403/XSRF when calling QPS API (iframe mashup code using python inside ;-)

virilo_tejedor — Fri, 14 Jul 2023 08:09:40 GMT

I'm trying to use QPS API to get a ticket for to be used in a Flask web server by using a mashup iframe.

When I run the attached code:

- It doesn't return me any ticket, it returns a 403 error instead due to XSRF

- It offers me a login form despite the wrong ticket (virtual proxy configured to use form authentication)

- Once I log in the iframe, it shows the mashup correctly

My setup:

- Qlik Sense Server Enterprise 2022

- Virtual proxy: ( mostly from this video )

- Annonymous access mode: no

- Authentication method: Ticket

- Windows authentication pattern: forms

- has secure attribute (https): checked

- SameSite attribute (https): None

- Hosts white list: empty (using just one QS server)

- I created cert/key/root files exported from the QMC/Certificates (weird, because once it were exported I stopped watching them listed at QMC/Certificates)

- Certificates were converted to .pem using openssl. "client.pem" file contains both: a private key and a certificate

- Engine\Settings.ini configured with:

EnableTTL=1

SessionTTL=30

(and extra CR-LF line)

Why am I receiving this 403 error? How could I solve it?

Why is it still possible to use the mashup whithout any proper ticket?

What is the TargetId parameter used for? I can see it on this node.js example, but I can't see it is being used in the Powershell example.

The output log:

InsecureRequestWarning: Unverified HTTPS request is being made to host 'analytics.mycompany.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, 127.0.0.1 - - [13/Jul/2023 11:00:28] "GET / HTTP/1.1" 200 - QPS_API_URL https://analytics.mycompany.com:4243/qps/testmashup/ticket?xrfkey=123456789abcdef ticket: XSRF prevention check failed. Possible XSRF discovered. response: <Response [403]> response.reason: Forbidden

The python code:

from flask import Flask, render_template_string import requests app = Flask(__name__) QLIK_SENSE_SERVER_DOMAIN='analytics.mycompany.com' USER_DIRECTORY = 'MYCOMPANYAD' USER_ID = 'myuser' # Root Admin user XRF_KEY = '123456789abcdefg' # You can change this PROXY_PREFIX = 'testmashup' # Your virtual proxy prefix QPS_API_URL = f"https://{QLIK_SENSE_SERVER_DOMAIN}:4243/qps/{PROXY_PREFIX}/ticket?xrfkey={XRF_KEY}" QPS_HEADERS = { 'content-type': 'application/json', 'X-Qlik-xrfkey': XRF_KEY, 'X-Qlik-user': f'UserDirectory={USER_DIRECTORY};UserId={USER_ID}' } assert len(XRF_KEY)==16, f'''XRF_KEY ERROR. XRF_KEY={XRF_KEY} len={len(XRF_KEY)} XRF_KEY must be alphanumeric and 16 characters length. See https://community.qlik.com/t5/Integration-Extension-APIs/403-XSRF-when-calling-QPS-API-iframe-mashup-code-using-python/m-p/2093779/highlight/true#M18855 ''' MASHUP_URL = f"https://{QLIK_SENSE_SERVER_DOMAIN}/{PROXY_PREFIX}/extensions/TestMashup/TestMashup.html" @app.route('/') def serve_page(): ticket = get_ticket(USER_DIRECTORY, USER_ID) iframe_src=f"{MASHUP_URL}?QlikTicket={ticket}" html = f"""<!DOCTYPE html> <html style="height: 100%;"> <body> <iframe src="{iframe_src}" frameborder="0" scrolling="yes" seamless="seamless" style="display:block; width:100%; height:100vh;"></iframe> </html>""" return render_template_string(html) def get_ticket(user_directory, user_id): payload = { "UserDirectory": user_directory, "UserId": user_id, "Attributes": [] # "TargetId": targetId, # what is actually this targetId ??? } response = requests.post(QPS_API_URL, headers=QPS_HEADERS, json=payload, \ cert=(r'client.pem', \ r'client.pem'), \ verify=False) # response.raise_for_status() # Raises stored HTTPError, if one occurred. ticket = response.text print("QPS_API_URL", QPS_API_URL) print("ticket: ", ticket) print("response: ", response) print("response.reason: ", response.reason) return ticket if __name__ == "__main__": app.run(port=8080)

Re: 403/XSRF when calling QPS API (iframe mashup code using python inside ;-)

Damien_V — Fri, 14 Jul 2023 06:57:57 GMT

Hello @virilo_tejedor

Why am I receiving this 403 error? How could I solve it?

> your XRF key is 15 characters, it needs to be an alphanumeric string that is exactly 16 characters

Why is it still possible to use the mashup whithout any proper ticket?

> It shouldn't be possible unless you already have an active cookie for that virtual proxy in your browser, did you try to clear cache/cookies from the browser and test?

What is the TargetId parameter used for?

> Qlik Sense will remember what URL you tried to access before getting redirected to the authentication module and store it in memory as an ID, the mapping between the actual URL and the ID is stored in the Qlik Proxy service memory and cannot be seen directly.

Re: 403/XSRF when calling QPS API (iframe mashup code using python inside ;-)

virilo_tejedor — Fri, 14 Jul 2023 08:14:39 GMT

Yes, I changed the XRF_KEY to be 16 character length and it worked like a charm.

I marked your answer as the solution, and modified the code with an assertion, so other people will be able to reuse this code without stumbling with the same issue.

BTW, I checked also that after cleaning qliksense cookies, it doesn't show the mashup. It shows an squared icon (with an X inside) instead.

Thanks a lot @Damien_V for your help, and for the clarification regarding the TargetId parameter.

topic Re: 403/XSRF when calling QPS API (iframe mashup code using python inside ;-) in Integration, Extension & APIs

403/XSRF when calling QPS API (iframe mashup code using python inside ;-)

Re: 403/XSRF when calling QPS API (iframe mashup code using python inside ;-)

Re: 403/XSRF when calling QPS API (iframe mashup code using python inside ;-)