Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
master_t
Partner - Creator II
Partner - Creator II

Creating an API key for another user

Hello

I have developed a C# application that connects to QS Enterprise using a client certificate, and thus can impersonate any user when connecting to the Qlik Sense engine.

Now some of my clients are moving to Qlik Sense SaaS and I need a way to do the same thing: connect to the Qlik engine as an arbitrary user.

However, I can't find a way to do it.

My idea was using an API key of a user with the "developer" and "tenant admin" roles to invoke the following REST API:

https://qlik.dev/apis/rest/api-keys#%23%2Fentries%2Fv1%2Fapi-keys-post

to create a short-lived API key for the specific user I have to impersonate and then use the freshly generated key to connect as that user.

However, even though the request body for that API includes a "sub" parameter to set the subject for the key, the api  call returns a "403 - Forbidden" error if the "sub" parameter is anything other than the ID of the user that is making the API invocation.

So... is there a solution to this? What is the correct solution to connect impersonate another user when connecting to Qlik SaaS?

Labels (2)
1 Solution

Accepted Solutions
Øystein_Kolsrud
Employee
Employee

I'm not sure what the best way to do this is, but it's possible to accomplish impersonation for QCS using JWT authentication. I experimented with this some time ago, and I guess that's the closest you get to using direct connection using certificates in the on-prem version of the product. It's not trivial to set up though, and it involves you generating a certificate to use, as well as configuring your tenant to accept it. You can find a basic example of how to do it here:

https://github.com/kolsrud/qlik_rest_sdk/blob/master/Qlik.Sense.RestClient/Examples/QcsConnectJwt/Pr...

That library also includes a class "QcsJwtFactory" that's intended to simplify the JWT generation once a private key is available.

You can find information on how to configure JWT authentication for your tenant here: https://qlik.dev/authenticate/jwt/implement-jwt-authorization

And of course... Security might be a concern here... Once you have that flow set up you have pretty much opened up a new door to get into the system.

View solution in original post

3 Replies
Øystein_Kolsrud
Employee
Employee

I'm not sure what the best way to do this is, but it's possible to accomplish impersonation for QCS using JWT authentication. I experimented with this some time ago, and I guess that's the closest you get to using direct connection using certificates in the on-prem version of the product. It's not trivial to set up though, and it involves you generating a certificate to use, as well as configuring your tenant to accept it. You can find a basic example of how to do it here:

https://github.com/kolsrud/qlik_rest_sdk/blob/master/Qlik.Sense.RestClient/Examples/QcsConnectJwt/Pr...

That library also includes a class "QcsJwtFactory" that's intended to simplify the JWT generation once a private key is available.

You can find information on how to configure JWT authentication for your tenant here: https://qlik.dev/authenticate/jwt/implement-jwt-authorization

And of course... Security might be a concern here... Once you have that flow set up you have pretty much opened up a new door to get into the system.

master_t
Partner - Creator II
Partner - Creator II
Author

Thanks, I've done some initial testing and it seems to work.

Since the tool I'm writing is highly automated, I wanted to minimize the setup required by having it automatically setup the JWT Identity Provider and Web Integration to make everything work.

However, while there is an API that allow you to create a new Identity Provider, I can't find one to create a new Web Integration... is creating a new Web Integration possible via REST API, or that part needs to be set up manually?

master_t
Partner - Creator II
Partner - Creator II
Author

Nevermind, I found it, it was in another section of the dogs.

Answer accepted.