payloads that can be used with the JWT auth service.

  4. sealed abstract class AuthorizationError extends AnyRef
  5. final class Authorizer extends NamedLogging with TelemetryTracing

    A simple helper that allows services to use authorization claims that have been stored by com.digitalasset.canton.ledger.api.auth.interceptor.AuthorizationInterceptor.

  6. class CachedJwtVerifierLoader extends JwtVerifierLoader

    A JWT verifier loader where the public keys are fetched automatically from the given JWKS URL and turned into JWT verifiers.

    The verifiers are kept in a cache so that validating a token does not require a remote network access every time.

    The cache is limited both in size and in time. The size limit protects against unbounded memory consumption as new key IDs are seen. The time limit bounds how long a revoked key stays usable: a key used to sign a token that carries no expiration time, and then removed from the JWKS, would otherwise keep validating that token for as long as its cached verifier lived.
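    An added example (Python, not the project's code) of the two cache limits described above: an LRU size bound and a per-entry time-to-live, with a constructed JWKS endpoint that is mutated mid-run to simulate revoking a key. The JWKS holds symmetric "oct" keys purely so the example runs offline; the real loader builds verifiers from RSA/EC public keys. The class and function names are the example's own.

```python
import base64
import hashlib
import hmac
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class HmacVerifier:
    """Stand-in for a verifier built from one JWK (constructed, symmetric)."""
    kid: str
    key: bytes

    def verify(self, signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def _jwk_to_verifier(jwk: dict) -> Optional[HmacVerifier]:
    if jwk.get("kty") != "oct" or "kid" not in jwk or "k" not in jwk:
        return None
    k = jwk["k"]
    return HmacVerifier(jwk["kid"], base64.urlsafe_b64decode(k + "=" * (-len(k) % 4)))


class CachedJwtVerifierLoader:
    """One verifier per key ID, bounded by an LRU size limit and a TTL."""

    def __init__(self, fetch_jwks: Callable[[], dict], max_size: int,
                 ttl_seconds: float, clock: Callable[[], float]):
        self._fetch_jwks = fetch_jwks   # in production: HTTP GET of the JWKS URL
        self._max_size = max_size
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: "OrderedDict[str, Tuple[HmacVerifier, float]]" = OrderedDict()
        self.fetches = 0                # counts remote fetches, for observation

    def load(self, kid: str) -> Optional[HmacVerifier]:
        now = self._clock()
        cached = self._cache.get(kid)
        if cached is not None:
            verifier, loaded_at = cached
            if now - loaded_at < self._ttl:
                self._cache.move_to_end(kid)      # LRU: mark as recently used
                return verifier
            del self._cache[kid]  # TTL elapsed: re-fetch so a revoked key drops out
        verifier = self._fetch(kid)
        if verifier is None:
            return None           # unknown kid: nothing to cache
        self._cache[kid] = (verifier, now)
        while len(self._cache) > self._max_size:
            self._cache.popitem(last=False)       # size limit: evict least recently used
        return verifier

    def _fetch(self, kid: str) -> Optional[HmacVerifier]:
        self.fetches += 1
        for jwk in self._fetch_jwks().get("keys", []):
            if jwk.get("kid") == kid:
                return _jwk_to_verifier(jwk)
        return None


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def revocation_scenario() -> dict:
    """Constructed JWKS document, mutated to revoke the key; TTL is 60 s."""
    jwks = {"keys": [{"kty": "oct", "kid": "k1", "k": "c2VjcmV0LWsx"}]}  # k = "secret-k1"
    clock = FakeClock()
    loader = CachedJwtVerifierLoader(lambda: jwks, max_size=2, ttl_seconds=60, clock=clock)
    first = loader.load("k1")
    second = loader.load("k1")
    good_sig = hmac.new(b"secret-k1", b"header.payload", hashlib.sha256).digest()
    result = {
        "hit_does_not_refetch": loader.fetches == 1 and first is second,
        "accepts_valid_sig": first.verify(b"header.payload", good_sig),
        "rejects_bad_sig": not first.verify(b"header.payload", b"\x00" * 32),
    }
    jwks["keys"] = []                 # operator revokes k1 at the JWKS endpoint
    clock.advance(30)
    result["stale_within_ttl"] = loader.load("k1") is not None   # the window the TTL bounds
    clock.advance(31)
    result["gone_after_ttl"] = loader.load("k1") is None and loader.fetches == 2
    return result


def eviction_scenario() -> Tuple[int, bool]:
    """Three keys through a two-entry cache: the least recently used one goes."""
    jwks = {"keys": [{"kty": "oct", "kid": f"k{i}", "k": "c2VjcmV0LWsx"} for i in (1, 2, 3)]}
    loader = CachedJwtVerifierLoader(lambda: jwks, max_size=2, ttl_seconds=60, clock=FakeClock())
    for kid in ("k1", "k2", "k3"):
        loader.load(kid)
    return loader.fetches, ("k1" not in loader._cache and "k3" in loader._cache)
```

    Note the stale window: for up to one TTL after revocation the cached verifier still accepts tokens signed with the revoked key, which is exactly why the TTL must be chosen short enough for the deployment's revocation expectations. An unknown kid is not cached here, so every lookup of a bogus kid reaches the JWKS endpoint; a production loader should rate-limit those fetches.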

  7. sealed abstract class Claim extends AnyRef

    A claim is a single statement about what an authenticated user can do with the ledger API.

    Note: this ADT is expected to evolve in the future by adding new cases for more fine-grained claims. The existing cases should be treated as immutable in order to guarantee backwards compatibility for AuthService implementations.

  8. final case class ClaimActAsParty(name: Party) extends Claim with Product with Serializable

    Authorized to act as the given party, including:
    - Reading all data for the given party
    - Creating contracts on behalf of the given party
    - Exercising choices on behalf of the given party

  9. final case class ClaimReadAsParty(name: Party) extends Claim with Product with Serializable

    Authorized to read all data for the given party.

    Does NOT authorize to issue commands.

  10. sealed trait ClaimSet extends AnyRef
  11. final case class CustomDamlJWTPayload(ledgerId: Option[String], participantId: Option[String], applicationId: Option[String], exp: Option[Instant], admin: Boolean, actAs: List[String], readAs: List[String]) extends AuthServiceJWTPayload with Product with Serializable

    A JWT token payload constructed from custom claims specific to Daml ledgers.

    ledgerId

    If set, the token is only valid for the given ledger ID. May also be used to fill in missing ledger ID fields in ledger API requests.

    participantId

    If set, the token is only valid for the given participant ID. May also be used to fill in missing participant ID fields in ledger API requests.

    applicationId

    If set, the token is only valid for the given application ID. May also be used to fill in missing application ID fields in ledger API requests.

    exp

    If set, the token is only valid before the given instant. Note: this is the registered "exp" claim defined by the JWT specification (RFC 7519), not a Daml-specific claim.

    admin

    Whether the token bearer is authorized to use admin endpoints of the ledger API.

    actAs

    List of parties the token bearer can act as. May also be used to fill in missing party fields in ledger API requests (e.g., submitter).

    readAs

    List of parties the token bearer can read data for. May also be used to fill in missing party fields in ledger API requests (e.g., transaction filter).

  12. class IdentityProviderAwareAuthServiceImpl extends IdentityProviderAwareAuthService with NamedLogging
  13. trait IdentityProviderConfigLoader extends AnyRef
  14. trait JwtVerifierLoader extends AnyRef
  15. final case class StandardJWTPayload(issuer: Option[String], userId: String, participantId: Option[String], exp: Option[Instant], format: StandardJWTTokenFormat, audiences: List[String], scope: Option[String]) extends AuthServiceJWTPayload with Product with Serializable

    Payload parsed from the standard "sub", "aud", "exp" and "iss" claims specified in https://datatracker.ietf.org/doc/html/rfc7519#section-4.1

    issuer

    The issuer of the JWT.

    userId

    The user that is authenticated by this payload.

    participantId

    If not set, the user is authenticated for any participant node that accepts the JWT issuer; such a token is usable against every participant that trusts the issuer, so this is expected to be used for development only. If set, the user is authenticated only for the given participant ID.

    exp

    If set, the token is only valid before the given instant.

    audiences

    If non-empty and it is an audience-based token, the token is only valid for the intended recipients.

  16. sealed trait StandardJWTTokenFormat extends AnyRef

    There are two JWT token formats currently supported by StandardJWTPayload. The format is identified by the aud claim.

Value Members

  1. object AuthService
  2. object AuthServiceJWT
  3. object AuthServiceJWTCodec

    Codec for writing and reading AuthServiceJWTPayload to and from JSON.

    In general:
    - All custom claims are placed in a namespace field according to the OpenID Connect standard.
    - Access tokens use a Daml-specific scope to distinguish them from other access tokens issued by the same issuer for different systems or APIs.
    - All fields are optional in JSON for forward/backward compatibility reasons, where appropriate.
    - Extra JSON fields are ignored when reading.
    - Null values and missing JSON fields map to None or to a safe default value (if there is one).
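    The codec rules above, together with the StandardJWTPayload / StandardJWTTokenFormat entries under Type Members, as an added Python example (not the project's Scala codec). It reads either payload shape from JSON, applies the null/missing/extra-field rules, and picks the standard token format from the aud claim. Three constants are assumptions taken from the Daml token format rather than from this page: the custom-claim namespace "https://daml.com/ledger-api", the audience prefix "https://daml.com/jwt/aud/participant/" that marks an audience-based token, and the scope value "daml_ledger_api" that marks a scope-based one.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Union

# Assumed constants (see lead-in); the page names none of them.
DAML_NAMESPACE = "https://daml.com/ledger-api"
PARTICIPANT_AUDIENCE_PREFIX = "https://daml.com/jwt/aud/participant/"
DAML_SCOPE = "daml_ledger_api"


class StandardJWTTokenFormat(Enum):
    ParticipantId = "ParticipantId"  # audience-based: aud names the participant
    Scope = "Scope"                  # scope-based: a scope entry marks the token as ours


@dataclass(frozen=True)
class CustomDamlJWTPayload:
    ledgerId: Optional[str]
    participantId: Optional[str]
    applicationId: Optional[str]
    exp: Optional[int]
    admin: bool
    actAs: List[str]
    readAs: List[str]


@dataclass(frozen=True)
class StandardJWTPayload:
    issuer: Optional[str]
    userId: str
    participantId: Optional[str]
    exp: Optional[int]
    format: StandardJWTTokenFormat
    audiences: List[str]
    scope: Optional[str]


class PayloadDecodeError(ValueError):
    pass


def _opt_str(obj: dict, key: str) -> Optional[str]:
    """Missing or null -> None; a non-string is an error, never coerced."""
    value = obj.get(key)
    if value is None:
        return None
    if not isinstance(value, str):
        raise PayloadDecodeError(f"{key}: expected string")
    return value


def _str_list(obj: dict, key: str, allow_single: bool = False) -> List[str]:
    """Missing or null -> []. RFC 7519 lets "aud" be a single string, so that
    form is accepted only where allow_single is set."""
    value = obj.get(key)
    if value is None:
        return []
    if allow_single and isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    raise PayloadDecodeError(f"{key}: expected array of strings")


def _opt_exp(obj: dict) -> Optional[int]:
    value = obj.get("exp")
    if value is None:
        return None
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise PayloadDecodeError("exp: expected NumericDate")
    return int(value)


def decode_payload(raw: str) -> Union[CustomDamlJWTPayload, StandardJWTPayload]:
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise PayloadDecodeError("payload must be a JSON object")
    if DAML_NAMESPACE in obj:                       # custom format
        ns = obj[DAML_NAMESPACE] or {}              # null namespace -> all defaults
        if not isinstance(ns, dict):
            raise PayloadDecodeError("namespace: expected object")
        return CustomDamlJWTPayload(
            ledgerId=_opt_str(ns, "ledgerId"), participantId=_opt_str(ns, "participantId"),
            applicationId=_opt_str(ns, "applicationId"), exp=_opt_exp(obj),
            admin=ns.get("admin") is True,          # null/missing -> safe default False
            actAs=_str_list(ns, "actAs"), readAs=_str_list(ns, "readAs"))
    user_id = _opt_str(obj, "sub")                  # standard format
    if user_id is None:
        raise PayloadDecodeError("sub: required for standard tokens")
    audiences = _str_list(obj, "aud", allow_single=True)
    scope = _opt_str(obj, "scope")
    participants = [a[len(PARTICIPANT_AUDIENCE_PREFIX):] for a in audiences
                    if a.startswith(PARTICIPANT_AUDIENCE_PREFIX)]
    if participants:
        fmt, participant_id = StandardJWTTokenFormat.ParticipantId, participants[0]
    else:
        # Scope-based: the Daml scope separates this token from other access
        # tokens the same issuer mints for other APIs.
        if DAML_SCOPE not in (scope or "").split():
            raise PayloadDecodeError(f"scope: must contain {DAML_SCOPE}")
        fmt, participant_id = StandardJWTTokenFormat.Scope, None
    return StandardJWTPayload(issuer=_opt_str(obj, "iss"), userId=user_id,
                              participantId=participant_id, exp=_opt_exp(obj),
                              format=fmt, audiences=audiences, scope=scope)


def encode_payload(p: Union[CustomDamlJWTPayload, StandardJWTPayload]) -> str:
    """Writing side: None fields are omitted instead of written as null."""
    if isinstance(p, CustomDamlJWTPayload):
        ns = {"ledgerId": p.ledgerId, "participantId": p.participantId,
              "applicationId": p.applicationId, "admin": p.admin,
              "actAs": p.actAs, "readAs": p.readAs}
        obj = {DAML_NAMESPACE: {k: v for k, v in ns.items() if v is not None}, "exp": p.exp}
    else:
        obj = {"iss": p.issuer, "sub": p.userId, "exp": p.exp,
               "aud": p.audiences or None, "scope": p.scope}
    return json.dumps({k: v for k, v in obj.items() if v is not None}, sort_keys=True)
```

    The asymmetry between the two decoders is deliberate: a malformed custom claim is an error rather than a silently dropped permission, while unknown top-level fields ("iat", vendor extensions) are ignored as the codec rules require.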

  4. object AuthServiceWildcard extends AuthService

    An AuthService that authorizes all calls by always returning a wildcard ClaimSet.Claims, i.e. no credential is checked and every caller receives every permission.

  5. object AuthorizationError
  6. object CachedJwtVerifierLoader
  7. case object ClaimActAsAnyParty extends Claim with Product with Serializable

    Authorized to act as any party, including:
    - Reading all data for all parties
    - Creating contracts on behalf of any party
    - Exercising choices on behalf of any party

  8. case object ClaimAdmin extends Claim with Product with Serializable

    Authorized to use all admin services. Does not authorize to use non-admin services.

  9. case object ClaimIdentityProviderAdmin extends Claim with Product with Serializable

    Authorized to use admin services for the configured identity provider. Does not authorize to use non-admin services.

  10. case object ClaimPublic extends Claim with Product with Serializable

    Authorized to use all "public" services, i.e., those that do not require admin rights and do not depend on any Daml party. Examples include the LedgerIdentityService or the PackageService.
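    The Claim ADT (the Claim, ClaimActAsParty and ClaimReadAsParty entries under Type Members and the case objects above), the mapping of a CustomDamlJWTPayload onto claims, the wildcard claim set of AuthServiceWildcard and the checks an Authorizer performs against the stored claims, as one added Python example (not the project's Scala). It encodes the semantics the entries state: act-as includes read-as, read-as never authorizes commands, ClaimAdmin does not cover non-admin services, and expired claims fail every check. Two details are this example's assumptions: every authenticated custom token is granted ClaimPublic, and the wildcard set consists of ClaimPublic, ClaimAdmin, ClaimIdentityProviderAdmin and ClaimActAsAnyParty.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, Optional, Union


# The Claim ADT as frozen dataclasses: value equality, usable in a frozenset.
@dataclass(frozen=True)
class ClaimPublic:
    pass


@dataclass(frozen=True)
class ClaimAdmin:
    pass


@dataclass(frozen=True)
class ClaimIdentityProviderAdmin:
    pass


@dataclass(frozen=True)
class ClaimActAsAnyParty:
    pass


@dataclass(frozen=True)
class ClaimActAsParty:
    name: str


@dataclass(frozen=True)
class ClaimReadAsParty:
    name: str


Claim = Union[ClaimPublic, ClaimAdmin, ClaimIdentityProviderAdmin,
              ClaimActAsAnyParty, ClaimActAsParty, ClaimReadAsParty]


@dataclass(frozen=True)
class Claims:
    """ClaimSet.Claims: the granted claims plus an optional expiration (epoch seconds)."""
    claims: FrozenSet[Claim]
    expiration: Optional[int] = None


@dataclass(frozen=True)
class Unauthenticated:
    """ClaimSet.Unauthenticated: the request carried no usable credentials."""


ClaimSet = Union[Claims, Unauthenticated]

# Assumed composition of the wildcard claim set returned by AuthServiceWildcard.
WILDCARD = Claims(frozenset({ClaimPublic(), ClaimAdmin(),
                             ClaimIdentityProviderAdmin(), ClaimActAsAnyParty()}))


def claims_from_custom_payload(admin: bool, act_as: Iterable[str],
                               read_as: Iterable[str], exp: Optional[int]) -> Claims:
    """admin/actAs/readAs/exp of a CustomDamlJWTPayload -> Claims.
    ClaimPublic for every authenticated bearer is an assumption of this example."""
    claims = {ClaimPublic()}
    if admin:
        claims.add(ClaimAdmin())
    claims.update(ClaimActAsParty(p) for p in act_as)
    claims.update(ClaimReadAsParty(p) for p in read_as)
    return Claims(frozenset(claims), exp)


class PermissionDenied(Exception):
    pass


class Authorizer:
    """Checks a request's requirements against the ClaimSet the interceptor stored.
    Each check is narrow on purpose: ClaimAdmin does not imply ClaimPublic, and a
    ClaimReadAsParty never satisfies an act-as requirement."""

    def __init__(self, clock: Callable[[], int]):
        self._clock = clock

    def _live_claims(self, claim_set: ClaimSet) -> FrozenSet[Claim]:
        if not isinstance(claim_set, Claims):
            raise PermissionDenied("unauthenticated")
        if claim_set.expiration is not None and self._clock() >= claim_set.expiration:
            raise PermissionDenied("claims expired")
        return claim_set.claims

    def require_public(self, claim_set: ClaimSet) -> None:
        if ClaimPublic() not in self._live_claims(claim_set):
            raise PermissionDenied("public claim required")

    def require_admin(self, claim_set: ClaimSet) -> None:
        if ClaimAdmin() not in self._live_claims(claim_set):
            raise PermissionDenied("admin claim required")

    def require_act_as(self, claim_set: ClaimSet, parties: Iterable[str]) -> None:
        """Command submission: only an act-as claim (specific or any-party) will do."""
        claims = self._live_claims(claim_set)
        for party in parties:
            if not ({ClaimActAsAnyParty(), ClaimActAsParty(party)} & claims):
                raise PermissionDenied(f"cannot act as {party}")

    def require_read_as(self, claim_set: ClaimSet, parties: Iterable[str]) -> None:
        """Reads: act-as claims include reading, so either kind satisfies this."""
        claims = self._live_claims(claim_set)
        for party in parties:
            if not ({ClaimActAsAnyParty(), ClaimActAsParty(party), ClaimReadAsParty(party)} & claims):
                raise PermissionDenied(f"cannot read as {party}")

    def allowed(self, check: Callable[[], None]) -> bool:
        try:
            check()
            return True
        except PermissionDenied:
            return False
```

    The checks take the parties the request names (submitter, transaction filter), so a request that is silent about a party is not authorized for it by accident; filling missing party fields from the token is a separate step that the payload documentation describes and this example does not perform.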

  11. object ClaimSet
  12. object Main
  13. object StandardJWTTokenFormat
