akhramovich
Contributor

Unable to authorize using generated JWT token

Hello 

We are trying to use the JWT token to authorize users in our tenant. Unfortunately, we are constantly getting a "No identity-provider is able to complete the exchange" error message. 
 
What we did:
 
1. We created a JWT Identity provider
 
ip.png
 
2. We configured Content Security Policy 
 
scp.png
 
3. We added Web integration
 
wi.png
 
4. We generated a JWT token for the previously created user
 
Payload
 
from datetime import datetime, timedelta, timezone

payload = {
    'sub': 'AbVUmy-qm52KYnW3LLUMVj8XL9b_w_Xw',
    'subType': 'user',
    'name': 'Anton Akhramovich',
    'email': 'anton.akhramovich@leverx.com',
    'email_verified': True,
    'iat': datetime.now(tz=timezone.utc),
    'exp': datetime.now(tz=timezone.utc) + timedelta(hours=6),
    'iss': 'ipivg15a4pg4614.us.qlikcloud.com',
    'aud': 'qlik.api/login/jwt-session',
    'groups': ["Analytics Admin", "Data Admin", "Data Space Creator", "Developer", "Managed Space Creator",
               "Shared Space Creator", "Tenant Admin"],
}

Signing option

options = {
    "keyid": "a9e1e157-b9a1-40da-8926-d2d022ab25eb",
    "issuer": "ipivg15a4pg4614.us.qlikcloud.com",
    "expiresIn": "6h",
    "algorithm": "RS256",
    "audience": "qlik.api/login/jwt-session"
}
 
5. We tried to call the /login/jwt-session API endpoint with this token and web integration ID.
 
Request example:
 
curl --request POST \
  --url 'https://ipivg15a4pg4614.us.qlikcloud.com/login/jwt-session?qlik-web-integration-id=4X19wW0KeJFDF_cSY...' \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtleWlkIjoiNzM4MWVhMzItYTYyYi00MzE1LWE1NTAtNDE5NTA0NjkwMDhlIiwiaXNzdWVyIjoiaXBpdmcxNWE0cGc0NjE0LnVzLnFsaWtjbG91ZC5jb20iLCJleHBpcmVzSW4iOiI2aCIsImFsZ29yaXRobSI6IlJTMjU2IiwiYXVkaWVuY2UiOiJxbGlrLmFwaS9sb2dpbi9qd3Qtc2Vzc2lvbiJ9.eyJzdWIiOiJBYlZVbXktcW01MktZblczTExVTVZqOFhMOWJfd19YdyIsInN1YlR5cGUiOiJ1c2VyIiwibmFtZSI6IkFudG9uIEFraHJhbW92aWNoIiwiZW1haWwiOiJhbnRvbi5ha2hyYW1vdmljaEBsZXZlcnguY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImdyb3VwcyI6WyJBbmFseXRpY3MgQWRtaW4iLCJEYXRhIEFkbWluIiwiRGF0YSBTcGFjZSBDcmVhdG9yIiwiRGV2ZWxvcGVyIiwiTWFuYWdlZCBTcGFjZSBDcmVhdG9yIiwiU2hhcmVkIFNwYWNlIENyZWF0b3IiLCJUZW5hbnQgQWRtaW4iXX0.A_s2kfGijAkigtZ24hNpEj1npN5mtNVYsD36k08Xl3lDAhUXL-cwbVc-w9i_ito8JU0S4GTnb-I6mCUtibgT35LOfu7jIyguzuT-EQIuRsAlxd76Wnv9f4c9VQXhko-RPjXXT8RRENTVPwkkik1XyR57cmDtgcXq4bTIO2qp--nN1Vqczw8GPn8Z8YVqWlxnoPeOCUH8VpeqCm-zVt32YJOiQptSFg9dukuy18qfjtdu6voriepM0Y6TWfyYt8cgIEGXQ5ydNNA14lVzyCQNL1gzx9Y_7FhjRcCIlX4_cGpjhQbEa7GfkqL46SHhTZyXDVFHiNPJ3ZR-Zq6cIRjR5vVPfmsYY87HArZCRc_aE5PvQ7MM3zNLLW9wrzn-u52YQIR2uvwWEXW96NM8H_aPggI3yAK2oMXkEerZ1QMkd-nOKYgfdMql3wRSirEJCGmvIIX8sQKpFnERM7JzkGXH1pcTcbHFoAbldeC4EbTgFeK2pTxHGXN2TH1DFqZfFvPg7wnHpfJs83yZYL3w4AWwxFvZ-OF3yHr8BxZLHjTK2Mu7nSYTamR93QtZmZqrp5rszjNK_RmjgOfJdCNQlk53UJcRRhDnE8OkKLWqUXiWNDWcxP_mZGvexPI51PKpM5z1V4w5J-Wd7ETc0hguy3Cp-Q6GUvMOcTJa2-VSYvQjzsI' \
  --header 'content-type: application/json' \
  --header 'qlik-web-integration-id: 4X19wW0KeJFDF_cSYIsDLoeUPN98kuqG'
 
Response
 
{
  "errors": [
    {
      "title": "Authentication failed",
      "detail": "No identity-provider is able to complete the exchange",
      "code": "LOGIN-1",
      "status": "401"
    }
  ],
  "traceId": "0000000000000000575fdaa5ce50c86f"
}
 
I also attached the python script that is used to generate the JWT token
 
It will be great if you can support us to find out what we are doing wrong. 
Accepted Solutions
Damien_Villaret
Support

Hello @akhramovich 

It looks like your token has the wrong format: some parameters that should be in the payload are in the header, which is incorrect. Please see how my token looks below:

Damien_Villaret_0-1639152164318.png

Also, some parameters have the wrong name (it should be "aud", "iss", "exp" instead of "audience", "issuer", "expiresIn").

Not sure which programming language/library you have used to generate the token; usually node.js would convert those names to the correct parameter names.

If the issue is solved please mark the answer with Accept as Solution.

akhramovich
Contributor
Author

I also tried to do the same by manually generating the JWT token at jwt.io. Here are the parameters that I used:

image001.png

image002.png

But I still get the same error message ("No identity-provider is able to complete the exchange").

muhammadraza
Partner - Creator

Hello @Damien_Villaret ,

Tried to do the same but getting same error. No clue what is going wrong. See attached.

request
-------
https://company.eu.qlikcloud.com/login/jwt-session?qlik-web-integration-id=y8GEs6kcxVdVC9I3I0Aimq4FZ...

Header
------
Authorization Bearer generated_token

Result
------
{"errors":[{"title":"Unauthorized","code":"AUTH-1","status":"401"}],"traceId":"0000000000000000d2fbc7fc488769df"}

jwt.io token generation

Regards,

Raza

muhammadraza
Partner - Creator

I got it. The problem was in the iss. It is not the tenant URL but the issuer FQDN of the certificate.
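
The checks discussed in this thread (option-style names in the header instead of payload claims "iss", "aud", "exp", and an "iss" that must match the issuer set on the identity provider rather than the tenant URL), written as a small stand-alone linter. This is an added example, not code from the posters or from Qlik; `lint_jwt`, the sample tokens and hostnames, and the `kid`/`alg` mappings are assumptions made here, and the signature is not verified.

```python
import base64
import json

# Option-style names from the thread's token -> registered names. iss/aud/exp are
# from the accepted answer; kid/alg (standard JWS header names) are assumed here.
MISNAMED = {"issuer": "iss", "audience": "aud", "expiresIn": "exp",
            "keyid": "kid", "algorithm": "alg"}
PAYLOAD_CLAIMS = ("iss", "aud", "exp")


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def lint_jwt(token, expected_iss=None):
    """Return a list of findings. The signature is not verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    findings = []
    for wrong, right in MISNAMED.items():
        for where, seg in (("header", header), ("payload", payload)):
            if wrong in seg:
                findings.append(f"{where} has '{wrong}'; expected '{right}'")
    for claim in PAYLOAD_CLAIMS:
        if claim in header:
            findings.append(f"'{claim}' is in the header, not the payload")
        if claim not in payload:
            findings.append(f"payload is missing '{claim}'")
    if expected_iss is not None and payload.get("iss") not in (None, expected_iss):
        findings.append("payload 'iss' differs from the issuer set on the identity provider")
    return findings


def _make(header, payload):  # builds an unsigned, constructed sample token
    segs = [base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
            for d in (header, payload)]
    return ".".join(segs + ["constructed-signature"])

# Constructed samples: BAD mirrors the header/payload mix-up described in the thread.
BAD = _make({"alg": "RS256", "keyid": "example-key-id", "issuer": "tenant.example.com",
             "expiresIn": "6h", "audience": "qlik.api/login/jwt-session"},
            {"sub": "example-user", "subType": "user"})
GOOD = _make({"alg": "RS256", "kid": "example-key-id"},
             {"sub": "example-user", "subType": "user", "iss": "idp-issuer.example.com",
              "aud": "qlik.api/login/jwt-session", "exp": 1700000000})
```

Running `lint_jwt` on a token before sending it to /login/jwt-session shows whether the claims landed in the right segment; pass the issuer value configured on the JWT identity provider as `expected_iss` to catch the tenant-URL mistake from the last post.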