Hello
I have developed a C# application that connects to QS Enterprise using a client certificate, and thus can impersonate any user when connecting to the Qlik Sense engine.
Now some of my clients are moving to Qlik Sense SaaS and I need a way to do the same thing: connect to the Qlik engine as an arbitrary user.
However, I can't find a way to do it.
My idea was using an API key of a user with the "developer" and "tenant admin" roles to invoke the following REST API:
https://qlik.dev/apis/rest/api-keys#%23%2Fentries%2Fv1%2Fapi-keys-post
to create a short-lived API key for the specific user I have to impersonate and then use the freshly generated key to connect as that user.
However, even though the request body for that API includes a "sub" parameter to set the subject for the key, the API call returns a "403 - Forbidden" error if the "sub" parameter is anything other than the ID of the user that is making the API invocation.
So... is there a solution to this? What is the correct way to impersonate another user when connecting to Qlik SaaS?
I'm not sure what the best way to do this is, but it's possible to accomplish impersonation for QCS using JWT authentication. I experimented with this some time ago, and I guess that's the closest you get to using direct connection using certificates in the on-prem version of the product. It's not trivial to set up though, and it involves you generating a certificate to use, as well as configuring your tenant to accept it. You can find a basic example of how to do it here:
That library also includes a class "QcsJwtFactory" that's intended to simplify the JWT generation once a private key is available.
You can find information on how to configure JWT authentication for your tenant here: https://qlik.dev/authenticate/jwt/implement-jwt-authorization
And of course... Security might be a concern here... Once you have that flow set up you have pretty much opened up a new door to get into the system.
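An added example (not part of the thread and not code from the library mentioned above): minting the short-lived signed JWT that this approach relies on, using only .NET's built-in RSA and JSON classes. The claim names and audience follow Qlik's JWT authorization documentation as I understand it; the key ID, issuer, subject, name and e-mail values are constructed placeholders, and the one-minute lifetime cap is a choice made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class QcsImpersonationToken   // hypothetical helper name
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // keyId and issuer must match the values registered on the tenant's JWT identity provider.
    public static string Create(RSA key, string keyId, string issuer,
                                string subject, string name, string email, TimeSpan lifetime)
    {
        // Whoever holds the private key can become any user, so cap how long a token is usable.
        if (lifetime <= TimeSpan.Zero || lifetime > TimeSpan.FromMinutes(1))
            throw new ArgumentOutOfRangeException(nameof(lifetime), "use a lifetime of one minute or less");

        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var header = new Dictionary<string, object> { ["alg"] = "RS256", ["typ"] = "JWT", ["kid"] = keyId };
        var payload = new Dictionary<string, object>
        {
            ["jti"] = Guid.NewGuid().ToString(),      // unique ID per token
            ["iss"] = issuer,
            ["aud"] = "qlik.api/login/jwt-session",
            ["sub"] = subject,                        // the user being impersonated
            ["subType"] = "user",
            ["name"] = name,
            ["email"] = email,
            ["email_verified"] = true,
            ["iat"] = now,
            ["nbf"] = now,
            ["exp"] = now + (long)lifetime.TotalSeconds
        };
        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        byte[] signature = key.SignData(Encoding.ASCII.GetBytes(signingInput),
                                        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(signature);
    }

    static void Main()
    {
        using RSA key = RSA.Create(2048); // constructed throwaway key; load the real one from protected storage
        Console.WriteLine(Create(key, "example-key-id", "example-issuer", "constructed-user-sub",
                                 "Example User", "user@example.com", TimeSpan.FromSeconds(30)));
    }
}
```

The private key is the whole trust boundary here: keep it out of source control and configuration files, and rotate the identity provider's key if it is ever exposed.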
Thanks, I've done some initial testing and it seems to work.
Since the tool I'm writing is highly automated, I wanted to minimize the setup required by having it automatically set up the JWT Identity Provider and Web Integration to make everything work.
However, while there is an API that allows you to create a new Identity Provider, I can't find one to create a new Web Integration... is creating a new Web Integration possible via REST API, or does that part need to be set up manually?
Never mind, I found it, it was in another section of the docs.
Answer accepted.