package auth
Type Members
- trait AuthService extends AnyRef
An interface for authorizing the ledger API access to a participant.
The AuthService is responsible for converting request metadata (such as the HTTP headers) into a ClaimSet. These claims are then used by the ledger API server to check whether the request is authorized.
  - The authorization information MUST be specified in the Authorization header.
  - The value of the Authorization header MUST start with "Bearer " (notice the trailing space of the prefix).
  - An AuthService implementation MAY use other headers when converting metadata to claims.
For example, a participant could:
  - Ask all ledger API users to attach an Authorization header with a JWT token as the header value.
  - Implement decodeMetadata() such that it reads the JWT token from the corresponding HTTP header, validates the token, and converts the token payload to a ClaimSet.
- class AuthServiceJWT extends AuthService
An AuthService that reads a JWT token from an Authorization: Bearer HTTP header. The token is expected to use the format as defined in AuthServiceJWTPayload.
- case class AuthServiceJWTPayload(ledgerId: Option[String], participantId: Option[String], applicationId: Option[String], exp: Option[Instant], admin: Boolean, actAs: List[String], readAs: List[String]) extends Product with Serializable
The JWT token payload used in AuthServiceJWT.
  - ledgerId
  If set, the token is only valid for the given ledger ID. May also be used to fill in missing ledger ID fields in ledger API requests.
  - participantId
  If set, the token is only valid for the given participant ID. May also be used to fill in missing participant ID fields in ledger API requests.
  - applicationId
  If set, the token is only valid for the given application ID. May also be used to fill in missing application ID fields in ledger API requests.
  - exp
  If set, the token is only valid before the given instant. Note: this is a registered claim in JWT.
  - admin
  Whether the token bearer is authorized to use admin endpoints of the ledger API.
  - actAs
  List of parties the token bearer can act as. May also be used to fill in missing party fields in ledger API requests (e.g., submitter).
  - readAs
  List of parties the token bearer can read data for. May also be used to fill in missing party fields in ledger API requests (e.g., transaction filter).
- final class AuthServiceStatic extends AuthService
An AuthService that matches the value of the Authorization HTTP header against a static map of header values to ClaimSet.Claims.
Note: This AuthService is meant to be used for testing purposes only.
- sealed abstract class AuthorizationError extends AnyRef
- final class Authorizer extends AnyRef
A simple helper that allows services to use authorization claims that have been stored by AuthorizationInterceptor.
- sealed abstract class Claim extends AnyRef
A claim is a single statement about what an authenticated user can do with the ledger API.
Note: this ADT is expected to evolve in the future by adding new cases for more fine-grained claims. The existing cases should be treated as immutable in order to guarantee backwards compatibility for AuthService implementations.
- final case class ClaimActAsParty(name: Party) extends Claim with Product with Serializable
Authorized to act as the given party, including:
  - Reading all data for the given party
  - Creating contracts on behalf of the given party
  - Exercising choices on behalf of the given party
- final case class ClaimReadAsParty(name: Party) extends Claim with Product with Serializable
Authorized to read all data for the given party. Does NOT authorize to issue commands.
- sealed trait ClaimSet extends AnyRef
Value Members
- object AuthServiceJWT
- object AuthServiceJWTCodec
Codec for writing and reading AuthServiceJWTPayload to and from JSON.
In general:
  - All custom claims are placed in a namespace field according to the OpenID Connect standard.
  - All fields are optional in JSON for forward/backward compatibility reasons.
  - Extra JSON fields are ignored when reading.
  - Null values and missing JSON fields map to None or a safe default value (if there is one).
Example:
  {
    "https://daml.com/ledger-api": {
      "ledgerId": "aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      "participantId": null,
      "applicationId": null,
      "admin": true,
      "actAs": ["Alice"],
      "readAs": ["Alice", "Bob"]
    },
    "exp": 1300819380
  }
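The header rules stated for AuthService above and the JSON layout read by AuthServiceJWTCodec, worked through in one added Python example (not code from the Daml project): it checks the "Bearer " prefix, verifies a constructed HS256-signed token, applies the documented null/missing/extra-field rules, and maps the payload onto the Claim cases listed on this page. The HS256 secret, the token builder, the expiry check at decode time and the string names used for the claims are assumptions made for this example.

```python
import base64, hashlib, hmac, json

NAMESPACE = "https://daml.com/ledger-api"  # custom-claim namespace used by AuthServiceJWTCodec
BEARER = "Bearer "                          # required header prefix, trailing space included

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(body: dict, secret: bytes) -> str:
    """Constructed HS256 token builder for the example (assumption: the real issuer is out of scope)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(body).encode())
    sig = hmac.new(secret, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{_b64url(sig)}"

def decode_metadata(headers: dict, secret: bytes, now: int):
    """Mimics AuthService.decodeMetadata(): Authorization header -> claim set.
    Returns "Unauthenticated" when the token is missing, malformed, forged or expired."""
    value = headers.get("Authorization", "")
    if not value.startswith(BEARER):
        return "Unauthenticated"
    try:
        head, payload, sig = value[len(BEARER):].split(".")
        expected = hmac.new(secret, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):  # verify before trusting any claim
            return "Unauthenticated"
        body = json.loads(_unb64url(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return "Unauthenticated"
    custom = body.get(NAMESPACE) or {}  # missing namespace object -> all custom claims default
    exp = body.get("exp")               # registered claim, lives outside the namespace
    if exp is not None and now >= exp:  # token is only valid before exp (checked here as a simplification)
        return "Unauthenticated"
    # Null or missing fields map to None / a safe default; extra fields are simply ignored.
    claims = ["ClaimPublic"]
    if custom.get("admin"):
        claims.append("ClaimAdmin")
    claims += [f"ClaimActAsParty({p})" for p in custom.get("actAs") or []]
    claims += [f"ClaimReadAsParty({p})" for p in custom.get("readAs") or []]
    return {"claims": claims, "ledgerId": custom.get("ledgerId"),
            "participantId": custom.get("participantId"), "applicationId": custom.get("applicationId")}

# Constructed sample input mirroring the JSON layout documented for AuthServiceJWTCodec.
SECRET = b"constructed-example-secret"
SAMPLE_BODY = {NAMESPACE: {"ledgerId": "aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "participantId": None,
                           "applicationId": None, "admin": True, "actAs": ["Alice"],
                           "readAs": ["Alice", "Bob"]}, "exp": 1300819380}
```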
- object AuthServiceNone extends AuthService
An AuthService that rejects all calls by always returning ClaimSet.Unauthenticated.
- object AuthServiceStatic
- object AuthServiceWildcard extends AuthService
An AuthService that authorizes all calls by always returning a wildcard ClaimSet.Claims.
- object AuthorizationError
- object ClaimActAsAnyParty extends Claim with Product with Serializable
Authorized to act as any party, including:
  - Reading all data for all parties
  - Creating contracts on behalf of any party
  - Exercising choices on behalf of any party
- object ClaimAdmin extends Claim with Product with Serializable
Authorized to use all admin services. Does not authorize to use non-admin services.
- object ClaimPublic extends Claim with Product with Serializable
Authorized to use all "public" services, i.e., those that do not require admin rights and do not depend on any Daml party. Examples include the LedgerIdentityService or the PackageService.
- object ClaimSet