topic Re: Unable to authorize using generated JWT token in Integration, Extension & APIs

Unable to authorize using generated JWT token

akhramovich — Sat, 04 Dec 2021 11:46:03 GMT

Hello

We are trying to use the JWT token to authorize users in our tenant. Unfortunately, we are constantly getting a "No identity-provider is able to complete the exchange" error message.

What we did:

1. We created a JWT Identity provider

2. We configured Content Security Policy

3. We added Web integration

4. We generated a JWT token for the previously created user

Payload

payload =

{
    'sub': 'AbVUmy-qm52KYnW3LLUMVj8XL9b_w_Xw',
    'subType': 'user',
    'name': 'Anton Akhramovich',
    'email': 'anton.akhramovich@leverx.com',
    'email_verified': True,
    'iat': datetime.now(tz=timezone.utc),
    'exp': datetime.now(tz=timezone.utc) + timedelta(hours=6),
    'iss': 'ipivg15a4pg4614.us.qlikcloud.com',
    'aud': 'qlik.api/login/jwt-session',
    'groups': ["Analytics Admin", "Data Admin", "Data Space Creator", "Developer", "Managed Space Creator",
               "Shared Space Creator", "Tenant Admin"],
}

Signing option

options = {
   "keyid": "a9e1e157-b9a1-40da-8926-d2d022ab25eb",
   "issuer": "ipivg15a4pg4614.us.qlikcloud.com",
   "expiresIn": "6h",
    "algorithm": "RS256",
   "audience": "qlik.api/login/jwt-session"
}

5. We tried to call /login/jwt-session API end-points with this token and web integration id.

Request example:

curl --request POST \
--url 'https://ipivg15a4pg4614.us.qlikcloud.com/login/jwt-session?qlik-web-integration-id=4X19wW0KeJFDF_cSYIsDLoeUPN98kuqG' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtleWlkIjoiNzM4MWVhMzItYTYyYi00MzE1LWE1NTAtNDE5NTA0NjkwMDhlIiwiaXNzdWVyIjoiaXBpdmcxNWE0cGc0NjE0LnVzLnFsaWtjbG91ZC5jb20iLCJleHBpcmVzSW4iOiI2aCIsImFsZ29yaXRobSI6IlJTMjU2IiwiYXVkaWVuY2UiOiJxbGlrLmFwaS9sb2dpbi9qd3Qtc2Vzc2lvbiJ9.eyJzdWIiOiJBYlZVbXktcW01MktZblczTExVTVZqOFhMOWJfd19YdyIsInN1YlR5cGUiOiJ1c2VyIiwibmFtZSI6IkFudG9uIEFraHJhbW92aWNoIiwiZW1haWwiOiJhbnRvbi5ha2hyYW1vdmljaEBsZXZlcnguY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImdyb3VwcyI6WyJBbmFseXRpY3MgQWRtaW4iLCJEYXRhIEFkbWluIiwiRGF0YSBTcGFjZSBDcmVhdG9yIiwiRGV2ZWxvcGVyIiwiTWFuYWdlZCBTcGFjZSBDcmVhdG9yIiwiU2hhcmVkIFNwYWNlIENyZWF0b3IiLCJUZW5hbnQgQWRtaW4iXX0.A_s2kfGijAkigtZ24hNpEj1npN5mtNVYsD36k08Xl3lDAhUXL-cwbVc-w9i_ito8JU0S4GTnb-I6mCUtibgT35LOfu7jIyguzuT-EQIuRsAlxd76Wnv9f4c9VQXhko-RPjXXT8RRENTVPwkkik1XyR57cmDtgcXq4bTIO2qp--nN1Vqczw8GPn8Z8YVqWlxnoPeOCUH8VpeqCm-zVt32YJOiQptSFg9dukuy18qfjtdu6voriepM0Y6TWfyYt8cgIEGXQ5ydNNA14lVzyCQNL1gzx9Y_7FhjRcCIlX4_cGpjhQbEa7GfkqL46SHhTZyXDVFHiNPJ3ZR-Zq6cIRjR5vVPfmsYY87HArZCRc_aE5PvQ7MM3zNLLW9wrzn-u52YQIR2uvwWEXW96NM8H_aPggI3yAK2oMXkEerZ1QMkd-nOKYgfdMql3wRSirEJCGmvIIX8sQKpFnERM7JzkGXH1pcTcbHFoAbldeC4EbTgFeK2pTxHGXN2TH1DFqZfFvPg7wnHpfJs83yZYL3w4AWwxFvZ-OF3yHr8BxZLHjTK2Mu7nSYTamR93QtZmZqrp5rszjNK_RmjgOfJdCNQlk53UJcRRhDnE8OkKLWqUXiWNDWcxP_mZGvexPI51PKpM5z1V4w5J-Wd7ETc0hguy3Cp-Q6GUvMOcTJa2-VSYvQjzsI' \
--header 'content-type: application/json' \
--header 'qlik-web-integration-id: 4X19wW0KeJFDF_cSYIsDLoeUPN98kuqG'

Response

{
"errors": [
{
"title": "Authentication failed",
"detail": "No identity-provider is able to complete the exchange",
"code": "LOGIN-1",
"status": "401"
}
],
"traceId": "0000000000000000575fdaa5ce50c86f"

}

I also attached the python script that is used to generate the JWT token

It will be great if you can support us to find out what we are doing wrong.

Re: Unable to authorize using generated JWT token

akhramovich — Tue, 07 Dec 2021 06:03:25 GMT

I also tried to do the same by manually generating the JWT token at jwt.io. Here are the parameters that I used:

But I still get the same error message ("No identity-provider is able to complete the exchange")

Re: Unable to authorize using generated JWT token

Damien_V — Fri, 10 Dec 2021 16:05:22 GMT

Hello @akhramovich

It looks your token has the wrong format, some parameters that should be in the payload are in the header, which is incorrect, please see how my token looks below:

Also some parameters have the wrong name (it should be "aud", "iss","exp" instead of "audience","issuer","expiresIn")

Not sure which programming language/library you have used to generate the token, usually node.js would convert those names to the correct parameter names.

Re: Unable to authorize using generated JWT token

muhammadraza — Mon, 07 Feb 2022 07:53:59 GMT

Hello @Damien_V ,

Tried to do the same but getting same error. No clue what is going wrong. See attached.

request
-------
https://company.eu.qlikcloud.com/login/jwt-session?qlik-web-integration-id=y8GEs6kcxVdVC9I3I0Aimq4FZZb-f5HQ&_ga=2.16715574.166217437.1644210376-244659920.1601789245

Header
------
Authorization Bearer generated_token

Result
------
{"errors":[{"title":"Unauthorized","code":"AUTH-1","status":"401"}],"traceId":"0000000000000000d2fbc7fc488769df"}

jwt.io token generation

Regards,

Raza

Re: Unable to authorize using generated JWT token

muhammadraza — Mon, 07 Feb 2022 08:24:42 GMT

I got it. The problem was in the iss. It is not the tenant URL but the issuer FQDN of the certificate.