Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!

Qlik Cloud: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Damien_V
Support
Support

Qlik Cloud: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app

Last Update:

Jun 3, 2022 6:20:33 AM

Updated By:

Sonja_Bauernfeind

Created date:

Nov 29, 2021 8:30:23 AM

The following error shows up when trying to log in to Qlik Cloud:

{"errors":[{"title":"Authentication failed. Error received from identity provider","code":"LOGIN-3","status":"401","meta":{"error":"invalid_client","errorDescription":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentialsTrace ID: b89a04dc-0194-4b25-8f7c-637b154d3a01Correlation ID: dc36f88e-cdb6-4a07-8cfb-fab698c44c14Timestamp: 2021-11-29 10:05:12Z"}}],"traceId":"000000000000000038d7a79b3417f205"}

 

 

Resolution

 

This is because the secret in Azure has expired. Please follow the below steps:

  1. Log in to the Azure portal, go to "App registrations", select the app you have created before to perform authentication against Qlik Cloud, "Certificates & Secrets" "Generate new secret" then copy this new secret.
  2. Log in to Qlik Sense SaaS using the recovery link https://yourtenant.eu.qlikcloud.com/login/recover, log in with the Service Account Owner (SAO)'s Qlik ID account. Go to the console > Identity Provider, edit the Azure identity provider and input your new secret and save. Validate the configuration.

 

Related Content:

Qlik Cloud user forgets to copy Recovery Link 
Qlik Cloud: Unable to access the recovery link  

Labels (1)
Comments
_Anders_
Partner - Contributor
Partner - Contributor

Is there a way to rotate this key by automations or some other means? Or du you manually need to create a new key in azure every time? 

AlexOmetis
Partner Ambassador
Partner Ambassador

I've often wondered the same... but if Qlik Cloud was given permission to rotate keys in Azure, wouldn't it  compromise the security of the key issuance process? I'd be interested to see some opinions on this and experience of ways this is handled with other systems.

It'd be good if Qlik could at least spot when the key is due to expire, but I'm not sure this is passed in any of the responses it processes from Azure. If that is possible, showing a warning for the month leading up to expiry to any admins would be a big step forward!

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @_Anders_ and @AlexOmetis This is great feedback!

I'd like to invite you to post this as an idea in our ideas section so we can highlight it to our product teams. 

Feel free to ping me the link afterwards, as I'd like to give this one a vote.

All the best,
Sonja 

Alastair_Ometis
Partner - Contributor III
Partner - Contributor III

@_Anders_  As I understand it, it is best practice to build something that will alert to secret expiry (Microsoft have 3 different examples on how to do this Azure App registration Client secret expiration - Microsoft Q&A).

This is the most practical solution as there will likely be multiple applications which require secrets configured in Azure to integrate with Microsfot Entra as the IdP.

Building a bespoke solution for each application would likely be a huge overhead.

That being said. If you were to build something on the Azure side to check for and reissue a secret as needed, Application Automations could be used to retrieve the secret and update the idp configuration with it, this automation could also be trigger by a webhook for an even more tightly integrated solution.

All of these things are possible but considering it takes a human only a few minutes to complete the entire process from generating the key in Azure to updating the configuration in Qlik Cloud, and that this is only likely to be needed every 6 months, it does feel a little like an invention by Heath Robinson. 

@AlexOmetis  As I understand it Qlik Cloud has no awareness of the expiry of the secret, it is after all a random string and not a JWT, I don't believe there is anything in the token about this either so aside from providing a box to capture the expiry date as part of the config, explicitly to allow for alerting, there is not much they can do.

 

 

 

 

 

 

Version history
Last update:
‎2022-06-03 06:20 AM
Updated by: