dselgo_eidex
Partner - Creator III

Session denied because of JTI Replay Attack Error

Hello,

My app connects to Qlik Sense via a virtual proxy that uses JWT to handle user authentication. Normally, I hit the virtual proxy with my JWT containing the user's information and then it returns a session cookie that gets stored with my browser and is used to authenticate all future requests. This works fine usually, but if a user closes out of the browser, the session cookie is deleted and the user has to reconnect via JWT authentication. The issue I have been running into quite often lately is where my requests for authentication are getting denied by the virtual proxy with the following message being logged:

"Jwt authentication attempt treated as a replay as a non unique jti was presented. Request will not be authenticated."

A quick Google search turns up this support article: https://support.qlik.com/articles/000092118. It says that the request is denied when a non-unique JTI is presented within a 5-minute time frame. That is completely understandable, but it also doesn't seem to be the case. I tried connecting with a JWT and was denied a session because of a JTI replay attack error. I then waited 25 minutes and tried again, but I was STILL denied a session because of a JTI replay attack error.

Is there something that I am missing? There doesn't seem to be a way to keep this error from occurring, or to change the time window. Is there a config file I can go to to disable it?

What is weird is that I have gotten this to work before by waiting 5 minutes, but it doesn't work anymore. Does the JWT get put on a permanent blacklist after a certain number of attempts?

0 Replies
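
An added illustration, not part of the original post and not Qlik's code: a model of a `jti` replay check with the 5-minute window quoted from the support article, next to a token issuer that puts a new random `jti` in every token. The HS256 signing, the `sub` claim, the 120-second lifetime and all function and class names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, uuid

WINDOW_SECONDS = 300  # assumption: the 5-minute window quoted in the post

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(user, key, now, jti=None):
    """Sign a JWT; a new random jti is generated unless one is forced."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "iat": int(now), "exp": int(now) + 120,
              "jti": jti or str(uuid.uuid4())}
    signing_input = b64(json.dumps(header).encode()) + "." + b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64(sig)

def jti_of(token):
    """Read the jti without verifying, to compare tokens while debugging."""
    return json.loads(unb64(token.split(".")[1])).get("jti")

class ReplayGuard:
    """Hypothetical verifier that rejects a jti seen within WINDOW_SECONDS."""
    def __init__(self, key):
        self.key = key
        self.seen = {}  # jti -> time it was first accepted

    def authenticate(self, token, now):
        head, body, sig = token.split(".")
        expected = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return "bad-signature"
        claims = json.loads(unb64(body))
        if claims["exp"] < now:
            return "expired"
        jti = claims.get("jti")
        if jti is None:
            return "missing-jti"
        # Forget identifiers older than the window before checking for reuse.
        self.seen = {j: t for j, t in self.seen.items() if now - t < WINDOW_SECONDS}
        if jti in self.seen:
            return "replay"
        self.seen[jti] = now
        return "ok"
```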