feat: Add Auth0 authentication support as alternative to Keycloak #19
Open
jasonchen-eng wants to merge 1 commit into
This adds Auth0 client credentials authentication as an alternative to Keycloak for Canton network access.

Changes:
- Add auth0 module (crates/cbtc/src/auth0.rs) with client credentials flow
- Add 9 Auth0-based example programs (*_auth0.rs) demonstrating usage
- Update Cargo.toml to include reqwest dependency for Auth0 HTTP calls
- Add Auth0 configuration variables to .env.example

The Auth0 module provides:
- Client credentials OAuth 2.0 flow
- JWT token parsing for user ID and custom claims
- Full documentation and usage examples

All existing Keycloak-based examples remain unchanged. Auth0 examples are provided as separate files with _auth0.rs suffix for easy comparison.
gyorgybalazsi added a commit that referenced this pull request May 19, 2026

Replaces the temporary branch refs (`branch = "chore/bump-canton-api-client-3.6.0"`) on `ledger`/`keycloak`/`registry`/`common` with `tag = "v0.6.0"`. canton-lib v0.6.0 (DLC-link/canton-lib#20) contains the 3.6.0 bump (#18) plus the keycloak Quarkus token-URL helpers (#19); the upstream PR branch was deleted on merge, so the previous refs no longer resolve.

Cargo.lock updated by `cargo update -p ledger -p keycloak -p registry -p common`. `cargo check` clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
schronck pushed a commit that referenced this pull request May 19, 2026

* chore: bump canton-api-client to 3.6.0-0.1.0

Note: this PR also requires a new canton-lib tag containing the same canton-api-client bump in its `common` crate. Blocked on DLC-link/canton-lib#18 and the follow-up release.

* chore: adapt to canton-api-client 3.6.0 spec changes

Adapts cbtc-lib to the spec deltas introduced in Canton 3.6.0 — many previously required fields are now optional, `create_argument` is no longer double-wrapped (`Option<Option<Value>>` → `Option<Value>`), `transaction.events` and `package_ids` are now required (no longer `Option<Vec>`), `created_event_blob` is now `Option<String>`, `CreatedEvent` gained required `representativePackageId`/`acsDelta` fields, and `ExercisedEvent` gained `acsDelta`.

Mechanical changes:
- accept/cancel_offers/utils/list_incoming_offers/list_outgoing_offers: drop the outer `Some(...)` from `if let Some(Some(create_arg)) = ...` patterns on `create_argument`.
- credentials/mint_redeem/models: drop the `.and_then(|opt| opt.as_ref())` middle step from the `create_argument.as_ref().and_then(...).and_then(|v| v.as_object())` chains used to read the create-argument map.
- credentials/mint_redeem/models: `created_event.created_event_blob` is now `Option<String>`; `unwrap_or_default()` to preserve the existing `String` surface on the local types.
- consolidate/split/transfer/mint_redeem/credentials parsers: `transaction.events` is no longer `Option<Vec<Event>>`; drop the `.as_ref().ok_or("Failed to find events")?` indirection and iterate the Vec directly.
- consolidate/split/transfer parsers: `ExercisedEvent.exercise_result` is `Option<Option<Value>>` in 3.6 — match `Some(Some(result))` rather than the single-layer pattern that used to compile against 3.3.
- dar_check: `ListPackagesResponse.package_ids` is now a plain `Vec<String>`; drop the `.ok_or_else(...)` that handled the previous optional wrapping.
- utils test fixtures: include the new required `representativePackageId`/`acsDelta` fields on `CreatedEvent`, `acsDelta` on `ExercisedEvent`, and always emit `events: []` (rather than omitting the field) since `JsTransaction.events` is required.
- parser unit tests for the "missing events" case: update assertions to the new error messages each parser returns when given an empty events list (the old "Failed to find events" branch no longer exists, since the typed model guarantees events is present).

NOTE: this commit temporarily points the four canton-lib deps at the `chore/bump-canton-api-client-3.6.0` branch so the workspace can resolve end-to-end against the matching canton-api-client 3.6.0 bump there. The maintainer should swap these back to a real v0.6.0 tag before merging.

* fix(integration_test): filter holdings to CBTC before splitting

The step 20 split called `holdings.first()` on the result of `list_holdings`, which returns every Holding-template contract owned by the party. On devnet the sender's account holds legacy `CBTCV0RC8` instrument holdings alongside `CBTC`, so `.first()` could pick a non-CBTC holding. The split request then asserted `instrument_id = "CBTC"`, and the registry correctly rejected the mismatch with 400 "Given holdings are invalid".

Filter to `instrument_id == "CBTC"` before picking, matching the pattern already used by `submit_withdraw` in `mint_redeem::redeem`.

Verified end-to-end on devnet: 20/20 integration_test steps pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: pin canton-lib deps to v0.6.0 tag

Replaces the temporary branch refs (`branch = "chore/bump-canton-api-client-3.6.0"`) on `ledger`/`keycloak`/`registry`/`common` with `tag = "v0.6.0"`. canton-lib v0.6.0 (DLC-link/canton-lib#20) contains the 3.6.0 bump (#18) plus the keycloak Quarkus token-URL helpers (#19); the upstream PR branch was deleted on merge, so the previous refs no longer resolve.

Cargo.lock updated by `cargo update -p ledger -p keycloak -p registry -p common`. `cargo check` clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: bump cbtc version to 0.6.0

Aligns cbtc-lib's crate version with the canton-lib v0.6.0 release this PR depends on. Skips 0.5.x — the version jump reflects the canton-api-client 3.6.0 wire bump pulled in transitively (breaking change in dependency behavior, see CHANGELOG of canton-lib v0.6.0 for the `ledger_end::get` error-path change). cbtc-lib's public API is unchanged.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: gyorgybalazsi <gyorgy.balazsi@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>