eyalnir_qlik
Partner - Creator II

OIDC Setup – "Failed to decrypt ID token" Error with Azure AD

Hi everyone,

I'm trying to set up an OIDC connection between Qlik Cloud and Azure AD, but I'm encountering the following error during the validation step:

{ "status": "error", "protocol": "OIDC", "error": "Failed to decrypt ID token", "traceId": "<hidden>" }
Setup details:

Protocol: OIDC
Identity Provider: Azure AD
Redirect URI: https://<tenant>.<region>.qlikcloud.com/login/callback
(this URI is configured both in Azure and in Qlik)

What I've tried so far:

ID token issuance is enabled (enableIdTokenIssuance: true)

Implicit grant flow is enabled

Optional claims are configured: upn, email, groups

A client secret is registered

The app is registered as AzureADMyOrg

I'm not intending to encrypt the ID token, and have not configured any tokenEncryptionKeyId.

Still receiving the "Failed to decrypt ID token" error.

Trying to understand:

Why would Qlik try to decrypt the token if no encryption was configured?

Could this be caused by missing or misconfigured claims?

Has anyone else encountered this?

Thanks in advance for any suggestions or insights

Eyal

@Benoit_C 


Accepted Solutions
eyalnir_qlik
Partner - Creator II
Author

After a lot of digging, we found the root cause in a customer's environment:

There was a duplicate Identity Provider (IdP) configured in the Qlik Cloud tenant.
Although only one was actively in use (Azure AD), the existence of another IdP caused Qlik to fail during token processing, likely due to domain overlap or internal ambiguity.

Qlik only supports a single IdP per tenant, and silently fails with a misleading error in this case:
"Failed to decrypt ID token"

Once the unused IdP was removed and only the correct one remained, the issue was resolved.

 Suggestion to Qlik: This kind of case would benefit from a clearer error message.
For example:
"Multiple IdPs detected for this Qlik Cloud tenant. Please ensure only one is active."
…would make the issue easier to identify and resolve.


5 Replies
Bjorn_Wedbratt
Employee

Hi, AFAIK Qlik Cloud does not support implicit grant flow; instead, try using an authorization code flow in Azure AD (Entra). See if that helps.


Best,

Bjorn

eyalnir_qlik
Partner - Creator II
Author

Thanks for the reply, @Bjorn_Wedbratt 
Just to clarify, we actually started without the implicit grant flow, following both Qlik and Azure documentation, and got the same error: "Failed to decrypt ID token".
Only after that did we try enabling implicit as a workaround, but it made no difference.
Also, we noticed that the enableIdTokenIssuance: true flag does not actually appear in the app manifest.
In any case, we're still getting the same error.

JanJorissen
Support

Hi Eyal

Does the manifest include the following?:
"accessTokenAcceptedVersion": 2

In the issuer URL, did you add v2.0?
<TENANT_ID>/v2.0


In the Azure logs, can you see that sign-in = Success, while Qlik fails with decrypt ID token?
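
The checks raised in this thread (was the ID token actually encrypted, and does it carry the v2.0 issuer and version) can be run against a captured token. The sketch below is an added example, not part of the original thread and not Qlik or Microsoft code; the `login.microsoftonline.com` issuer host, the function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

def b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (for samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def b64url_json(segment):
    """Decode one base64url segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def inspect_id_token(token, tenant_id):
    """Classify a compact token as JWS or JWE and check the v2.0 claims.
    Inspection only: the signature is NOT verified here."""
    parts = token.split(".")
    header = b64url_json(parts[0])
    report = {"segments": len(parts), "alg": header.get("alg"), "findings": []}
    if len(parts) == 5:  # JWE compact form (RFC 7516): payload is ciphertext
        report["form"] = "JWE"
        report["findings"].append("token is encrypted, enc=%s" % header.get("enc"))
        return report
    if len(parts) != 3:  # JWS compact form (RFC 7515) has exactly 3 segments
        report["form"] = "unknown"
        report["findings"].append("not a compact JWS or JWE")
        return report
    report["form"] = "JWS"
    claims = b64url_json(parts[1])
    # Assumed issuer format for the global Azure AD cloud, v2.0 endpoint.
    expected_iss = "https://login.microsoftonline.com/%s/v2.0" % tenant_id
    if claims.get("iss") != expected_iss:
        report["findings"].append("iss=%r, expected %r" % (claims.get("iss"), expected_iss))
    if claims.get("ver") != "2.0":
        report["findings"].append("ver=%r, expected '2.0'" % claims.get("ver"))
    return report

# Constructed sample tokens (placeholder tenant ID, dummy signature/ciphertext).
TENANT = "00000000-0000-0000-0000-000000000000"
JWS_HEADER = b64url({"alg": "RS256", "typ": "JWT"})
SAMPLE_V1 = ".".join([JWS_HEADER, b64url({"iss": "https://sts.windows.net/%s/" % TENANT, "ver": "1.0"}), "sig"])
SAMPLE_V2 = ".".join([JWS_HEADER, b64url({"iss": "https://login.microsoftonline.com/%s/v2.0" % TENANT, "ver": "2.0"}), "sig"])
SAMPLE_JWE = ".".join([b64url({"alg": "RSA-OAEP", "enc": "A256GCM"}), "key", "iv", "ct", "tag"])

if __name__ == "__main__":
    for name, tok in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("jwe", SAMPLE_JWE)]:
        print(name, inspect_id_token(tok, TENANT))
```

A three-segment token with no findings means the IdP issued a plain signed v2.0 token, so a decrypt error on the relying-party side points at tenant configuration rather than at the token itself.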

 

 

eyalnir_qlik
Partner - Creator II
Author

Hi @JanJorissen 

No, it doesn't; see their manifest attached (blurred sensitive details).

Also, will check the logs for == success.

Thanks
