Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE

Qlik Sense SaaS: Authentication fails with error "JWT not active yet, now 1633528469, nbf 1633528479"

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Damien_Villaret
Support
Support

Qlik Sense SaaS: Authentication fails with error "JWT not active yet, now 1633528469, nbf 1633528479"

Last Update:

May 10, 2022 1:43:00 PM

Updated By:

Jamie_Gregory

Created date:

Oct 13, 2021 2:46:55 AM

Authentication or Identity Provider validation fails with error "JWT not active yet, now 1633528469, nbf 1633528479".

Environments:

Qlik Cloud 

 

Resolution:

This is due to a time difference between the identity provider server and Qlik Sense SaaS servers. By default, Qlik Sense only allows a time difference of 5 seconds, if the difference is higher than it will fail.

The best solution is to adjust the time on the Identity Provider server.

 

However there is also a way to adjust the time tolerance using Qlik Sense REST APIs

https://qlik.dev/apis/rest/identity-providers#%23%2Fdefinitions%2FPatchOIDCPayload

 

In the below script "eyJhbGciOiJFUzM4...wxXeVdjA-Q9R1DB6GdO" corresponds to the API key

https://qlik.dev/tutorials/generate-your-first-api-key 

 

1. First of all we need to get the identity provider id using the following API:

$hdrs = @{}
$hdrs.Add("Authorization","Bearer eyJhbGciOiJFUzM4...wxXeVdjA-Q9R1DB6GdO")
$url = "https://test.ap.qlikcloud.com/api/v1/identity-providers"
$resp= Invoke-RestMethod -Uri $url -Method Get -Headers $hdrs
echo $resp.data

 

The response should look like this, search for the Identity Provider you want to change the setting for:

id                : 6044db91fa9a1fbe9620621a
tenantIds         : {qRR15NaHtUsuLaNQllaOjOG0k0p9q1QR}
provider          : azureAD
protocol          : OIDC
interactive       : True
active            : False
options           : @{discoveryUrl=https://login.microsoftonline.com/c21..a497c/v2.0/.well-known/openid-configuration; clientId=0be9...0227; realm=DOMAIN; claimsMapping=; emailVer
                    ifiedAlwaysTrue=True; scope=openid profile email; useClaimsFromIdToken=True}
pendingState      : verified
pendingResult     : @{status=success; idpClaims=; resultantClaims=}
created           : 2021-03-07T13:56:33.036Z
lastUpdated       : 2021-09-03T14:34:57.763Z
clockToleranceSec : 5

id                : 610257f806962a5464be9b72
tenantIds         : {qRR15NaHtUsuLaNQllaOjOG0k0p9q1QR}
provider          : qlik
protocol          : qsefw-local-bearer-token
interactive       : False
active            : True
options           : @{issuer=https://qlik.b5f599a1-a0d1-46d0-970b-ad25ebf021bf; staticKeys=System.Object[]}
created           : 2021-07-29T07:25:44.248Z
lastUpdated       : 2021-07-29T07:25:44.248Z
description       : test1
clockToleranceSec : 5

 

2. Using the id for the Identity Provider obtained in the previous request, we can now change the time tolerance with the following API call:

$body='[{"op":"replace","path":"/clockToleranceSec","value":20}]'

$hdrs = @{}
$hdrs.Add("Authorization","Bearer eyJhbGciOiJFUzM4...wxXeVdjA-Q9R1DB6GdO")
$hdrs.Add("content-type","application/json")
$url = "https://test.ap.qlikcloud.com/api/v1/identity-providers/6044db91fa9a1fbe9620621a"
$resp= Invoke-RestMethod -Uri $url -Method Patch -Headers $hdrs -Body $body

 

Done.

This is also possible to check if this got properly reflected using the API call in step 1.

Qlik Cloud
Thumbnail of Qlik Cloud
Qlik Cloud
Labels (2)
Labels:
728 Views
Was this article helpful? Yes No
Version history
Last update:
‎2022-05-10 01:43 PM
Updated by:
Community Manager