topic Re: JWT Authentication with Okta bearer token in Integration, Extension & APIs

JWT Authentication with Okta bearer token

frank_packer_at — Sat, 16 Nov 2024 03:49:36 GMT

Hi All,

I'm working on a project that integrates an Angular SPA with a MSSql db back-end and Qlik Sense (Nov 19). I'm using Okta for my IDP and have it set up as follows:

Okta sign-in widget on SPA login page. User logs in and following this my SPA communicates with my db APIs by sending a JWT Authorization bearer token that was generated by Okta on login. I've set up my db to validate the incoming token to provide access and set the db user. This validation is done remotely via Okta's provided method, and this is all working great.

My challenge is to now integrate Qlik with this ecosystem, and I believe that I should be able to set up a JWT virtual proxy to receive the same token that Okta generated. Okta does not provide a public key certificate in PEM format for me to use in setting up the virtual proxy, but they do provide a JWKS that looks like the following example:

{
"keys":[
{
"kty":"RSA",
"alg":"RS256",
"kid":"nxbkkwOi08tlMmhhQSbKEBkEcd3IhlhfRTzwHOXl1xc",
"use":"sig",
"e":"AQAB",
"n":"wCIBXVwe9nalkjTb4l2vfp5mDowaL2YoqIr71P0WxDpTIIRuITx7NqNijpOkQ_795YkWMZt8Z9LRRnyf-VA3EE2l9p64sqoCsAG_AJ07YFaPoohkxSq8tJ8nJ01XGco-OuTs3uviSMcZ0eQHC7RdaG7ARe-IglfBkKUfzLHuElO3kH3VanG7_Ageb1hl1DWhiHlqtCCaq9XZVeMbfpcLkU_doE9QThxEN9pZjff83X47qxSwNe9LPWurD-xQ5C0QonSO-VIdpGobEVKHlqu6AYX0H7VEk3H4SNjAr04EagHy6EGktBAMc081SPpMWWUeQuGrmqDPGECed_wBLkUMRQ"
}
]
}

I can convert this to a PEM certificate, however Qlik rejects it with the error message that the certificate is invalid.

I'm aware that there is an out-of-the-box method for integrating Qlik and Okta, however there is a specific reason for using JWT rather than SAML in this case.

Any help in setting up a virtual proxy to receive and validate the bearer token from Okta would be greatly appreciated!

Re: JWT Authentication with Okta bearer token

Harsh_Gohil — Mon, 16 Dec 2019 04:23:07 GMT

hi,

Yes because Qlik have their own certificates.

If you are using some opensource certificates it will gives you error.

Just use Qlik certificate and try.

Thanks Regards,

Harsh Gohil

Re: JWT Authentication with Okta bearer token

frank_packer_at — Mon, 16 Dec 2019 05:22:04 GMT

Thanks Harsh,

Thanks for the reply.

That's not going to work, unfortunately, because Okta will not use the private key provided by Qlik to generate the token. The token is generated by Okta, and the public key certificate is needed to validate it.

Re: JWT Authentication with Okta bearer token

Harsh_Gohil — Mon, 16 Dec 2019 08:48:50 GMT

hey,

Did you try this method?

https://help.qlik.com/en-US/sense/June2019/Subsystems/ManagementConsole/Content/Sense_QMC/SAML-configuration-okta.htm

try this steps if it will helps you 🙂

Re: JWT Authentication with Okta bearer token

frank_packer_at — Mon, 16 Dec 2019 22:22:04 GMT

Hi Harsh,

There's a requirement on this project to use JWT, rather than SAML, so I can't use that method.

Re: JWT Authentication with Okta bearer token

frank_packer_at — Tue, 17 Dec 2019 06:24:37 GMT

Update:

I've been in contact with Okta and can confirm that the certificate generated from the JWKS is valid. I've been able to test that the token and public key certificate are both valid by verifying them on jwt.io and can confirm that the algorithm is RS256, which is supported by Qlik.

Everything works great up to this point, however Qlik is still showing the 'Invalid Public Key Certificate' error when the certificate is entered in the virtual proxy configuration screen.

I can't see a reason for Qlik to be refusing to accept the certificate, since it can be confirmed as valid by jwt.io and will successfully decode and validate the payload of the bearer token.

Re: JWT Authentication with Okta bearer token

Harsh_Gohil — Tue, 17 Dec 2019 09:01:40 GMT

hello,

i dont have any idea but when i was trying to connect with qlik using nodejs that time i have to pass certificates also we have to add one header called certificate = NULL.

so try with your method put certificates = Null, if you have this type of option.

might work for you 🙂

Thanks

Re: JWT Authentication with Okta bearer token

rbpeterson2 — Wed, 28 Oct 2020 22:03:27 GMT

Hi @frank_packer_at - we are having the same issue with another Ident provider - were able to solve?

Re: JWT Authentication with Okta bearer token

jaclag — Tue, 10 Nov 2020 18:05:34 GMT

Hi all. I see that we have the same expectations about making Qlik work with JWT authentication. We made it so I'm sharing the solution, hoping it will help you.

The different examples that you can find on the web are using the Qlik server's certificate for signing the JWT. It's quite confusing ... You have to use the certificate provided by your IdP. You can get it from the discovery mechanism provided by OIDC protocol. Here are the steps :

- Open the discovery page of your IdP :

https://your.idp.server/.well-known/openid-configuration

- The response is a json. Look at the jwks_uri field, and go to this uri. In my case : https://your.idp.server/.well-known/openid-configuration/jwks but could be different for you).

- The response is another json describing the keys used for signing the JWT. The specification (JWK) is here : https://tools.ietf.org/html/rfc7517#section-4. It's the same content of what received @frank_packer_at at the top of this topic.

- The public certificate used to sign the JWT should be provided in the x5c attribute (for me, at least ...). Following the specification, it's a base_64 encoded DER binary file. From this string, you can create the file with some tools, for example on linux I'm doing this (some tools should be available in Windows, I'm not very familiar with the Windows console) :

echo 'MII...your...certificate...base64...string' | base64 -d > idp.der

- You can check that the certificate is ok :

openssl x509 -inform der -in idp.der -text -noout

- Then convert the DER binary file to a PEM format :

openssl x509 -inform der -in idp.der -out idp.pem

- Paste the content of this PEM file in the JWT Virtual Proxy configuration in Qlik, and it should work.

- To be able to check that everything is OK, you can extract the public key from the certificate and paste it on jwt.io to check the signature of your JWTs. For this, get the pub file and paste the content on jwt.io :

openssl x509 -pubkey -noout -in idp.pem > idp.pub

- After this, you have to configure the claims in which Qlik should read the userId and directoryId, and the value of the aud claim (Audience) that Qlik should check to allow the JWT. Once the user is authenticated by the proxy, you should provide him for a license. For this you can rely on the claims (attribute mapping in the Virtual Proxy) or on other attributes if you synchronize the directory with UDC (which is not mandatory, as Qlik creates the users in the directory when they authenticate).

- We made it work with a SPA transparent page hosted in a Qlik extension (like a mashup), using an oidc javascript client. What's next is to be able to redirect to this page when the session has ended, so we are working on this. If you have an option for this, please share 🙂

Hope this helps !

Bests

Julien