topic Re: JWT authentication in mashup in Integration, Extension & APIs

JWT authentication in mashup

pdimitrakis — Wed, 27 Mar 2024 08:20:52 GMT

We are trying to login our html mashup to Qlik Cloud using JWT auth.

We have already setup the JWT identity provider in the Qlik management console.
The JWT token is created using a php library and send for authorisation using the following code:

The response we get from the request is the following:

{ "errors": [ { "title": "Authentication failed", "detail": "No identity-provider is able to complete the exchange", "code": "LOGIN-1", "status": "401" } ], "traceId": "9cf4f041f5b6aa685eca85cce00075c3" }

The JWT token is valid and properly decoded. We tested it by removing the "nbf" from the payload and the response mentioned that the nbf was missing.

Any thoughts what can be the problem?
Thanks in advance

Re: JWT authentication in mashup

Damien_V — Wed, 27 Mar 2024 08:30:23 GMT

Hi @pdimitrakis

Can you share the exact content (structure) of your JWT token?
You can use the debugger on jwt.io to get it.

Please mask any sensitive information.

Re: JWT authentication in mashup

pdimitrakis — Wed, 27 Mar 2024 08:49:31 GMT

Hi @Damien_V ,

JWT header { "typ": "JWT", "alg": "RS256", "jti": "67xxxxxxxxxxx6f", "issuer": "qwxxxxxxxxx.eu.qlikcloud.com", "iss": "qwxxxxxxxxx.eu.qlikcloud.com" }

JWT payload { "jti": "67xxxxxxxxxxxxxxxxxxxxxxxxx6f", "iss": "qwxxxxxxxxxxx.eu.qlikcloud.com", "aud": "qlik.api/login/jwt-session", "sub": "64xxxxxxxxxxc", "subType": "user", "iat": 1711529073, "nbf": 1711529073, "exp": 1711532673, "userId": "64xxxxxxxxxxc", "name": "Panagiotis Dimitrakis", "email": "xxxxxxxxxx", "email_verified": true, "roles": [ "RootAdmin" ] }

Some information is duplicate as the names of the payload fields were found different is other responses regarding the payload.

Re: JWT authentication in mashup

Damien_V — Wed, 27 Mar 2024 11:56:20 GMT

@pdimitrakis

The only suspicious thing I see is that you are missing "kid" (keyid) in the JWT header, my header looks like this:

{ "typ": "JWT", "alg": "RS256", "kid": "c4xxxxxxxxxxx72" }

Re: JWT authentication in mashup

pdimitrakis — Thu, 28 Mar 2024 10:20:45 GMT

You were right @Damien_V
Thanks a lot.

Just for the reference, after the login worked I tried cleaning the JWT token headers and payload and the minimum working set is:

headers { "typ": "JWT", "alg": "RS256", "kid": "2xxxxxxxxb" }

payload { "jti": 1711610797, //random unique, i.e timestamp "iss": "qxxxxxxxxxx8.eu.qlikcloud.com", "aud": "qlik.api/login/jwt-session", "sub": "6xxxxxxxxxxxxxxc", //the user id "subType": "user", "iat": 1711610797, "nbf": 1711610797, "exp": 1711614397, "name": "John Doe", "email": "xxxxxxxx@xxxxxxxx.com", "email_verified": true }