I'm trying to use QPS API to get a ticket for to be used in a Flask web server by using a mashup iframe.
When I run the attached code:
- It doesn't return me any ticket, it returns a 403 error instead due to XSRF
- It offers me a login form despite the wrong ticket (virtual proxy configured to use form authentication)
- Once I log in the iframe, it shows the mashup correctly
My setup:
- Qlik Sense Server Enterprise 2022
- Annonymous access mode: no
- Authentication method: Ticket
- Windows authentication pattern: forms
- has secure attribute (https): checked
- SameSite attribute (https): None
- Hosts white list: empty (using just one QS server)
- I created cert/key/root files exported from the QMC/Certificates (weird, because once it were exported I stopped watching them listed at QMC/Certificates)
- Certificates were converted to .pem using openssl. "client.pem" file contains both: a private key and a certificate
- Engine\Settings.ini configured with:
EnableTTL=1
SessionTTL=30
(and extra CR-LF line)
Why am I receiving this 403 error? How could I solve it?
Why is it still possible to use the mashup whithout any proper ticket?
The output log:
InsecureRequestWarning: Unverified HTTPS request is being made to host 'analytics.mycompany.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
127.0.0.1 - - [13/Jul/2023 11:00:28] "GET / HTTP/1.1" 200 -
QPS_API_URL https://analytics.mycompany.com:4243/qps/testmashup/ticket?xrfkey=123456789abcdef
ticket: XSRF prevention check failed. Possible XSRF discovered.
response: <Response [403]>
response.reason: Forbidden
The python code:
from flask import Flask, render_template_string
import requests
app = Flask(__name__)
QLIK_SENSE_SERVER_DOMAIN='analytics.mycompany.com'
USER_DIRECTORY = 'MYCOMPANYAD'
USER_ID = 'myuser' # Root Admin user
XRF_KEY = '123456789abcdefg' # You can change this
PROXY_PREFIX = 'testmashup' # Your virtual proxy prefix
QPS_API_URL = f"https://{QLIK_SENSE_SERVER_DOMAIN}:4243/qps/{PROXY_PREFIX}/ticket?xrfkey={XRF_KEY}"
QPS_HEADERS = {
'content-type': 'application/json',
'X-Qlik-xrfkey': XRF_KEY,
'X-Qlik-user': f'UserDirectory={USER_DIRECTORY};UserId={USER_ID}'
}
assert len(XRF_KEY)==16, f'''XRF_KEY ERROR. XRF_KEY={XRF_KEY} len={len(XRF_KEY)}
XRF_KEY must be alphanumeric and 16 characters length.
See https://community.qlik.com/t5/Integration-Extension-APIs/403-XSRF-when-calling-QPS-API-iframe-mashup-code-using-python/m-p/2093779/highlight/true#M18855 '''
MASHUP_URL = f"https://{QLIK_SENSE_SERVER_DOMAIN}/{PROXY_PREFIX}/extensions/TestMashup/TestMashup.html"
@app.route('/')
def serve_page():
ticket = get_ticket(USER_DIRECTORY, USER_ID)
iframe_src=f"{MASHUP_URL}?QlikTicket={ticket}"
html = f"""<!DOCTYPE html>
<html style="height: 100%;">
<body>
<iframe src="{iframe_src}" frameborder="0" scrolling="yes" seamless="seamless" style="display:block; width:100%; height:100vh;"></iframe>
</html>"""
return render_template_string(html)
def get_ticket(user_directory, user_id):
payload = {
"UserDirectory": user_directory,
"UserId": user_id,
"Attributes": []
# "TargetId": targetId, # what is actually this targetId ???
}
response = requests.post(QPS_API_URL, headers=QPS_HEADERS, json=payload, \
cert=(r'client.pem', \
r'client.pem'), \
verify=False)
# response.raise_for_status() # Raises stored HTTPError, if one occurred.
ticket = response.text
print("QPS_API_URL", QPS_API_URL)
print("ticket: ", ticket)
print("response: ", response)
print("response.reason: ", response.reason)
return ticket
if __name__ == "__main__":
app.run(port=8080)
