Incorrect Redirect URL (ProxyRestURI) - Qlik Community

Anonymous · ‎2016-08-04

I implemented the ticket based authentication solution. I added proxy so that the user will be redirected to login page instead of default windows authentication. I updated authentication module redirect URI. I can see the redirection working and see no problem with basic authentication.

However, the behavior when auth cookie expires isn't consistent with normal expectation. Let's say, I am on sheet 2 of an app and the auth cookie expires, the redirection URL (ProxyRestURI) is expected to be the URI where eventually I could be redirected so that there's now need to navigate again to the app and desired sheet.

Currently, it redirects me to the hub page "always". ProxyRestURI should ideally be the same URI as the page where he was prompted to login.

P.S : We created executive dashboard that is displayed 24x7 on monitors. The time out and more importantly the redirection back to hub instead of the desired sheet is deteriorating the experience.

Current redirection url:

http://ourappserver.domain.com/login?proxyRestUri=https%3a%2f%2fqlk-sense-server%3a4243%2fqps%2fsso%...‌

Expected:

the 'proxyRestUri' query string param should ideally have the app and sheet information from which it was originally redirected.

grangerats · ‎2017-02-25

The proxyRestUri should never do what you're requesting; that's not its purpose. The proxy service (which is what issues the tickets) is completely separate from the virtual proxy ("sso") that you've setup for people to use Qlik Sense. What it appears you are saying is that the "targetId" parameter you receive is not representing a URL that the end-user could use to get back to the spot they were before they were logged out.

E.g.

A user is viewing a sheet in an App. The URL is something like so: https://qlik.domain.com/sso/sense/app/{app-GUID}/sheet/{sheet-GUID}/state/analysis
They are idle for too long and when they next try to use Qlik, it notices they're no longer authenticated, so it redirects them to the VP's configured ticket authentication Url. Based on your example, it should be something like: https://ourappserver.domain.com/login?proxyRestUri=https%3a%2f%2fqlik.domain.com%3a4243%2fqps%2fsso%...{GUID}
Your code is expected to use proxyRestUri as a base URL to get to the "ticket" endpoint to request an authentication ticket. In that request, you're required to supply the value of the "targetId" parameter you received. That "targetId" is expected to represent the URL that the browser was trying to get to when it got sent to your code to (re)authenticate.
When you successfully get a ticket back from the QPS authentication API (proxyRestUri), the "TargetId" will be replaced with a "TargetUri". And you complete the process by redirecting the browser to "TargetUri", adding in the supplied "Ticket".

So, what you're saying is that you want "TargetUri" to be this: https://qlik.domain.com/sso/sense/app/{app-GUID}/sheet/{sheet-GUID}/state/analysis

But instead it is this: https://qlik.domain.com/sso/hub/

PS: I'm on QS v3.2 and I haven't had time to experience a logout via a timeout, so I don't know if behavior has changed since you originally posted.

duzunic88 · ‎2017-03-15

I am having the same issue here. We built a custom login page, that works with taking you to the hub but if I wanted to send someone a link to a mashup url for example and they are not authenticated, they will get taken to the login page and then the hub. The user would then have to paste the mashup url again to get to the mashup.

By default qlik does this well. Send someone a url, they login, and they are taken to the requested url. However, with a custom login page you end up at the hub instead of the page requested.

Is there a work around for this?