<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Session denied because of JTI Replay Attack Error in Integration, Extension &amp; APIs</title>
    <link>https://community.qlik.com/t5/Integration-Extension-APIs/Session-denied-because-of-JTI-Replay-Attack-Error/m-p/1865194#M15959</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;My app connects to Qlik Sense via a virtual proxy that uses JWT to handle user authentication. Normally, I hit the virtual proxy with my JWT containing the user's information and then it returns a session cookie that gets stored with my browser and is used to authenticate all future requests. This works fine usually, but if a user closes out of the browser, the session cookie is deleted and the user has to reconnect via JWT authentication. The issue I have been running into quite often lately is where my requests for authentication are getting denied by the virtual proxy with the following message being logged:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"Jwt authentication attempt treated as a replay as a non unique jti was presented. Request will not be authenticated."&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;A quick Google search turns up this support article:&amp;nbsp;&lt;A href="https://support.qlik.com/articles/000092118" target="_blank"&gt;https://support.qlik.com/articles/000092118&lt;/A&gt;. It says that the request is denied when a non-unique JTI is presented within a 5-minute time frame. That is completely understandable, but it also doesn't seem to be the case. I tried connecting with a JWT and was denied a session because of a JTI replay attack error. I then waited 25 minutes and tried again, but I was STILL denied a session because of a JTI replay attack error.&lt;BR /&gt;&lt;BR /&gt;Is there something that I am missing? There doesn't seem to be a way to keep this error from occurring, or to change the time window. Is there a config file I can go to to disable it?&lt;/P&gt;
&lt;P&gt;What is weird is that I have gotten this to work before by waiting 5 minutes, but it doesn't work anymore. Does the JWT get put on a permanent blacklist after a certain number of attempts?&lt;/P&gt;</description>
    <pubDate>Tue, 30 Nov 2021 23:15:22 GMT</pubDate>
    <dc:creator>dselgo_eidex</dc:creator>
    <dc:date>2021-11-30T23:15:22Z</dc:date>
    <item>
      <title>Session denied because of JTI Replay Attack Error</title>
      <link>https://community.qlik.com/t5/Integration-Extension-APIs/Session-denied-because-of-JTI-Replay-Attack-Error/m-p/1865194#M15959</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;My app connects to Qlik Sense via a virtual proxy that uses JWT to handle user authentication. Normally, I hit the virtual proxy with my JWT containing the user's information and then it returns a session cookie that gets stored with my browser and is used to authenticate all future requests. This works fine usually, but if a user closes out of the browser, the session cookie is deleted and the user has to reconnect via JWT authentication. The issue I have been running into quite often lately is where my requests for authentication are getting denied by the virtual proxy with the following message being logged:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"Jwt authentication attempt treated as a replay as a non unique jti was presented. Request will not be authenticated."&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;A quick Google search turns up this support article:&amp;nbsp;&lt;A href="https://support.qlik.com/articles/000092118" target="_blank"&gt;https://support.qlik.com/articles/000092118&lt;/A&gt;. It says that the request is denied when a non-unique JTI is presented within a 5-minute time frame. That is completely understandable, but it also doesn't seem to be the case. I tried connecting with a JWT and was denied a session because of a JTI replay attack error. I then waited 25 minutes and tried again, but I was STILL denied a session because of a JTI replay attack error.&lt;BR /&gt;&lt;BR /&gt;Is there something that I am missing? There doesn't seem to be a way to keep this error from occurring, or to change the time window. Is there a config file I can go to to disable it?&lt;/P&gt;
&lt;P&gt;What is weird is that I have gotten this to work before by waiting 5 minutes, but it doesn't work anymore. Does the JWT get put on a permanent blacklist after a certain number of attempts?&lt;/P&gt;</description>
      <pubDate>Tue, 30 Nov 2021 23:15:22 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Integration-Extension-APIs/Session-denied-because-of-JTI-Replay-Attack-Error/m-p/1865194#M15959</guid>
      <dc:creator>dselgo_eidex</dc:creator>
      <dc:date>2021-11-30T23:15:22Z</dc:date>
    </item>
  </channel>
</rss>

