May 10, 2022 1:43:00 PM
Oct 13, 2021 2:46:55 AM
Authentication or Identity Provider validation fails with error "JWT not active yet, now 1633528469, nbf 1633528479".
Environments:
This is due to a time difference between the identity provider server and the Qlik Sense SaaS servers. By default, Qlik Sense only allows a time difference of 5 seconds; if the difference is larger than that, validation fails.
The best solution is to adjust the time on the Identity Provider server.
However, there is also a way to adjust the time tolerance using the Qlik Sense REST APIs:
https://qlik.dev/apis/rest/identity-providers#%23%2Fdefinitions%2FPatchOIDCPayload
In the scripts below, "eyJhbGciOiJFUzM4...wxXeVdjA-Q9R1DB6GdO" corresponds to the API key:
https://qlik.dev/tutorials/generate-your-first-api-key
1. First, get the identity provider ID using the following API call:
$hdrs = @{}
$hdrs.Add("Authorization","Bearer eyJhbGciOiJFUzM4...wxXeVdjA-Q9R1DB6GdO")
$url = "https://test.ap.qlikcloud.com/api/v1/identity-providers"
$resp= Invoke-RestMethod -Uri $url -Method Get -Headers $hdrs
echo $resp.data
The response should look like this. Find the Identity Provider whose setting you want to change:
id : 6044db91fa9a1fbe9620621a
tenantIds : {qRR15NaHtUsuLaNQllaOjOG0k0p9q1QR}
provider : azureAD
protocol : OIDC
interactive : True
active : False
options : @{discoveryUrl=https://login.microsoftonline.com/c21..a497c/v2.0/.well-known/openid-configuration; clientId=0be9...0227; realm=DOMAIN; claimsMapping=; emailVerifiedAlwaysTrue=True; scope=openid profile email; useClaimsFromIdToken=True}
pendingState : verified
pendingResult : @{status=success; idpClaims=; resultantClaims=}
created : 2021-03-07T13:56:33.036Z
lastUpdated : 2021-09-03T14:34:57.763Z
clockToleranceSec : 5
id : 610257f806962a5464be9b72
tenantIds : {qRR15NaHtUsuLaNQllaOjOG0k0p9q1QR}
provider : qlik
protocol : qsefw-local-bearer-token
interactive : False
active : True
options : @{issuer=https://qlik.b5f599a1-a0d1-46d0-970b-ad25ebf021bf; staticKeys=System.Object[]}
created : 2021-07-29T07:25:44.248Z
lastUpdated : 2021-07-29T07:25:44.248Z
description : test1
clockToleranceSec : 5
2. Using the id for the Identity Provider obtained in the previous request, we can now change the time tolerance with the following API call:
$body='[{"op":"replace","path":"/clockToleranceSec","value":20}]'
$hdrs = @{}
$hdrs.Add("Authorization","Bearer eyJhbGciOiJFUzM4...wxXeVdjA-Q9R1DB6GdO")
$hdrs.Add("content-type","application/json")
$url = "https://test.ap.qlikcloud.com/api/v1/identity-providers/6044db91fa9a1fbe9620621a"
$resp= Invoke-RestMethod -Uri $url -Method Patch -Headers $hdrs -Body $body
Done.
You can check that the change was applied by repeating the API call from step 1.
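To see why the error occurs and which tolerance would clear it, the following added example (not Qlik code) decodes a token's nbf claim and compares it with the validator's clock taken from the error message. The function names are hypothetical, the token is constructed, and the acceptance rule (nbf minus now must not exceed the tolerance) is an assumption based on standard JWT validation.

```powershell
# Added example (not Qlik code). Function names are hypothetical.
# Assumed rule: a token is accepted when nbf - now <= clockToleranceSec.

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Decode the claims for diagnosis only: the signature is NOT verified here.
function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload[.signature]' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-JwtNotBefore([long]$Nbf, [long]$Now, [int]$ToleranceSec) {
    $skew = $Nbf - $Now   # positive: the issuer's clock is ahead of the validator's
    [pscustomobject]@{
        SkewSec      = $skew
        ToleranceSec = $ToleranceSec
        Accepted     = ($skew -le $ToleranceSec)
    }
}

# Constructed token carrying the nbf value from the error message on this page.
$json    = '{"sub":"constructed-user","nbf":1633528479}'
$payload = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$token   = "e30.$payload.constructed-signature"

# The validator's clock ("now") is taken from the same error message.
$err = 'JWT not active yet, now 1633528469, nbf 1633528479'
if ($err -notmatch 'now (\d+), nbf (\d+)') { throw 'Unexpected error format' }
$now = [long]$Matches[1]
$nbf = [long](Get-JwtClaims $token).nbf

# Compare the default tolerance with the value set in step 2.
foreach ($tol in 5, 20) {
    Test-JwtNotBefore -Nbf $nbf -Now $now -ToleranceSec $tol
}
```

With the values from the error message the skew is 10 seconds, so the default tolerance of 5 rejects the token and the value of 20 set in step 2 accepts it.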