Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Woohoo! Qlik Community has won “Best in Class Community” in the 2024
Khoros Kudos awards!
Hello
We are trying to use the JWT token to authorize users in our tenant. Unfortunately, we are constantly getting a "No identity-provider is able to complete the exchange" error message.
What we did:
1. We created a JWT Identity provider
2. We configured Content Security Policy
3. We added Web integration
4. We generated a JWT token for the previously created user
Payload
payload ={
'sub': 'AbVUmy-qm52KYnW3LLUMVj8XL9b_w_Xw',
'subType': 'user',
'name': 'Anton Akhramovich',
'email': 'anton.akhramovich@leverx.com',
'email_verified': True,
'iat': datetime.now(tz=timezone.utc),
'exp': datetime.now(tz=timezone.utc) + timedelta(hours=6),
'iss': 'ipivg15a4pg4614.us.qlikcloud.com',
'aud': 'qlik.api/login/jwt-session',
'groups': ["Analytics Admin", "Data Admin", "Data Space Creator", "Developer", "Managed Space Creator",
"Shared Space Creator", "Tenant Admin"],
}
Signing option
options = {
"keyid": "a9e1e157-b9a1-40da-8926-
"issuer": "ipivg15a4pg4614.us.qlikcloud.
"expiresIn": "6h",
"algorithm": "RS256",
"audience": "qlik.api/login/jwt-session"
}
5. We tried to call /login/jwt-session API end-points with this token and web integration id.
Request example:
curl --request POST \
--url 'https://ipivg15a4pg4614.us.qlikcloud.com/login/jwt- session?qlik-web-integration- id=4X19wW0KeJFDF_ cSY...' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtleWlkIjoiNzM4MWVhMzIt YTYyYi00MzE1LWE1NTAtNDE5NTA0Nj kwMDhlIiwiaXNzdWVyIjoiaXBpdmcx NWE0cGc0NjE0LnVzLnFsaWtjbG91ZC 5jb20iLCJleHBpcmVzSW4iOiI2aCIs ImFsZ29yaXRobSI6IlJTMjU2IiwiYX VkaWVuY2UiOiJxbGlrLmFwaS9sb2dp bi9qd3Qtc2Vzc2lvbiJ9. eyJzdWIiOiJBYlZVbXktcW01MktZbl czTExVTVZqOFhMOWJfd19YdyIsInN1 YlR5cGUiOiJ1c2VyIiwibmFtZSI6Ik FudG9uIEFraHJhbW92aWNoIiwiZW1h aWwiOiJhbnRvbi5ha2hyYW1vdmljaE BsZXZlcnguY29tIiwiZW1haWxfdmVy aWZpZWQiOnRydWUsImdyb3VwcyI6Wy JBbmFseXRpY3MgQWRtaW4iLCJEYXRh IEFkbWluIiwiRGF0YSBTcGFjZSBDcm VhdG9yIiwiRGV2ZWxvcGVyIiwiTWFu YWdlZCBTcGFjZSBDcmVhdG9yIiwiU2 hhcmVkIFNwYWNlIENyZWF0b3IiLCJU ZW5hbnQgQWRtaW4iXX0.A_ s2kfGijAkigtZ24hNpEj1npN5mtNVY sD36k08Xl3lDAhUXL-cwbVc-w9i_ ito8JU0S4GTnb- I6mCUtibgT35LOfu7jIyguzuT- EQIuRsAlxd76Wnv9f4c9VQXhko- RPjXXT8RRENTVPwkkik1XyR57cmDtg cXq4bTIO2qp-- nN1Vqczw8GPn8Z8YVqWlxnoPeOCUH8 VpeqCm- zVt32YJOiQptSFg9dukuy18qfjtdu6 voriepM0Y6TWfyYt8cgIEGXQ5ydNNA 14lVzyCQNL1gzx9Y_7FhjRcCIlX4_ cGpjhQbEa7GfkqL46SHhTZyXDVFHiN PJ3ZR- Zq6cIRjR5vVPfmsYY87HArZCRc_ aE5PvQ7MM3zNLLW9wrzn- u52YQIR2uvwWEXW96NM8H_ aPggI3yAK2oMXkEerZ1QMkd- nOKYgfdMql3wRSirEJCGmvIIX8sQKp FnERM7JzkGXH1pcTcbHFoAbldeC4Eb TgFeK2pTxHGXN2TH1DFqZfFvPg7wnH pfJs83yZYL3w4AWwxFvZ- OF3yHr8BxZLHjTK2Mu7nSYTamR93Qt ZmZqrp5rszjNK_ RmjgOfJdCNQlk53UJcRRhDnE8OkKLW qUXiWNDWcxP_ mZGvexPI51PKpM5z1V4w5J- Wd7ETc0hguy3Cp-Q6GUvMOcTJa2- VSYvQjzsI' \
--header 'content-type: application/json' \
--header 'qlik-web-integration-id: 4X19wW0KeJFDF_cSYIsDLoeUPN98kuqG'
Response
{
"errors": [
{
"title": "Authentication failed",
"detail": "No identity-provider is able to complete the exchange",
"code": "LOGIN-1",
"status": "401"
}
],
"traceId": "0000000000000000575fdaa5ce50c8 6f"
}
I also attached the python script that is used to generate the JWT token
It will be great if you can support us to find out what we are doing wrong.
1 Solution
Accepted Solutions
Hello @akhramovich
It looks your token has the wrong format, some parameters that should be in the payload are in the header, which is incorrect, please see how my token looks below:
Also some parameters have the wrong name (it should be "aud", "iss","exp" instead of "audience","issuer","expiresIn")
Not sure which programming language/library you have used to generate the token, usually node.js would convert those names to the correct parameter names.
I also tried to do the same by manually generating the JWT token at jwt.io. Here are the parameters that I used:
But I still get the same error message ("No identity-provider is able to complete the exchange")
Hello @akhramovich
It looks your token has the wrong format, some parameters that should be in the payload are in the header, which is incorrect, please see how my token looks below:
Also some parameters have the wrong name (it should be "aud", "iss","exp" instead of "audience","issuer","expiresIn")
Not sure which programming language/library you have used to generate the token, usually node.js would convert those names to the correct parameter names.
Hello @Damien_V ,
Tried to do the same but getting same error. No clue what is going wrong. See attached.
request
-------
https://company.eu.qlikcloud.com/login/jwt-session?qlik-web-integration-id=y8GEs6kcxVdVC9I3I0Aimq4FZ...
Header
------
Authorization Bearer generated_token
Result
------
{"errors":[{"title":"Unauthorized","code":"AUTH-1","status":"401"}],"traceId":"0000000000000000d2fbc7fc488769df"}
Regards,
Raza
