Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
michaelleung9447
Partner - Contributor
Partner - Contributor

Seemingly unstable JWT Authentication for Qlik SaaS Mashup

Hi All,

Recently I started to develop a POC with JWT authentication in one of my client's Qlik SaaS instance and attempted to develop a mashup without need for human interaction.

I have followed up the documentation on how to set the JWT up in developer pages Create Signed Tokens for JWT Authorization | Qlik Developer Portal and Implement JWT Authorization | Qlik Developer Portal, set up a local development node.js server for making the calls, adopted the provided JWT signing script to use the details of our client, and also configured a JWT identity provider to my node.js development server local IP address as issuer (with https enabled), with the web content policy set up for white listing it.

Everything seems to go well, and the JWT could authenticates successfully, well, most of the time:

Sucess.png

On some other occasions though, the authentication would return 401 unauthorize as a response code, with the exact same script and the exact development server instance:

Fail.png

I have therefore implemented a retry mechanism in the script to retry it at least 10 times with newly generated tokens until it returns a 200 code and successfully authenticated. Now it seems to work almost most of the time.

Still, I have no idea why the authentication would sometimes work and sometimes fail, since virtually nothing is different between a successful authentication and a failed one except that I open a new browser with incognito mode. Did anyone encounter similar issue and if so, how did you resolve it with a more efficient and robust way that is not retrying it for 10 times?

I have also attached the JavaScript script I used with all the details clear for reference. The node.js development server is the out of box setting utilizing  parcel with configuration as "scripts": { "start": "parcel --host 127.0.0.1 Page1.html --https" }. The Open SSL version is Win64OpenSSL-1_1_1q. Private key and public key generation are all the same with the tutorial.

Thanks,

Michael

Labels (3)
1 Solution

Accepted Solutions
hliang
Partner - Contributor II
Partner - Contributor II

To anyone who was pulling their hair like me in the last couple of months, check you iat during token signing, which would be set automatically to current time by default in the jsonwebtoken signing module...

Apparently due to some weird unknown reason (likely has something to do with the node.js setting etc), in my setup, the time set in the iat could sometimes be in the future (e.g., 1 min in the future), and as a result the notBefore setting, which would take iat time as its base, could sometimes be in the future as well, causing the JWT to not be valid at the time the token was generated and used...

After I forced the iat to always be at least 1 min in the past from current time, the authentication works 100% of the time as far as I can observe for now...

View solution in original post

4 Replies
Eugene_Sleator
Support
Support

Hi @michaelleung9447  does your JWT contain the required  jti and nbf attributes? 

Refer to this article;

Update-to-JWT-Authorization-for-Qlik-Sense-Cloud 

hliang
Partner - Contributor II
Partner - Contributor II

Hi Eugene,

Yes I did, the jti is set to be uuidv4().toString() and nbf is set to be 0s. And now sometimes it could not connect even after retrying for 20 times, which is very bizarre...

michaelleung9447
Partner - Contributor
Partner - Contributor
Author

Apologies, that was my other account, yes I did, the jti is set to be uuidv4().toString() and nbf is set to be 0s. And now sometimes it could not connect even after retrying for 20 times, which is very bizarre...

hliang
Partner - Contributor II
Partner - Contributor II

To anyone who was pulling their hair like me in the last couple of months, check you iat during token signing, which would be set automatically to current time by default in the jsonwebtoken signing module...

Apparently due to some weird unknown reason (likely has something to do with the node.js setting etc), in my setup, the time set in the iat could sometimes be in the future (e.g., 1 min in the future), and as a result the notBefore setting, which would take iat time as its base, could sometimes be in the future as well, causing the JWT to not be valid at the time the token was generated and used...

After I forced the iat to always be at least 1 min in the past from current time, the authentication works 100% of the time as far as I can observe for now...