topic Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup in Integration, Extension & APIs

Qlik Sense SaaS - Generating an api-key in an authenticated mashup

1emerson — Mon, 31 Jan 2022 15:27:41 GMT

Is it possible to generate an api-key for my user from within an authenticated mashup?

I have a mashup that has been authenticated successfully according to the instructions here.

The mashup is able to make subsequent calls to query the api-keys endpoint in order to determine whether the current user has an api-key. Therefore I am certain I have configured and connected to my tenant from within the mashup.

The sticky point is when the code attempts to create a new api-key

fetch("https://"+config.host+"/api/v1/api-keys", { method: 'POST', mode:'cors', credentials: 'include', headers: { 'Content-Type': 'application/json', 'qlik-web-integration-id': config.webIntegrationId, 'qlik-csrf-token': csrfToken }, body : JSON.stringify({ "description": 'my-generated-key', "subType": "user", "sub": <my user id> }) })

This results in a 403 forbidden response.

If the user already has a known api-key, then I'm able to generate new ones by passing the Authorization header as described in the REST documentation. However, the use case dictates that the user may not already have a known api-key.

Thanks in advance!

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

Akshesh_Patel — Tue, 08 Feb 2022 20:49:10 GMT

Hi,

Try this JS :

var config = {
    host: 'yourtenant.eu.qlikcloud.com',
    prefix: '/',
    port: 443,
    isSecure: true,
    webIntegrationId: '0pEp-l03lPxDawQxhOSWjKqO_Ckw1WYn'
};

//Redirect to login if user is not logged in
async function login() {
      function isLoggedIn() {
        return fetch("https://"+config.host+"/api/v1/users/me", {
          method: 'GET',
          mode: 'cors',
          credentials: 'include',
          headers: {
            'Content-Type': 'application/json',
            'qlik-web-integration-id': config.webIntegrationId,
          },
        }).then(response => {
          return response.status === 200;
        });
      }
      return isLoggedIn().then(loggedIn => {
        if (!loggedIn) {	  
            window.location.href = "https://"+config.host+"/login?qlik-web-integration-id=" + config.webIntegrationId + "&returnto=" + location.href;
            throw new Error('not logged in');
        }
      });
    }
login().then(() => {
    require.config( {
    baseUrl: ( config.isSecure ? "https://" : "http://" ) + config.host + (config.port ? ":" + config.port : "") + config.prefix + "resources",
    webIntegrationId: config.webIntegrationId
} );			

require( ["js/qlik"], function ( qlik ) {
	qlik.on( "error", function ( error ) {
		$( '#popupText' ).append( error.message + "<br>" );
		$( '#popup' ).fadeIn( 1000 );
	} );
	$( "#closePopup" ).click( function () {
		$( '#popup' ).hide();
	} );
    //open apps -- inserted here --
	var app = qlik.openApp( '8120d03d-3902-4f4e-b0f1-3fee539227ad', config );
	
    //get objects -- inserted here --
	app.visualization.get('DKnjQAk').then(function(vis){
    vis.show("QV01");	
	} );
    
} );});

Credit full reference link : https://community.qlik.com/t5/Knowledge/How-to-create-a-mashup-in-Qlik-Sense-Enterprise-on-SaaS/ta-p/1767294

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

1emerson — Tue, 08 Feb 2022 21:53:09 GMT

Thanks for the attention. However, I don't see the example described in your reply invoking the create API key REST endpoint. Create API Key

This looks like it opens an App and pulls some content back to the html page.

The crux of my problem is being able to create a new api key from a mashup which has been authenticated to Qlik SaaS

I appreciate the reply,

Dan

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

Akshesh_Patel — Tue, 08 Feb 2022 21:57:25 GMT

Hi,

Thanks, what I am thinking is that to generate or delete API keys, you must have the role of developer. Does the user have at least a developer role and professional license assigned in SaaS?

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

1emerson — Tue, 08 Feb 2022 22:08:33 GMT

Yes, the user has the role of Developer and is designated as "Professional".

I'm able to create new keys for this user with the REST API (by passing the Authorization header with an existing api key). So I am pretty sure that the entitlements are correct.

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

Akshesh_Patel — Wed, 09 Feb 2022 03:01:32 GMT

did you check in the developer tool and see if any CSPs are blocking the request and try adding that to SaaS?

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

1emerson — Wed, 09 Feb 2022 16:19:17 GMT

I guess I'm not connecting the dots with the Content Security Policy recommendation as to how that might help. My mashup is able to invoke other REST API requests. For example, I can successfully describe an exiting API key (using the GET /api-keys/{id}) after the mashup is authenticated. Therefore the Content Security Policy is allowing requests, just not the specific create API key request mentioned above.

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

Damien_V — Thu, 10 Feb 2022 07:32:23 GMT

Hello @1emerson

I have checked internally with our R&D and this is a product limitation.

"Admin" and "Developer" roles are stripped off the request when running in CORS mode and as generating an API key requires the "Developer" role then it's not possible to perform that action in a mashup.

Hope that helps.

Re: Qlik Sense SaaS - Generating an api-key in an authenticated mashup

1emerson — Fri, 11 Feb 2022 19:09:27 GMT

I sort of suspected as much. The documentation was pretty clear here regarding disallowing operations involving TenantAdmin role within a web integration. It also does state what you wrote about running as a "regular user".

Thanks for confirming that Developer operations are also restricted to using API Keys.

Kind Regards,