Qlik Community
Integration, Extension & APIs

frank_packer_at (Partner)

JWT Authentication with Okta bearer token

Hi All,

I'm working on a project that integrates an Angular SPA with an MSSQL DB back-end and Qlik Sense (Nov 19). I'm using Okta for my IDP and have it set up as follows:

Okta sign-in widget on SPA login page. User logs in and following this my SPA communicates with my db APIs by sending a JWT Authorization bearer token that was generated by Okta on login. I've set up my db to validate the incoming token to provide access and set the db user. This validation is done remotely via Okta's provided method, and this is all working great.

My challenge is to now integrate Qlik with this ecosystem, and I believe that I should be able to set up a JWT virtual proxy to receive the same token that Okta generated. Okta does not provide a public key certificate in PEM format for me to use in setting up the virtual proxy, but they do provide a JWKS that looks like the following example:

{
"keys":[
{
"kty":"RSA",
"alg":"RS256",
"kid":"nxbkkwOi08tlMmhhQSbKEBkEcd3IhlhfRTzwHOXl1xc",
"use":"sig",
"e":"AQAB",
"n":"wCIBXVwe9nalkjTb4l2vfp5mDowaL2YoqIr71P0WxDpTIIRuITx7NqNijpOkQ_795YkWMZt8Z9LRRnyf-VA3EE2l9p64sqoCsAG_AJ07YFaPoohkxSq8tJ8nJ01XGco-OuTs3uviSMcZ0eQHC7RdaG7ARe-IglfBkKUfzLHuElO3kH3VanG7_Ageb1hl1DWhiHlqtCCaq9XZVeMbfpcLkU_doE9QThxEN9pZjff83X47qxSwNe9LPWurD-xQ5C0QonSO-VIdpGobEVKHlqu6AYX0H7VEk3H4SNjAr04EagHy6EGktBAMc081SPpMWWUeQuGrmqDPGECed_wBLkUMRQ"
}
]
}

I can convert this to a PEM certificate; however, Qlik rejects it with the error message that the certificate is invalid.

I'm aware that there is an out-of-the-box method for integrating Qlik and Okta, however there is a specific reason for using JWT rather than SAML in this case.

Any help in setting up a virtual proxy to receive and validate the bearer token from Okta would be greatly appreciated!


8 Replies
Harsh_Gohil (Partner)

hi,

Yes, because Qlik has its own certificates.

If you are using some open-source certificates, it will give you an error.

Just use the Qlik certificate and try.

Thanks and regards,

Harsh Gohil

frank_packer_at (Partner, Author)

Thanks Harsh,

Thanks for the reply.

That's not going to work, unfortunately, because Okta will not use the private key provided by Qlik to generate the token. The token is generated by Okta, and the public key certificate is needed to validate it.

Harsh_Gohil (Partner)

hey,

Did you try this method?

https://help.qlik.com/en-US/sense/June2019/Subsystems/ManagementConsole/Content/Sense_QMC/SAML-confi...

Try these steps and see if they help you 🙂

frank_packer_at (Partner, Author)

Hi Harsh,

There's a requirement on this project to use JWT, rather than SAML, so I can't use that method.

frank_packer_at (Partner, Author)

Update:

I've been in contact with Okta and can confirm that the certificate generated from the JWKS is valid. I've been able to test that the token and public key certificate are both valid by verifying them on jwt.io and can confirm that the algorithm is RS256, which is supported by Qlik.

Everything works great up to this point; however, Qlik is still showing the 'Invalid Public Key Certificate' error when the certificate is entered in the virtual proxy configuration screen.

I can't see a reason for Qlik to be refusing to accept the certificate, since it can be confirmed as valid by jwt.io and will successfully decode and validate the payload of the bearer token.

Harsh_Gohil (Partner)

hello,

I don't have any idea, but when I was trying to connect with Qlik using Node.js, I had to pass certificates and also add one header called certificate = NULL.

So try with your method: put certificates = Null, if you have this type of option.

It might work for you 🙂

Thanks


rbpeterson2 (Contributor III)

Hi @frank_packer_at, we are having the same issue with another identity provider. Were you able to solve it?

jaclag (Contributor)

Hi all. I see that we have the same expectations about making Qlik work with JWT authentication. We made it work, so I'm sharing the solution, hoping it will help you.

The different examples that you can find on the web are using the Qlik server's certificate for signing the JWT. It's quite confusing ... You have to use the certificate provided by your IdP. You can get it from the discovery mechanism provided by the OIDC protocol. Here are the steps:

- Open the discovery page of your IdP:

    https://your.idp.server/.well-known/openid-configuration

- The response is a JSON document. Look at the jwks_uri field, and go to this URI. In my case it is https://your.idp.server/.well-known/openid-configuration/jwks (but it could be different for you).

- The response is another JSON document describing the keys used for signing the JWT. The specification (JWK) is here: https://tools.ietf.org/html/rfc7517#section-4. It's the same content as what @frank_packer_at received at the top of this topic.

- The public certificate used to sign the JWT should be provided in the x5c attribute (for me, at least ...). Following the specification, it's a base64-encoded DER binary file. From this string, you can create the file with some tools; for example, on Linux I'm doing this (some tools should be available in Windows, I'm not very familiar with the Windows console):

    echo 'MII...your...certificate...base64...string' | base64 -d > idp.der

- You can check that the certificate is OK:

    openssl x509 -inform der -in idp.der -text -noout

- Then convert the DER binary file to PEM format:

    openssl x509 -inform der -in idp.der -out idp.pem

- Paste the content of this PEM file in the JWT Virtual Proxy configuration in Qlik, and it should work.

- To be able to check that everything is OK, you can extract the public key from the certificate and paste it on jwt.io to check the signature of your JWTs. For this, get the pub file and paste its content on jwt.io:

    openssl x509 -pubkey -noout -in idp.pem > idp.pub

- After this, you have to configure the claims from which Qlik should read the userId and directoryId, and the value of the aud claim (Audience) that Qlik should check to allow the JWT. Once the user is authenticated by the proxy, you should provide them with a license. For this you can rely on the claims (attribute mapping in the Virtual Proxy) or on other attributes if you synchronize the directory with a UDC (which is not mandatory, as Qlik creates the users in the directory when they authenticate).

- We made it work with a transparent SPA page hosted in a Qlik extension (like a mashup), using an OIDC JavaScript client. What's next is to be able to redirect to this page when the session has ended, so we are working on this. If you have an option for this, please share 🙂

Hope this helps!

Best,

Julien
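The discovery -> jwks_uri -> x5c -> PEM procedure Julien describes, and the n/e-only JWKS that frank_packer_at posted at the top of the thread, worked through offline in Python. This is an added example, not code from the thread, from Qlik or from Okta: the discovery document, JWKS, kid and x5c bytes are constructed stand-ins for the two HTTP responses (the x5c entry is placeholder bytes, not a real X.509 certificate, and the modulus is a deterministic fake, not a real key), and all function names are mine. The x5c path reproduces what the `base64 -d` / `openssl x509 -out idp.pem` steps do; the n/e path shows why a JWKS without x5c can only yield a SubjectPublicKeyInfo (a public key, which is what jwt.io accepts), never the certificate that the x5c route provides.

```python
"""Added example: IdP discovery -> JWKS -> PEM, on CONSTRUCTED sample data."""
import base64
import hashlib
import json
import textwrap

# --- constructed sample data, standing in for the two HTTP responses ----------
# Constructed modulus: deterministic, 2048-bit, odd. NOT a real key.
_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"demo").digest() * 8, "big") | 1
# Placeholder bytes in x5c: NOT a real X.509 certificate, just something to wrap.
FAKE_DER_CERT = bytes(range(70))


def b64url(raw: bytes) -> str:
    """JWK fields (n, e) use unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your.idp.server",
    "jwks_uri": "https://your.idp.server/.well-known/openid-configuration/jwks",
})
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "RSA", "alg": "RS256", "use": "sig", "kid": "demo-kid",
    "e": "AQAB", "n": b64url(_N.to_bytes(256, "big")),
    # RFC 7517 4.7: x5c holds standard base64 (not base64url) of the DER cert.
    "x5c": [base64.b64encode(FAKE_DER_CERT).decode()],
}]})


def jwks_uri_from_discovery(discovery_json: str) -> str:
    """Steps 1-2: the discovery document points at the JWKS."""
    return json.loads(discovery_json)["jwks_uri"]


def select_key(jwks_json: str, kid: str) -> dict:
    """Step 3: pick the signing key whose kid matches the token header's kid."""
    for key in json.loads(jwks_json)["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise KeyError(f"no signing key with kid={kid!r} in JWKS")


def _pem(label: str, der: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def x5c_to_cert_pem(key: dict) -> str:
    """Steps 4-6: x5c[0] is base64 DER; the PEM certificate is the same bytes
    re-wrapped. Same result as `base64 -d > idp.der` followed by
    `openssl x509 -inform der -in idp.der -out idp.pem`."""
    der = base64.b64decode(key["x5c"][0], validate=True)
    return _pem("CERTIFICATE", der)


# --- minimal DER encoder for the no-x5c fallback ------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(i: int) -> bytes:
    raw = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:  # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _tlv(0x02, raw)


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def jwk_to_public_key_pem(key: dict) -> str:
    """Fallback when the JWKS has no x5c (the Okta JWKS in the thread): build a
    SubjectPublicKeyInfo from n/e. This is a PUBLIC KEY, not a certificate:
    fine for checking a signature on jwt.io, not the x5c certificate."""
    rsa_pub = _tlv(0x30, _der_int(int.from_bytes(b64url_decode(key["n"]), "big"))
                   + _der_int(int.from_bytes(b64url_decode(key["e"]), "big")))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL params
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused
    return _pem("PUBLIC KEY", spki)


# --- tiny DER reader, so the encoding can be checked without openssl ----------
def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def public_key_pem_to_n_e(pem: str) -> tuple:
    """Parse the SPKI back into (n, e); a self-check of jwk_to_public_key_pem."""
    _, spki, _ = _read_tlv(pem_to_der(pem), 0)
    _, _alg, pos = _read_tlv(spki, 0)
    _, bitstr, _ = _read_tlv(spki, pos)
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, n_raw, pos = _read_tlv(rsa_pub, 0)
    _, e_raw, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


if __name__ == "__main__":
    key = select_key(SAMPLE_JWKS, "demo-kid")
    print(jwks_uri_from_discovery(SAMPLE_DISCOVERY))
    print(x5c_to_cert_pem(key))
    print(jwk_to_public_key_pem(key))
```

Against a real IdP you would replace the two SAMPLE_* strings with the bodies of GET on the discovery URL and on its jwks_uri, and take the kid from the token's header so that key rotation is handled. The distinction the two PEM functions make is the one the thread turns on: the x5c route produces a CERTIFICATE block that can be pasted into the virtual proxy, while a JWKS that carries only n and e can at best be turned into a PUBLIC KEY block.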