1emerson
Partner - Contributor II

Qlik Sense SaaS - Generating an api-key in an authenticated mashup

Is it possible to generate an api-key for my user from within an authenticated mashup?

 

I have a mashup that has been authenticated successfully according to the instructions here. 

Single Sign On

The mashup is able to make subsequent calls to query the api-keys endpoint in order to determine whether the current user has an api-key. Therefore I am certain I have configured and connected to my tenant from within the mashup. 

The sticky point is when the code attempts to create a new api-key 

 

 

        fetch("https://" + config.host + "/api/v1/api-keys", {
            method: 'POST',
            mode: 'cors',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json',
                'qlik-web-integration-id': config.webIntegrationId,
                'qlik-csrf-token': csrfToken
            },
            body: JSON.stringify({
                "description": 'my-generated-key',
                "subType": "user",
                "sub": "<my user id>"
            })
        })

 

 

This results in a 403 Forbidden response.

If the user already has a known api-key, then I'm able to generate new ones by passing the Authorization header as described in the REST documentation. However, the use case dictates that the user may not already have a known api-key.

Thanks in advance!

1 Solution

Accepted Solutions
Damien_V
Support

Hello @1emerson 

I have checked internally with our R&D and this is a product limitation.

"Admin" and "Developer" roles are stripped off the request when running in CORS mode and as generating an API key requires the "Developer" role then it's not possible to perform that action in a mashup.

Hope that helps.

If the issue is solved please mark the answer with Accept as Solution.
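The two request shapes this thread contrasts, side by side, as an added example that is not part of the original posts or Qlik's own code. The function names are hypothetical, the `Bearer` scheme for the Authorization header is an assumption, and the endpoint, headers and body fields are the ones shown in the question.

```javascript
// Added example; buildApiKeyRequest, interpretStatus and createApiKey are hypothetical names.
// Endpoint, headers and body fields come from the question; "Bearer" is an assumption.
function buildApiKeyRequest(config, auth, key) {
  const headers = { 'Content-Type': 'application/json' };
  const init = { method: 'POST', headers, body: JSON.stringify(key) };
  if (auth.mode === 'session') {
    // Mashup path: browser cookie session, web integration id and CSRF token.
    init.mode = 'cors';
    init.credentials = 'include';
    headers['qlik-web-integration-id'] = config.webIntegrationId;
    headers['qlik-csrf-token'] = auth.csrfToken;
  } else if (auth.mode === 'apiKey') {
    // REST path: an existing key in the Authorization header. Keep it server-side.
    if (typeof window !== 'undefined') {
      throw new Error('API-key mode must not run in a browser');
    }
    headers['Authorization'] = 'Bearer ' + auth.apiKey;
  } else {
    throw new Error('unknown auth mode: ' + auth.mode);
  }
  return { url: 'https://' + config.host + '/api/v1/api-keys', init };
}

// Map the HTTP status to a cause, so a 403 is not misread as a CSP or entitlement problem.
function interpretStatus(mode, status) {
  if (status >= 200 && status < 300) return 'created';
  if (status === 401) return 'unauthenticated';
  // Per the accepted answer: Developer/Admin roles are stripped in CORS mode.
  if (status === 403 && mode === 'session') return 'role-stripped';
  if (status === 403) return 'forbidden';
  return 'error';
}

// fetchFn is injected so the same code runs in a browser, on a server, or against a stub.
async function createApiKey(fetchFn, config, auth, key) {
  const { url, init } = buildApiKeyRequest(config, auth, key);
  const res = await fetchFn(url, init);
  return { status: res.status, outcome: interpretStatus(auth.mode, res.status) };
}
```

A `role-stripped` outcome means no retry or CSP change in the mashup will help; the call has to be made with an API key from a component that can hold that key outside the browser.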


8 Replies
Akshesh_Patel
Support

Hi,

Try this JS : 

var config = {
    host: 'yourtenant.eu.qlikcloud.com',
    prefix: '/',
    port: 443,
    isSecure: true,
    webIntegrationId: '0pEp-l03lPxDawQxhOSWjKqO_Ckw1WYn'
};

// Redirect to login if the user is not logged in
async function login() {
    function isLoggedIn() {
        return fetch("https://" + config.host + "/api/v1/users/me", {
            method: 'GET',
            mode: 'cors',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json',
                'qlik-web-integration-id': config.webIntegrationId
            }
        }).then(response => {
            return response.status === 200;
        });
    }
    return isLoggedIn().then(loggedIn => {
        if (!loggedIn) {
            // URL-encode the return address so its own query string survives the redirect
            window.location.href = "https://" + config.host + "/login?qlik-web-integration-id=" + config.webIntegrationId + "&returnto=" + encodeURIComponent(location.href);
            throw new Error('not logged in');
        }
    });
}

login().then(() => {
    // Load the Qlik resources from the tenant, passing the web integration id
    require.config({
        baseUrl: (config.isSecure ? "https://" : "http://") + config.host + (config.port ? ":" + config.port : "") + config.prefix + "resources",
        webIntegrationId: config.webIntegrationId
    });

    require(["js/qlik"], function (qlik) {
        // Show Qlik errors in the popup
        qlik.on("error", function (error) {
            $('#popupText').append(error.message + "<br>");
            $('#popup').fadeIn(1000);
        });
        $("#closePopup").click(function () {
            $('#popup').hide();
        });
        // open apps -- inserted here --
        var app = qlik.openApp('8120d03d-3902-4f4e-b0f1-3fee539227ad', config);

        // get objects -- inserted here --
        app.visualization.get('DKnjQAk').then(function (vis) {
            vis.show("QV01");
        });
    });
});

 

Credit full reference link  : https://community.qlik.com/t5/Knowledge/How-to-create-a-mashup-in-Qlik-Sense-Enterprise-on-SaaS/ta-p... 

1emerson
Partner - Contributor II
Author

Thanks for the attention. However, I don't see the example described in your reply invoking the create API key REST endpoint. Create API Key 

 

This looks like it opens an App and pulls some content back to the html page.

 

The crux of my problem is being able to create a new api key from a mashup which has been authenticated to Qlik SaaS

I appreciate the reply,


Dan

Akshesh_Patel
Support

Hi,

Thanks, what I am thinking is that to generate or delete API keys, you must have the role of developer. Does the user have at least a developer role and professional license assigned in SaaS? 

1emerson
Partner - Contributor II
Author

Yes, the user has the role of Developer and is designated as "Professional".

I'm able to create new keys for this user with the REST API (by passing the Authorization header with an existing api key). So I am pretty sure that the entitlements are correct. 

Akshesh_Patel
Support

Did you check in the developer tool and see if any CSPs are blocking the request and try adding that to SaaS?

1emerson
Partner - Contributor II
Author

I guess I'm not connecting the dots with the Content Security Policy recommendation as to how that might help. My mashup is able to invoke other REST API requests. For example, I can successfully describe an existing API key (using the GET /api-keys/{id}) after the mashup is authenticated. Therefore the Content Security Policy is allowing requests, just not the specific create API key request mentioned above.

1emerson
Partner - Contributor II
Author

I sort of suspected as much. The documentation was pretty clear here regarding disallowing operations involving TenantAdmin role within a web integration. It also does state what you wrote about running as a "regular user". 

 

Thanks for confirming that Developer operations are also restricted to using API Keys.

 

Kind Regards,