Solved: JWT suddenly stopped working (401 unauthorized) - Qlik Community

pdimitrakis · ‎2024-07-09

Hello,

We have been using JWT authentication to access a mashup webpage since 03/2024.

We needed some help then as seen in our question back then:

https://community.qlik.com/t5/Integration-Extension-APIs/JWT-authentication-in-mashup/m-p/2435434

Ten days ago, the JWT authentication suddenly stopped working and all requests from various browsers and pc is the same:

{
    "errors": [
        {
            "title": "Unauthorized",
            "code": "AUTH-1",
            "status": "401"
        }
    ],
    "traceId": "51a5bfec3f6a857bed9dc7fb96cc23a6"
}

We already tried recreating the key pair to test if that was the root of the problem, with no success.

Any thoughts?
Thanks in advance

pdimitrakis · ‎2024-07-10

The problem was the setting of the following two parameters in the token.

Not before (nbf): identifies the starting time on which the JWT is accepted.
Issued at (iat): identifies the time at which the JWT was issued.

We are creating the JWT token in PHP as follows:

$the_time = time() - 10; (start time is before 10 seconds)

$exp_time = $the_time + 60 * 60; (expiration time is 60 minutes after the start)

and in the token:


{
"jti": 1720591311,
"iss": "issuer",
"aud": "qlik.api/login/jwt-session",
"sub": "6456c639a7ec9b1be923689c",
"subType": "user",
"iat": $the_time,
"nbf": $the_time,
"exp": $exp_time,
"name": "John Doe",
"email": "name@domain.com",
"email_verified": true
}

The problem was in the 10 seconds setting.

Setting the issue time and not before time to 5 minutes ago did the trick.

$the_time = time() - 300; (start time is before 300 seconds)

It seems that somehow the Qlik tenant time got desynchronized over time since the original setting with the 10 seconds interval worked like a charm for 3 months.

I hope my notes are useful to others.

View solution in original post

pdimitrakis · ‎2024-07-10