This article explains how to request a token manually from your Identity Provider's token endpoint and verify that the required attributes are included in the id_token.
Qlik Sense Enterprise on Windows reads the attributes from the id_token and does not use the /userinfo endpoint to fetch them.
Qlik Sense Enterprise on Windows May 2021 and higher
Qlik Cloud (For "ADFS" and "Azure" Identity provider types only)
First, for testing purposes, add the URL "https://test/login/callback" used in this script to the allowed redirect URIs in your Identity Provider (IdP). This lets us request the token manually and check its content instead of having it processed automatically by Qlik Sense.
$authorization_endpoint = 'https://dc1.domain.local/adfs/oauth2/authorize'
$client_id = '592a5672-a360-49da-93a4-20654f42d3c2'
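#System.Web is not loaded by default in Windows PowerShell; load it before calling HttpUtility
Add-Type -AssemblyName System.Web
$redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")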
#For ADFS, use 'openid%20allatclaims%20profile%20email' for the scope
$scope = 'openid%20profile%20email'
$code_challenge="7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8"
#Paste this URL in your browser to get back the authorization code
$authorization_endpoint+'?response_type=code&client_id='+$client_id+'&redirect_uri='+$redirect_uri+'&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope='+$scope+'&code_challenge_method=S256&code_challenge='+$code_challenge
https://dc1.domain.local/adfs/oauth2/authorize?response_type=code&client_id=592a5672-a360-49da-93a4-20654f42d3c2&redirect_uri=https%3a%2f%2ftest%2flogin%2fcallback&state=xyzABC123&scope=openid%20allatclaims%20profile%20email
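The static code_challenge in the script is the S256 transform of the code_verifier that is sent later in the token request. As an added example (not part of the original article), the following generates a fresh pair for each test and recomputes the challenge from a verifier so the two can be compared; the function names are hypothetical.

```powershell
# Added example: PKCE (RFC 7636) verifier/challenge generation and check.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    # base64url: '+' -> '-', '/' -> '_', no '=' padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-CodeChallenge([string]$CodeVerifier) {
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes($CodeVerifier))
    } finally {
        $sha.Dispose()
    }
    ConvertTo-Base64Url $hash
}

function New-PkcePair {
    # 32 random bytes give a 43-character verifier (allowed length is 43 to 128)
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $verifier = ConvertTo-Base64Url $bytes
    [pscustomobject]@{
        CodeVerifier  = $verifier
        CodeChallenge = (Get-CodeChallenge $verifier)
    }
}

# Fresh values to use in place of the static ones in both scripts
$pkce = New-PkcePair
$code_verifier  = $pkce.CodeVerifier
$code_challenge = $pkce.CodeChallenge

# Sanity check before sending: the challenge must be derivable from the verifier
if ((Get-CodeChallenge $code_verifier) -cne $code_challenge) {
    throw 'code_challenge does not match code_verifier'
}
"code_verifier  = $code_verifier"
"code_challenge = $code_challenge"
```

The same Get-CodeChallenge call can be run on any verifier you intend to send, since the IdP rejects the token request when the two values do not correspond.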
$client_id = '592a5672-a360-49da-93a4-20654f42d3c2'
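#Load System.Web here as well if this part is run in a new PowerShell session
Add-Type -AssemblyName System.Web
$redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")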
$client_secret = 'Ssxx92jvm6RE_Plf1NnKgduZujE99nd0vWuujE_L'
$token_endpoint = 'https://dc1.domain.local/adfs/oauth2/token'
$code_verifier="_fqY.Xg5srawq24h9_A57tjY-ycqX0PzzIcM7VcwLZRou_Mvqn-_tCTz4ICWcXoCTO8NXlm3b9RfGOjSZEH68a_gWgaLByddN5y52M06~Z8XlO3XMgOJRWK0DefsxcmC"
#Put your authorization code here
$auth_code = 'mSzqI71WMUGuYcxSTciAcw.kZdiCG6J2QgNAPRcEZ9A51OMW6g.TMrNMhHPBiG3aNbh_4lbUakFzWoU_MFcDQZcL6_wBIaDd_1_DMWz9OZUSvRcE_zR115HwNXdZYUTjHB6mcnK3u5R2EDxsVKthwQwbP184ujVK1c8LmI-QOMb4jEGRTAm49nbtM8MfO4pTO1fICMSU7CLuhVb8KcCefjPOQ5W0JMKLl7XElvhJDLg5n6v1V2m8L2ZaCQVDy6oTiZygIr20j3TpQnpu2Zwk1KzbttOTGqeJgzCoyPJJJcRjnOrD1zPmBEENrz8fuZwdihRIPZufzhj0gEJ18-stWBz7polztBH7y_jKn-mK6WgIqlLSG2AlmcQa9kBANLmfbal7OUFtA'
$pair = "$($client_id):$($client_secret)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$hdrs = @{}
$hdrs.Add("Authorization",$basicAuthValue)
$body = 'code='+$auth_code+'&grant_type=authorization_code&redirect_uri='+$redirect_uri+'&code_verifier='+$code_verifier
$response = Invoke-WebRequest -Uri $token_endpoint -Method Post -Body $body -Headers $hdrs -ContentType 'application/x-www-form-urlencoded'
echo $response.Content
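The token response is JSON, and its id_token is a JWT whose middle segment holds the attributes. As an added example (not part of the original article), the following decodes that segment and reports which attributes are missing; the claim names in $required and the function names are assumptions, and the sample token is constructed so the block runs without an IdP.

```powershell
# Added example: inspect the claims carried in an id_token.
function ConvertFrom-Base64Url([string]$Value) {
    # JWT segments are base64url without padding; restore standard base64 first
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-IdTokenClaims([string]$IdToken) {
    $parts = $IdToken.Split('.')
    if ($parts.Length -ne 3) { throw "Expected 3 JWT segments, got $($parts.Length)" }
    # Decodes the payload for inspection only; the signature is not verified here
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Get-MissingClaims($Claims, [string[]]$Required) {
    # A claim counts as missing when it is absent or empty
    @($Required | Where-Object { [string]::IsNullOrEmpty([string]$Claims.$_) })
}

# Constructed sample token (fake signature) so the block runs offline
function ConvertTo-JwtSegment([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sentNonce = '3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk'   # nonce from the authorize URL
$sampleToken = @(
    (ConvertTo-JwtSegment '{"alg":"RS256","typ":"JWT"}'),
    (ConvertTo-JwtSegment ('{"sub":"jdoe","name":"John Doe","nonce":"' + $sentNonce + '"}')),
    'constructed-signature'
) -join '.'

# With a live response use: ($response.Content | ConvertFrom-Json).id_token
$claims = Get-IdTokenClaims $sampleToken

# Assumed attribute names; replace with the ones your Qlik configuration maps
$required = 'sub', 'name', 'email'
$missing = Get-MissingClaims $claims $required
if ($missing.Count) { "Missing from id_token: $($missing -join ', ')" } else { 'All required claims present' }

# The id_token must echo the nonce that was sent in the authorization request
if ($claims.nonce -cne $sentNonce) { 'nonce mismatch' } else { 'nonce matches' }
```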
Hi @Damien_V
Can you please clarify the importance of this parameter and where we can take this from?
$code_challenge
Because I am having issues like below
Hello @rockabs
The error message relates to redirect_uri. Did you change this line in the script to anything else? You don't need to change the line, but you should add https://test/login/callback in the list of allowed redirect_uri in your Identity Provider configuration.
$redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")
The code_challenge in this article is just a static one that matches base64(SHA256Hash(code_verifier)) value
Good, for Code_challenge. and the script, this is how I have with the same issue
Is the query string you get similar to the one shown in step 2?
https://dc1.domain.local/adfs/oauth2/authorize?response_type=code&client_id=592a5672-a360-49da-93a4-20654f42d3c2&redirect_uri=https%3a%2f%2ftest%2flogin%2fcallback&state=xyzABC123&scope=openid%20allatclaims%20profile%20email
Which Identity Provider do you use? And did you add the redirect_uri to the list of allowed redirect_uri in your Identity Provider configuration?
This is how it is after
https://abc.eu.auth0.com/adfs/oauth2/authorize?response_type=code&client_id=xxx&redirect_uri=&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8
About adding this https://test/login/callback to the list, I will check internally and get back!
I have added the list to IDP, Still, the issue is there. I have a configuration like below, To know these diagnostics/token attributes I was looking for this solution to apply.
You don't have any redirect_uri in the URL you've sent.
https://abc.eu.auth0.com/adfs/oauth2/authorize?response_type=code&client_id=xxx&redirect_uri=&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8
There should be "https%3A%2F%2Ftest%2Flogin%2Fcallback" just after &redirect_uri=
https://abc.eu.auth0.com/adfs/oauth2/authorize?response_type=code&client_id=xxx&redirect_uri=https%3A%2F%2Ftest%2Flogin%2Fcallback&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8
I managed with another way account where that works. Now I am here 🙂
https://abc-icow-test.eu.auth0.com/authorize?response_type=code&client_id=xxx&redirect_uri=https%3A%...
7aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8
It's normal that https://test/login/callback doesn't open, it's just a dummy URL, however you should now have a code in the URL that you can copy and use in step 3 to get the token.
We are close now, I see the URL is like this. and I have taken the bold part to this parameter "$auth_code".
https://test/login/callback?code=vT1neefRlijhMOjIrWdVJkL-E7Nv4xHrRyKuJwvAE6SP7&state=xyzABC123#
Now, I got the error below one?
Unable to find type [System.Web.HTTPUtility].
At C:\Users\ansam3\Documents\Untitled1.ps1:2 char:17
+ $redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/log ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Web.HTTPUtility:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
Invoke-WebRequest : Not found.
At C:\Users\ansam3\Documents\Untitled1.ps1:17 char:13
+ $response = Invoke-WebRequest -Uri $token_endpoint -Method Post -Body ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand