oauth token exchange dose not going well

sasaki507 · ‎2023-05-23

I get an access token for oauth using the client secret on the server side and request to exchange it with a websocket access token for use with enigma.js, but I get an authorization error.

Is there something wrong with the program or recognition?

code

  const oauthQlik = new Qlik({
    authType: AuthType.OAuth2,
    host: process.env.TENANT_HOST,
    clientId: process.env.OAUTH_CLIENT_ID,
    clientSecret: [CLIENT_SECRET],
  });
  const authProps = await oauthQlik.auth.authorize();
  console.log(authProps);

  const res = await (
    await oauthQlik.rest('/oauth/token', {
      method: 'POST',
      body: JSON.stringify({
        subject_token: authProps.access_token,
        subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
        grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
        purpose: 'websocket',
        client_id: process.env.OAUTH_CLIENT_ID,
      }),
    })
  ).json();
  console.log(res);

  return res.access_token;

error

{
    "errorType": "AuthorizationError",
    "errorMessage": "Failed to authorize using OAuth",
    "error": "Failed to authorize using OAuth",
    "statusText": "Unauthorized",
    "status": 401,
    "errors": [
        {
            "title": "Unauthorized",
            "detail": "Cannot perform exchange with given Oauth configuration.",
            "code": "OAUTH-5",
            "status": "401"
        }
    ],
    "traceId": "00000000000000007b3eae16dc8dd270",
    "name": "AuthorizationError",
    "stack": [
        "AuthorizationError: Failed to authorize using OAuth",
        "    at Qlik.RestClient.restClientInstance [as rest] (/var/task/node_modules/@qlik/sdk/dist/cjs/auth/restClient.js:137:17)",
        "    at processTicksAndRejections (internal/process/task_queues.js:95:5)",
        "    at async module.exports (/var/task/resolvers/query/getQlikAuthToken/index.js:26:5)",
        "    at async Runtime.exports.handler (/var/task/index.js:32:14)"
    ]
}

nodejs16 (AWS Lambda)
"@qlik/sdk": "^0.21.1"
"node-fetch": "^2.6.11"

alex_colombo · ‎2023-05-24

Hi @sasaki507 could you please try with this approach? It leverages qlik/sdk auth methods for creating websocket url and use it with enigma.js.

sasaki507 · ‎2023-05-24

Hi @alex_colombo ,

Thanks for the reply. We are building a front-end app in SPA and we don't want to go through the Qlik authentication flow to users logged into our app, so we want to request oauth-token-exchange on the server side to get only the access token.

Is this not possible with oauth's api?

alex_colombo · ‎2023-05-25

So, you want to use a backend service for get access token from Qlik cloud and then use it into your SPA for embedding Qlik visualizations? If so, you should be in this situation right?
About your code, you can use Qlik/sdk or REST APIs. Use both does not make sense for me. If you want to have the access token use REST APis. Here the example on how to use it

Jeffrey_Goldberg · ‎2023-05-25

hi @sasaki507 , I think what you're looking for is not to do an SPA, but a Web PKCE flow that can auth a user without having them authenticate to Qlik Cloud. This is something we're investigating. It involves enabling a backend OAuth client (the web application) to request tokens on behalf of users that it can pass to the front-end. One of the challenges with this approach is that the user must exist as a user on Qlik Cloud. At some point, at least once, the user has to authenticate to Qlik Cloud. There are other patterns we're looking at to support proxying requests on the backend but it's still early days. I'm interested in reading more about your use case as it can help inform our approach.

sasaki507 · ‎2023-05-25

Yes, I want to get an access token on the server side and use it to connect a websocket session with enigma.js on the front end to embed the visualization.
Looking at the code in the sdk, in the `generateWebsocketUrl` function, after authentication, the exchange to the access token as `purpose: 'websocket'` and passing the access token in the websocket url parameter.
I tried exchanging tokens in the same way, but an error occurred, so I posted the question.

sasaki507 · ‎2023-05-25

Hi @Jeffrey_Goldberg ,

Thanks for the reply.

Our use cases are as follows
We have a SPA web application and we want to share an embedded dashboard within that app without creating a Qlik account for our customers.
We were looking for a way to do that and found a way to pass an access token as a parameter to the websocket url in the qlik/sdk code. I was trying to do the same thing but was getting errors so I thought I was doing something wrong and posted the question.

API

SaaS