Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
pasi_lehtinen
Partner - Contributor III
Partner - Contributor III

Extension not available with virtual proxy (header auth)

I am having troubles with accessing extensions when I am accessing Qlik Sense via a virtual proxy which is using header authentication.

I first noticed this when using a mashup which is trying to embed qlik extensions into the page. In the console log I can see the following error (403 Forbidden): 

pasi_lehtinen_1-1639662493436.png

From the error message I can see that the xrfkey of the GET request differs from the one which is used in the initial header authentication. 

Here are the settings from QMC (virtual proxy):

pasi_lehtinen_3-1639663027310.png

 

I would assume that xrfkey is causing XSFR check failure, but I am not sure how to fix it. 

In the actual authentication we are defining the X-Qlik-Xrfkey and other headers as supposed. The authentication is working properly. For some reason our mashup is using different xrfkey when trying to access extensions via qrs API.

Any ideas how to fix the issue?

Update: 

here is the screenshot of the object from the hub (when using the same virtual proxy and header authentication):

pasi_lehtinen_0-1639663306976.png

 

 

Labels (4)
1 Solution

Accepted Solutions
Damien_Villaret
Support
Support

@pasi_lehtinen You should just need to inject the hdr-usr header.

Do not modify the other headers as it may cause some functionality to fail.

If the issue is solved please mark the answer with Accept as Solution.

View solution in original post

8 Replies
ErikWetterberg

The call /qrs/extension/schema is the one used to list available extensions. Does the call include your virtual proxy?? If not check that you include the virtual proxy in your require config.

pasi_lehtinen
Partner - Contributor III
Partner - Contributor III
Author

Thank you for your reply.

Yes, the call includes the virtual proxy. I also checked the mashup require config. Here is a screenshot of the configurations ( require.config is generated with a dynamic references )

pasi_lehtinen_0-1639727280757.png

 

 

pasi_lehtinen
Partner - Contributor III
Partner - Contributor III
Author

By the way, the same mashup works perfectly in our other environment which is using SAML authentication instead of header authentication. 

pasi_lehtinen
Partner - Contributor III
Partner - Contributor III
Author

I tested the call to .../qrs/extension/schema with postman simultaneously while having a session open (in my browser). The strange this is that my request works as long as I pass the same xrfkey as query parameter as I have in my open session (in browser). As soon as I change the xrfkey, I get error:  XSRF prevention check failed. Possible XSRF discovered.

Here is also the screenshot from the postman:

pasi_lehtinen_0-1639730966748.png

Seems like I need to some how handle the xrfkey when my mashup is trying to access the extensions, but unfortunately the xrfkey is outside of my control?

Andre_Sostizzo
Digital Support
Digital Support

@pasi_lehtinen , @Damien_Villaret may can assist here.

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up! 🙂
Damien_Villaret
Support
Support

Hello @pasi_lehtinen 

Am I understanding correctly here that you are overwritten the x-qlik-xrfkey header with your own value ?

"In the actual authentication we are defining the X-Qlik-Xrfkey and other headers as supposed."

The xrfkey / x-qlik-xrfkey are generated automatically by Qlik Sense and shouldn't be overwritten.

The only time you need to set the xrfkey / x-qlik-xrfkey is when you are calling the Qlik APIs from your code, which is not the case here.

If the issue is solved please mark the answer with Accept as Solution.
pasi_lehtinen
Partner - Contributor III
Partner - Contributor III
Author

Thank you @Damien_Villaret for your response. Okey, I understand.

Are you able to explain further how the header authentication should be configured? We have set up the environment with virtual proxy which is utilizing header authentication. 

  • Should I just leave the xrfkey away when redirecting users into the mashup? So the URL would not include any query parameter and also I would leave the X-Qlik-xrfkey way?
  • Should I still apply other headers (hdr-usr & Content-Type)? 

 

Damien_Villaret
Support
Support

@pasi_lehtinen You should just need to inject the hdr-usr header.

Do not modify the other headers as it may cause some functionality to fail.

If the issue is solved please mark the answer with Accept as Solution.