We are trying to log in our HTML mashup to Qlik Cloud using JWT auth.
We have already set up the JWT identity provider in the Qlik management console.
The JWT token is created using a PHP library and sent for authorisation using the following code:
var config = {
  host: 'qwxxxxxxxxxxxxxx.eu.qlikcloud.com',
  prefix: '/',
  port: 443,
  isSecure: true,
  webIntegrationId: 'xxxxxxxxxx', // from qlik management console
  jwt: "eyJhb....UA", //token created using the php library
};
async function login() {
  function isLoggedIn() {
    console.log("checking logged in");
    return fetch("https://" + config.host + "/api/v1/users/me", {
      method: 'GET',
      mode: 'cors',
      credentials: 'include',
      headers: {
        'Content-Type': 'application/json',
        'qlik-web-integration-id': config.webIntegrationId
      },
    }).then((response) => {
      return (response.status === 200);
    });
  }
  return isLoggedIn().then((loggedIn) => {
    if (!loggedIn) {
      console.log("not logged in");
      return fetch("https://" + config.host + "/login/jwt-session", {
        method: 'POST',
        mode: 'cors',
        credentials: 'include',
        headers: {
          'Content-Type': 'application/json',
          'qlik-web-integration-id': config.webIntegrationId,
          'Authorization': 'Bearer ' + config.jwt,
        },
      }).then((response) => {
        if (response.status !== 200) {
          console.log("failed logged in");
          throw new Error('failed to login via jwt');
        }
      });
    } else {
      console.log("already logged in");
    }
  });
}
The response we get from the request is the following:
{
  "errors": [
    {
      "title": "Authentication failed",
      "detail": "No identity-provider is able to complete the exchange",
      "code": "LOGIN-1",
      "status": "401"
    }
  ],
  "traceId": "9cf4f041f5b6aa685eca85cce00075c3"
}
The JWT token is valid and properly decoded. We tested it by removing the "nbf" from the payload and the response mentioned that the nbf was missing.
Any thoughts on what the problem can be?
Thanks in advance
Hi @pdimitrakis
Can you share the exact content (structure) of your JWT token?
You can use the debugger on jwt.io to get it.
Please mask any sensitive information.
Hi @Damien_Villaret ,
JWT header
{
  "typ": "JWT",
  "alg": "RS256",
  "jti": "67xxxxxxxxxxx6f",
  "issuer": "qwxxxxxxxxx.eu.qlikcloud.com",
  "iss": "qwxxxxxxxxx.eu.qlikcloud.com"
}
JWT payload
{
  "jti": "67xxxxxxxxxxxxxxxxxxxxxxxxx6f",
  "iss": "qwxxxxxxxxxxx.eu.qlikcloud.com",
  "aud": "qlik.api/login/jwt-session",
  "sub": "64xxxxxxxxxxc",
  "subType": "user",
  "iat": 1711529073,
  "nbf": 1711529073,
  "exp": 1711532673,
  "userId": "64xxxxxxxxxxc",
  "name": "Panagiotis Dimitrakis",
  "email": "xxxxxxxxxx",
  "email_verified": true,
  "roles": [
    "RootAdmin"
  ]
}
Some information is duplicated, as the names of the payload fields were found to be different in other responses regarding the payload.
The only suspicious thing I see is that you are missing "kid" (keyid) in the JWT header, my header looks like this:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "c4xxxxxxxxxxx72"
}
You were right @Damien_Villaret
Thanks a lot.
Just for reference, after the login worked I tried cleaning the JWT token headers and payload, and the minimum working set is:
headers
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "2xxxxxxxxb"
}
payload
{
  "jti": 1711610797, //random unique, i.e. timestamp
  "iss": "qxxxxxxxxxx8.eu.qlikcloud.com",
  "aud": "qlik.api/login/jwt-session",
  "sub": "6xxxxxxxxxxxxxxc", //the user id
  "subType": "user",
  "iat": 1711610797,
  "nbf": 1711610797,
  "exp": 1711614397,
  "name": "John Doe",
  "email": "xxxxxxxx@xxxxxxxx.com",
  "email_verified": true
}
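The following pre-flight check is an added example, not part of the original thread and not Qlik's own code: it decodes a token's header and payload and reports which fields of the working set posted above are absent, which would have pointed at the missing "kid" before the LOGIN-1 response. The function names, the field lists (copied from that post, not from Qlik documentation) and the sample tokens are assumptions made for illustration; the signature is not verified.

```javascript
// Added example: pre-flight check of a JWT against the working set from this thread.
// HEADER_FIELDS / PAYLOAD_FIELDS mirror that post; they are not taken from Qlik documentation.
const HEADER_FIELDS = ['typ', 'alg', 'kid'];
const PAYLOAD_FIELDS = ['jti', 'iss', 'aud', 'sub', 'subType', 'iat', 'nbf', 'exp',
  'name', 'email', 'email_verified'];
const EXPECTED_AUD = 'qlik.api/login/jwt-session';

// Decode one base64url JWT segment into an object (no signature verification).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Return a list of problems; an empty list means the structure matches the working set.
function checkQlikJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['token does not have three dot-separated segments'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (e) {
    return ['header or payload is not valid base64url-encoded JSON'];
  }
  const problems = [];
  for (const f of HEADER_FIELDS) if (!(f in header)) problems.push('header is missing "' + f + '"');
  for (const f of PAYLOAD_FIELDS) if (!(f in payload)) problems.push('payload is missing "' + f + '"');
  if ('aud' in payload && payload.aud !== EXPECTED_AUD) problems.push('aud differs from ' + EXPECTED_AUD);
  if (payload.nbf > nowSeconds) problems.push('nbf is in the future');
  if (payload.exp <= nowSeconds) problems.push('token has expired');
  return problems;
}

// Constructed sample tokens (dummy signature segment), for demonstration only.
function makeSample(header, payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc(header) + '.' + enc(payload) + '.c2ln';
}
const SAMPLE_PAYLOAD = { jti: 'constructed-1', iss: 'tenant.example', aud: EXPECTED_AUD,
  sub: 'user-1', subType: 'user', iat: 1711610797, nbf: 1711610797, exp: 1711614397,
  name: 'John Doe', email: 'john@example.com', email_verified: true };
const WITHOUT_KID = makeSample({ typ: 'JWT', alg: 'RS256', iss: 'tenant.example' }, SAMPLE_PAYLOAD);
const WITH_KID = makeSample({ typ: 'JWT', alg: 'RS256', kid: 'constructed-key-id' }, SAMPLE_PAYLOAD);
console.log(checkQlikJwt(WITHOUT_KID, 1711610800)); // fixed time inside the sample's validity window
```

Running the check where the token is generated keeps the diagnosis local instead of relying on the generic 401 from /login/jwt-session.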