Hi all,
I'm trying to log in to Qlik using a JWT token, but when I try to post to https://horsadev.eu.qlikcloud.com/login/jwt-session with the web integration id and the bearer token I get the following error.
The token is made up like this:
User details: name, sub and email are exactly like the console.
Any idea of what can go wrong here?
thanks,
Loris
Hi,
Can you check if the token isn't expired yet?
Kind regards
Thanks for the suggestion, Mpc.
The token is created with jsonwebtoken. I've tried various configurations of expiresIn from 30s to 60m, and it is anyway consumed just after its creation; always the same result, unfortunately.
Loris
Ok, I assume you've followed this guide: https://community.qlik.com/t5/Member-Articles/Enhanced-Guide-Embedding-Qlik-Cloud-Content-with-JWT/t...
No, I haven't, there are so many Qlik guides on this topic online 😅...
The interesting bit in that guide, though, is the mention of the sub field. I've used the one that I can get by clicking on the i icon in the users list.
Is it the same as the one I can get with https://yourcloudtenant/api/v1/users/me ?
In general, what should this sub field (claim) be?
You should use the one returned by the URL. It's not the one you can find on the (i) icon in the QMC.
Moreover, in the final script, you will use https://yourcloudtenant/api/v1/users/me to assign the right sub to the user who attempts to log in.
Just to be 100% clear, shall I use the one highlighted in red here?
Yes, it's not the right one; you should use the Qlik one beginning with 6 in your screenshot.
I think the issue might be somewhere else; the error message doesn't change if I add one or the other.
If I look at that guide I cannot see any other suspect element...
Any other suggestion?
Hey @LorisLombardo87, the token seems to be correct. I'm sharing how I create it with jsonwebtoken.
Can you post your JWT IdP configuration set in Management Console and your HTTP request?
    const fs = require("fs");
    const crypto = require("crypto");
    const jsonwebtoken = require("jsonwebtoken");

    // Private key whose public half is registered in the tenant's JWT IdP configuration
    const private_key = fs.readFileSync("./key/privatekey.pem", "utf8");
    const tenantHost = 'saas.qlikcloud.com';

    // User identity that ends up in the token claims
    const id = {
      email: `email@qlik.com`,
      name: "Alex Colombo",
      sub: `idp_subject`
    };

    // keyid and issuer must match the values set in the JWT IdP configuration
    const signingOptions = {
      keyid: "keyId",
      algorithm: "RS256",
      issuer: "saas.qlikcloud.com",
      expiresIn: "1m",
      notBefore: "0s",
      audience: "qlik.api/login/jwt-session",
    };

    const payload = {
      jti: crypto.randomBytes(16).toString("hex"), // unique id for every token
      sub: id.sub,
      subType: "user",
      email_verified: true,
      email: id.email,
      name: id.name,
      groups: id.groups,
    };

    const token = jsonwebtoken.sign(payload, private_key, signingOptions);
    console.log(token);

    // Short delay before the token is used
    setTimeout(async () => {
      // Exchange the JWT for a session
      const resp = await fetch(`https://${tenantHost}/login/jwt-session`, {
        method: "POST",
        headers: {
          Authorization: `Bearer ${token}`,
        },
      });

      // Call an API endpoint and print the HTTP status
      const resp2 = await fetch(`https://${tenantHost}/api/v1/items?resourceType=app`, {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      });
      console.log('resp status: ', resp2.status)
    }, 200)
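A local pre-flight check for the questions raised in this thread (expiry, sub, issuer, key id), as an added example that is not part of any post above and is not Qlik's code. The function name, the `expected` object and the sample tokens are assumptions; the claim list and expected values are copied from the placeholders in the code posted above and must be replaced with the values from your own JWT IdP configuration.

```javascript
// Added example: inspects a JWT WITHOUT verifying its signature. For debugging
// tokens you minted yourself; never use it as an authentication check.
const decodePart = (p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
const encodePart = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");

// Claims set by the payload and signingOptions in the code posted above.
const REQUIRED = ["jti", "sub", "subType", "email", "email_verified", "name",
                  "iss", "aud", "exp", "nbf"];

// `expected` (hypothetical shape): alg, kid, iss, aud from your IdP configuration.
function checkJwtSessionToken(token, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return ["not a three-part compact JWT"];
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch (err) {
    return ["header or payload is not base64url-encoded JSON"];
  }
  const problems = [];
  for (const field of ["alg", "kid"]) {
    if (header[field] !== expected[field])
      problems.push(`header ${field} is ${header[field]}, expected ${expected[field]}`);
  }
  for (const claim of REQUIRED) {
    if (payload[claim] === undefined || payload[claim] === "") problems.push(`missing claim: ${claim}`);
  }
  if (payload.iss && payload.iss !== expected.iss)
    problems.push(`iss is ${payload.iss}, expected ${expected.iss}`);
  // aud may be a single string or an array of strings.
  if (payload.aud && ![].concat(payload.aud).includes(expected.aud))
    problems.push(`aud does not contain ${expected.aud}`);
  if (typeof payload.exp === "number" && payload.exp <= nowSec) problems.push("token is expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSec)
    problems.push("nbf is in the future (check the signing host's clock)");
  return problems;
}

// Constructed sample data; values mirror the placeholders in the post above.
const NOW = 1700000000;
const EXPECTED = { alg: "RS256", kid: "keyId", iss: "saas.qlikcloud.com", aud: "qlik.api/login/jwt-session" };
const goodPayload = { jti: "0123abcd", sub: "idp_subject", subType: "user", email: "email@qlik.com",
  email_verified: true, name: "Alex Colombo", iss: EXPECTED.iss, aud: EXPECTED.aud, nbf: NOW, exp: NOW + 60 };
const sample = (header, payload) => `${encodePart(header)}.${encodePart(payload)}.constructed-signature`;
const goodToken = sample({ alg: "RS256", typ: "JWT", kid: "keyId" }, goodPayload);
const badToken = sample({ alg: "RS256", typ: "JWT", kid: "other-key" },
  { ...goodPayload, sub: "", iss: "wrong-issuer", exp: NOW - 1 });
console.log(checkJwtSessionToken(goodToken, EXPECTED, NOW)); // []
console.log(checkJwtSessionToken(badToken, EXPECTED, NOW));
```

An empty result only means the token is well formed and matches the values you supplied; the tenant still has to accept the signature and the subject.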