Document audience-based token format (#14516)

* Document audience-based token format

changelog_begin
changelog_end

* Update docs/source/app-dev/authorization.rst

Co-authored-by: Sergey Kisel <98825453+skisel-da@users.noreply.github.com>

* Update docs/source/app-dev/authorization.rst

Co-authored-by: Sergey Kisel <98825453+skisel-da@users.noreply.github.com>
This commit is contained in:
Moritz Kiefer 2022-07-26 09:03:16 +02:00 committed by GitHub
parent 942a4d025a
commit 93d9b767fd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -157,14 +157,42 @@ the participant user management service *without* issuing new access tokens,
as would be required for the custom Daml claims tokens.
User access tokens are `JWTs <https://datatracker.ietf.org/doc/html/rfc7519>`_ that follow the
`OAuth 2.0 standard <https://datatracker.ietf.org/doc/html/rfc6749>`_ with a JSON payload of the following format.
`OAuth 2.0 standard <https://datatracker.ietf.org/doc/html/rfc6749>`_. There are two
different JSON encodings: An audience-based token format that relies
on the audience field to specify that it is designated for a specific
Daml participant and a scope-based audience token format which relies on the
scope field to designate the purpose. Both formats can be used interchangeably but
if possible, use of the audience-based token format is recommend as it
is compatible with a wider range of IAMs, e.g., Kubernetes does not
support setting the scope field and makes the participant id mandatory
which prevents misuse of a token on a different participant.
Audience-Based Tokens
---------------------
.. code-block:: json
{
"aud": "https://daml.com/jwt/aud/participant/someParticipantId",
"sub": "someUserId",
"exp": 1300819380
}
To interpret the above notation:
- ``aud`` is a required field which restricts the token to participant nodes with the given ID (e.g. ``someParticipantId``)
- ``sub`` is a required field which specifies the participant user's ID
- ``exp`` is an optional field which specifies the JWT expiration date (in seconds since EPOCH)
Scope-Based Tokens
------------------
.. code-block:: json
{
"aud": "someParticipantId",
"sub": "someUserId",
"exp": 1300819380
"exp": 1300819380,
"scope": "daml_ledger_api"
}
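Review bot: the introductory paragraph of the new section has two wording defects that should be fixed before merge: "use of the audience-based token format is recommend" should read "is recommended", and "a scope-based audience token format which relies on the scope field" should drop the stray word "audience" so that the two formats are named consistently as "audience-based" and "scope-based". The last sentence of that paragraph is also ambiguous: "Kubernetes does not support setting the scope field and makes the participant id mandatory which prevents misuse of a token on a different participant" reads as if Kubernetes makes the participant id mandatory, whereas the intended meaning is presumably that the audience-based format does. Suggest splitting it, e.g. "e.g., Kubernetes does not support setting the scope field. The audience-based format also makes the participant id mandatory, which prevents misuse of a token on a different participant." Finally, the ``aud`` bullet says the field "restricts the token to participant nodes with the given ID (e.g. ``someParticipantId``)", but the example value is ``https://daml.com/jwt/aud/participant/someParticipantId`` while the scope-based example uses the bare ``someParticipantId``; the bullet should state explicitly that in the audience-based format the value must carry the ``https://daml.com/jwt/aud/participant/`` prefix followed by the participant ID, since that prefix is what distinguishes the two formats when both are accepted interchangeably.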