Authenticating to Qlik Cloud fails with:
"errors":[{"title":"State verification failed","detail":"State not valid, missing request forgery protection","code":"STATE-1","status":"401"}],"traceId":"XXXXXXX"}
Resolution
This error is returned when the state parameter sent with the authentication request does not match the value stored in the eas.rfp cookie that was created at the same time.
This is the basic workflow for the authentication process:
- The user accesses the tenant URL (directly, or embedded in an iframe or mashup). Qlik Sense redirects the browser to the Identity Provider and, at the same time, instructs the browser to store a cookie named eas.rfp.XXXX (XXXX is a random string). This cookie is later used to check that the state parameter has not been forged when the Identity Provider sends the user back to Qlik Sense.
- The user enters credentials on the Identity Provider page and is then redirected back to Qlik Sense.
- Qlik Sense checks the state parameter against the eas.rfp.XXXX cookie saved in the browser to confirm it has not been forged. If it cannot find the cookie with the value it initially created, or if the two values do not match, it throws the error above.
Therefore, check the following when you get this error:
- Is the eas.rfp.XXXX cookie actually created in the browser? If not, check the browser settings and make sure cookies are allowed for Qlik Sense. Some browsers block cookies by default when the site is embedded (for example in an iframe).
- Does the state parameter visible in the URL during the redirects keep the same value throughout the whole authentication process? Using the browser devtools with "Preserve log" enabled should help you follow it across the redirects.
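The workflow and checklist above describe a standard request-forgery-protection check: a random value is placed in the state parameter and in a cookie, and the callback is only accepted when the two match. The following Python is an added illustration of that check written for this article; it is not Qlik's code, and the cookie layout (the eas.rfp.XXXX cookie simply holding the same nonce as the state) and the placeholder traceId are assumptions. It reproduces the two failure modes from the checklist: the cookie never arrives (blocked cookies), and the state value changes between redirects.

```python
"""Added example: state-vs-cookie request-forgery check (illustration, not Qlik's code)."""
import hmac
import secrets
from typing import Dict, Optional

# Cookie name prefix from the article; the suffix is random per login attempt.
COOKIE_PREFIX = "eas.rfp."


def start_login() -> dict:
    """Begin the login flow: return the state to put in the redirect URL and the
    cookie the browser is told to store alongside it (assumed layout)."""
    nonce = secrets.token_urlsafe(32)                 # unguessable forgery-protection token
    cookie_name = COOKIE_PREFIX + secrets.token_hex(4)  # eas.rfp.<random suffix>
    return {
        "redirect_state": nonce,          # goes into the URL sent to the Identity Provider
        "set_cookie": {cookie_name: nonce},  # Set-Cookie the browser must keep
    }


def _state_error(trace_id: str = "TRACE-ID-PLACEHOLDER") -> dict:
    # Same shape as the error body quoted at the top of the article; traceId is a placeholder.
    return {
        "errors": [{
            "title": "State verification failed",
            "detail": "State not valid, missing request forgery protection",
            "code": "STATE-1",
            "status": "401",
        }],
        "traceId": trace_id,
    }


def verify_callback(returned_state: Optional[str], cookies: Dict[str, str]) -> Optional[dict]:
    """Check the state the Identity Provider sent back against the eas.rfp.* cookie(s)
    the browser returned. None means the callback is accepted; otherwise the STATE-1
    error body is returned."""
    if not returned_state:
        return _state_error()
    # Several login attempts may be in flight, so accept any eas.rfp.* cookie that matches.
    candidates = [v for k, v in cookies.items() if k.startswith(COOKIE_PREFIX)]
    if not candidates:
        # Cookie was never stored or not sent back: typically cookies blocked in an
        # embedded (iframe) context, which is the first item in the checklist above.
        return _state_error()
    # Constant-time comparison so the check leaks nothing about the expected value.
    if any(hmac.compare_digest(c, returned_state) for c in candidates):
        return None
    # Cookie present but state changed along the way: second checklist item.
    return _state_error()


if __name__ == "__main__":
    login = start_login()
    # Happy path: browser returns the cookie and the Identity Provider echoes the state.
    print("valid callback:", verify_callback(login["redirect_state"], login["set_cookie"]))
    # Cookies blocked: nothing comes back with the callback.
    print("no cookie:", verify_callback(login["redirect_state"], {})["errors"][0]["code"])
    # State altered between redirects.
    print("mismatch:", verify_callback("tampered-state", login["set_cookie"])["errors"][0]["code"])
```

When reproducing the problem in the browser devtools, the two things this code inspects are exactly what to look for: the Set-Cookie for eas.rfp.XXXX on the first redirect, and the state value in the URL staying identical on the way out to the Identity Provider and on the way back.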
Environments:
Qlik Cloud