Fixing Canton Validator OAuth2 Authentication Errors

Tags: canton blockchain oauth


Onboarding a Canton validator to devnet, testnet, or mainnet can be challenging. One error that kept me stuck was integrating OAuth2 with the Canton node—specifically, the missing access_token error.

Background

Canton is a privacy-enabled blockchain network. Unlike public blockchains, only authorized parties can read ledger data. To interact with Canton, you deploy a participant node and a validator node.

The issue I hit was the validator failing to authenticate with this error:

The Problem

OAuth2-protected requests carry a bearer token in the Authorization header. How you obtain that token is up to you. We use Okta as our identity provider with the client_credentials grant type for machine-to-machine auth.

First, verify you can get a token from your OAuth provider:

Get these values from your Okta admin. You should see a response like:

The Fix

1. Extract the Sub Field

The JWT contains a sub (subject) claim that identifies the client. Canton needs this for authentication. Decode the token:

You'll see something like:

Use the sub value in your validator's Kubernetes configuration:

2. Add Default Scope

This was the missing piece. Canton's OAuth client needs the scope explicitly configured:

Here's the full configuration in context:

3. Grant User Rights

After the validator is onboarded, grant it ledger access rights via the Canton Ledger API:

POST /v2/users/<SUB_FIELD>/rights

Request body:
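As an added example (not code from this post, Canton or Okta), the token check from The Problem, the sub extraction from step 1 and the rights path from step 3, in Python. The client id, scope name and sample token are constructed, and the rights request body itself is not part of the example.

```python
import base64
import json
import time
from urllib.parse import quote

# Added example, not code from the post or from Canton/Okta. Endpoint names,
# the scope name and the sample token below are constructed for illustration.
def parse_token_response(body):
    """Bearer token from a client_credentials response; raise naming the fields present."""
    token = body.get("access_token")
    if not token:
        raise ValueError("missing access_token; response fields: %s" % sorted(body))
    return token

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments, got %d" % len(parts))
    return json.loads(_b64url_decode(parts[1]))

def extract_sub(token, required_scope, now=None):
    """Return sub after checking expiry and that the configured scope was granted."""
    claims = decode_jwt_claims(token)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired at %s" % claims.get("exp"))
    # Okta lists granted scopes in `scp`; some providers use a space-separated `scope`.
    granted = set(claims.get("scp", [])) | set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        raise ValueError("scope %r not granted; token has %s" % (required_scope, sorted(granted)))
    if "sub" not in claims:
        raise ValueError("token has no sub claim; check the client app configuration")
    return claims["sub"]

def rights_request_path(sub):  # Ledger API path from step 3, with sub URL-encoded
    return "/v2/users/%s/rights" % quote(sub, safe="")

def build_unsigned_sample_token(claims):
    """Constructed, unsigned JWT so the example runs offline; never use one for real."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "x"])

SAMPLE_RESPONSE = {"token_type": "Bearer", "expires_in": 3600,  # constructed response
                   "access_token": build_unsigned_sample_token(
                       {"sub": "0oaexampleclientid", "scp": ["validator"], "exp": 2000000000})}
```

The scope check catches the step 2 failure early: a token issued without the scope the validator is configured for is rejected here rather than by the node.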

