topic Re: JWT 401 unauthorized in Integration, Extension & APIs

JWT 401 unauthorized

LorisLombardo87 — Thu, 09 May 2024 11:06:53 GMT

Hi all,

i'm trying to login to qlik using a JWT token but when i try to post to https://horsadev.eu.qlikcloud.com/login/jwt-session with the the web integration id and the bearer token i get the following error.

the token is made up like this:

user details: name sub and email are the exactly like the console.

any idea of what can go wrong here?

thanks,

Loris

Re: JWT 401 unauthorized

mpc — Thu, 09 May 2024 11:17:01 GMT

Hi,

Can you check if the token isn't expired yet ?

Kind regard

Re: JWT 401 unauthorized

LorisLombardo87 — Thu, 09 May 2024 12:19:21 GMT

thanks for the suggestion Mpc

the token is created with jsonwebtoken I've tried various configurations of expiresIn from 30s to 60m and it is anyway consumed just after its creation, always the same result unfortunately.

Loris

Re: JWT 401 unauthorized

mpc — Thu, 09 May 2024 12:27:53 GMT

Ok, I assume you've followed this guide: https://community.qlik.com/t5/Member-Articles/Enhanced-Guide-Embedding-Qlik-Cloud-Content-with-JWT/ta-p/2110735

Re: JWT 401 unauthorized

LorisLombardo87 — Thu, 09 May 2024 12:37:05 GMT

no i haven't, there are so many qlik guides on this topic on line 😅...

the interesting bits on that guide though is the mention of the sub field, I've used the one that I can get clicking on the i icon in the users list.

is it the same as the one I can get with https://yourcloudtenant/api/v1/users/me ?

in general what should this sub field (claim) be?

Re: JWT 401 unauthorized

mpc — Thu, 09 May 2024 12:49:50 GMT

You should use the one provided by the URL its return. It's not the one you cand find on the (i) icon in the QMC.
Moreover, in the final script, you will use ttps://yourcloudtenant/api/v1/users/me to affect the right sub to the user who attempt to log in.

Re: JWT 401 unauthorized

LorisLombardo87 — Thu, 09 May 2024 13:10:54 GMT

just to be 100% clear shall I use the one highlighted in red here ?

Re: JWT 401 unauthorized

mpc — Thu, 09 May 2024 13:20:32 GMT

Yes, it's not the good one, you shoud use the Qlik one beggining by 6 in your screnshot

Re: JWT 401 unauthorized

LorisLombardo87 — Fri, 10 May 2024 08:17:13 GMT

I think the issue might be somewhere else, the error message doesn't change if I add one or the other.

if i look at that guide i cannot see any other suspect element...

any other suggestion ?

Re: JWT 401 unauthorized

alex_colombo — Fri, 10 May 2024 14:12:03 GMT

Hey @LorisLombardo87 , token seems to be correct. I'm sharing how I create it with jsonwebtoken.

Can you post your JWT IdP configuration set in Management Console and you HTTP request?

Re: JWT 401 unauthorized

LorisLombardo87 — Fri, 10 May 2024 15:36:03 GMT

Hi Alex, Sure!

the http request is as follow:

async jwtLogin(token: string) { const authHeader = `Bearer ${token}`; return await fetch(`https://${environment.QlikTenant}/login/jwt-session?qlik-web-integration-id=${environment.webIntegrationID}`, { credentials: 'include', mode: 'cors', method: 'POST', headers: { 'Authorization': authHeader, 'qlik-web-integration-id': environment.webIntegrationID, 'Content-Type': 'application/json' }, }) }

the IdP configuration is very simple:

issuer and keyid have been left blank at the moment of creation, the one you see have been automatically populated by the console, and are matching what's in the JWT.

thanks for the support,

Loris

Re: JWT 401 unauthorized

alex_colombo — Mon, 13 May 2024 09:30:14 GMT

You don't need the webintegration id, mode:CORS and credential: include. Could you please remove them and try again. Also, try to compare my request with yours and di exactly the same, it should work.

Re: JWT 401 unauthorized

LorisLombardo87 — Mon, 13 May 2024 10:03:00 GMT

Thanks Alex, still the same. unfortunately.

can you please also double check if what MPC what suggesting a few comments earlier about the sub here is correct ?

thanks

Re: JWT 401 unauthorized

alex_colombo — Mon, 13 May 2024 12:01:31 GMT

You have to use the IdP subject.
I have just tried with Postam (I guess you are using Postman) and it works. The only thing that I see here is that there is something in the certificate which you are using for generate the token, maybe a mismatch between it and the private key set in IdP configuration in MC.

Could you please check this step in JWT configuration and check if you have remove any carriage returns or line feeds existing in the text?

Re: JWT 401 unauthorized

LorisLombardo87 — Tue, 21 May 2024 15:58:36 GMT

Hi Alex, we have decided to switch to SAML.

unfortunately all the suggestions have been ineffective.

Re: JWT 401 unauthorized

alex_colombo — Wed, 22 May 2024 09:47:03 GMT

I strongly reccomend to open a support case about this.