article Qlik Sense: How to set up JWT authentication in Official Support Articles

Qlik Sense: How to set up JWT authentication

Damien_V — Mon, 21 Nov 2022 12:05:02 GMT

This article explains how to simply set up JWT authentication using Qlik Sense default certificates and test it.

Steps:

Create a new virtual proxy

This section only explains settings specific to JWT and supposes that you have set up Name, Prefix, Session cookie header name, load balancing nodes and linked a Proxy to the new virtual proxy.
These are the minimum settings required for a virtual proxy to work correctly. Please refer to the Qlik Sense Online Help "Creating a virtual proxy" as well as Qlik Sense For Administrators - JWT authentication for details.
1. In the authentication section, select JWT for authentication
2. Paste the certificate used to sign/decrypt JWT in "JWT certificate
  
  In this article, we will use the default Qlik Sense certificate located:
  
  Important note: We use Qlik Default certificates for simplicity in this article, in a Production scenario, the customer should create the key material (generate a private/public key pair for JWT signing and verification) that is managed by customer internal security policies.
3. Go to C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
4. Open server.pem in a text editor
5. Copy the content including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- then paste it in the JWT Certificate field in the QMC > Virtual Proxy configuration.
6. Choose a value for JWT attribute for user ID and JWT attribute for user directory. That can be anything (except reserved key words for JWT claims) but it must match the values used in the JWT payload section when the JWT is generated.
7. Apply changes and close.
Generate the JWT

In this article, we will directly use the JWT debugger available on https://jwt.io to generate the token. In a real use case, the JWT library corresponding to the programming language used should be used to generate the JWT.
1. Open https://jwt.io and go to the debugger
2. Select RS256 for the algorithm
3. In the PAYLOAD box, set up your attributes previously set via QMA in Qlik Sense's virtual proxy configuration for the user ID and the user directory. (Note: Swap 'DOMAIN' with the user's directory)
4. In the Verify signature, paste server.pem (Certificate) and server_key.pem (Private key) content in the appropriate fields. Those files are both located in C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
5. You can now copy the JWT generated in the left field and test it. This should look like:
Test the generated JWT

In order to log in with JWT, you need to inject the JWT as a header. There are various extensions available depending on your browser in order to test this.

In this example, we are using Chrome with Modheader.
1. Install ModHeader from the Chrome Web Store
2. Try to go to the hub:
  
  https://{your server name}/{prefix for JWT virtual proxy}/hub/
3. You should get a 401 error: "Could not authenticate the request: Expected an authentication header." as no header has been provided.
4. Go to ModHeader and set the following header:
  
  Header name: Authorization
  Header value: Bearer yourjwt
5. Reload the page, you should now be logged into the hub correctly.

In order to integrate your solution with Qlik Sense using JWT authentication, you will need to pass in your code the JWT token in the authorization token for the first request to Qlik Sense so that a session is created.

Re: Qlik Sense: How to set up JWT authentication

mbj — Wed, 16 Dec 2020 09:21:40 GMT

Hi,

Great example! you can also run a JWT server with qlik sense embedded in an Iframe using https://community.qlik.com/t5/Support-Knowledge-Base/Qlik-Sense-How-to-set-up-JWT-authentication/ta-p/1716226?_ga=2.107852801.261853498.1607958694-1710320291.1569419813

Re: Qlik Sense: How to set up JWT authentication

mbj — Wed, 16 Dec 2020 12:02:55 GMT

https://github.com/jackBrioschi/JWT_Iframe_QSEoW

Re: Qlik Sense: How to set up JWT authentication

masprea — Thu, 13 Apr 2023 13:54:56 GMT

What to do if the JWT has rotating keys? For example Okta and the like rotate keys every 24 hours and therefore have multiple keys enabled at any time?

Can it work with an JWK URI instead?

Re: Qlik Sense: How to set up JWT authentication

mbj — Fri, 14 Apr 2023 05:34:15 GMT

You can just replace the certs or your server and in qlik cloud by using the APIs. (Remove jwt and create new one)

<>
[qlik-cloud-localserver-jwt-IFrame.png]
QHose/qlik-cloud-localserver-jwt-IFrame: An example of using JSON web tokens to process authorization to Qlik Cloud tenant using an AWS Lambda function.<>
github.com<>

Re: Qlik Sense: How to set up JWT authentication

mbj — Fri, 14 Apr 2023 06:26:13 GMT

https://github.com/QHose/qlik-cloud-localserver-jwt-IFrame

https://github.com/QHose/qlik-cloud-localserver-jwt-IFrame/blob/d73c1c7e723dd09bb6b1bdf2f52d797ec8731e0f/configureTenant.js#L275

Re: Qlik Sense: How to set up JWT authentication

mbj — Fri, 14 Apr 2023 06:27:07 GMT

More slides around jwt and Qlik cloud security (for OEM setups): https://integration.qlik.com/?selection=AHSkk7ZCD95SYttxF

Re: Qlik Sense: How to set up JWT authentication

mbj — Fri, 14 Apr 2023 06:28:21 GMT

So the posts above were for qlik cloud, but you can also do everything on client managed with the APIs. there is not JWK uri

Re: Qlik Sense: How to set up JWT authentication

masprea — Fri, 14 Apr 2023 09:28:05 GMT

yes, I thought about it too.

The issue is that for enterprise servers, to use this API to create new or update a virtual proxy, the only solution to authenticate is using client certificate authentication, which is like a root access on Qlik. So this adds a lot of overhead and security implications and it feels of very high risk for something that could have been done by Qlik itself.

Clearly when JWT was implemented there was a lack of understanding of what the tokens are for, because any enterprise implementation would have keys rotation given that JWT is stateless and as an attack vector, one would want to reduce the surface area rotating keys as much as possible.

Could you revisit this and ask if the functionality could be added?

Re: Qlik Sense: How to set up JWT authentication

mbj — Fri, 14 Apr 2023 14:35:15 GMT

Hi

You can use any authentication method to make the REST API calls. Not only certificates. So also jwt or ticketing.

Check also evaluation.qlik.com select presentation explorer, select api or security

I already shared your insights with the product manager. And they are aware.

Re: Qlik Sense: How to set up JWT authentication

MattiasThalén — Thu, 14 Dec 2023 17:15:48 GMT

According to JWT authentication, encrypted JWT isn't supported (i.e. HTTPS). So how would one work around this?

Re: Qlik Sense: How to set up JWT authentication

Sonja_Bauernfeind — Tue, 19 Dec 2023 07:49:40 GMT

Hello @MattiasThalén

An encrypted JWT does not equal HTTPs. HTTPS is traffic encryption, which does not rely on an encrypted JWT (which you cannot use in this instance). I recommend you post about what you are trying to achieve (your requirements) in our Integration forum, where our active userbase and support agents can assist you better.

All the best,
Sonja

Re: Qlik Sense: How to set up JWT authentication

Kartik2 — Thu, 21 Dec 2023 10:15:58 GMT

I have added a virtual proxy using JWT method , i verified the public and private keys using jwt.io and created a token.
I then used Fiddler classic decryped https and added Authorization and Bearer <token generated from jwt.io> it shows succes but after using this link -
https://{your server name}/{prefix for JWT virtual proxy}/hub/ i got error 401

Then I used chrome extension Modheader added the name as "Authorization" and value as "Bearer <token generated from jwt.io> " and this worked the site was opening

But when i pause modheader and restart my chrome browser and try to open the link it again shows error 401
I gave this link to other users who didn't had Modheader extension and they also get error 401

Any Solution??

Re: Qlik Sense: How to set up JWT authentication

aldosilva6 — Wed, 12 Jun 2024 17:21:48 GMT

How can I use jwks_uri instead of JWT certificate? The only format available is .pem?

Re: Qlik Sense: How to set up JWT authentication

chrisbrain — Tue, 03 Dec 2024 12:01:37 GMT

Should these JWTs not have some sort of expiry?

Re: Qlik Sense: How to set up JWT authentication

mbj — Tue, 03 Dec 2024 16:43:23 GMT

Yes, on the latest qlik.dev post you will find those attributes

Re: Qlik Sense: How to set up JWT authentication

rchuta1 — Tue, 10 Dec 2024 09:13:24 GMT

Please, how can I get the user ID and the user directory?, thanks

article Qlik Sense: How to set up JWT authentication in Official Support Articles

Qlik Sense: How to set up JWT authentication

Steps:

Related Content:

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication

Re: Qlik Sense: How to set up JWT authentication