
Qlik Sense OIDC: How to check user information from the userinfo endpoint manually

Damien_Villaret
Last Update:

May 10, 2022 1:34:28 PM

Updated By:

Jamie_Gregory

Created date:

Feb 4, 2022 5:28:44 AM

This article explains how to request an access token manually from your Identity Provider's token endpoint and then verify the user information returned by its /userinfo endpoint, so that you can see exactly which claims Qlik Sense would receive.

Environments:

Qlik Cloud (Except for "ADFS" and "Azure" Identity provider types - see here instead)

First of all, for testing purposes, add the URL "https://test/login/callback" used in this script to the allowed redirect URIs of your Identity Provider (IdP). The host "test" is deliberately one that does not resolve: the browser will show an error page after login, but the authorization code is still visible in the address bar. This lets you perform the token request yourself and inspect the userinfo content instead of having the response processed automatically by Qlik Sense.

  1. Run the PowerShell script below to build your authorization URL. Update authorization_endpoint, client_id and scope to match your IdP; the endpoint URLs can be read from its /.well-known/openid-configuration document. redirect_uri must be exactly the URI you registered above. code_challenge must be the S256 value (base64url of the SHA-256 hash) of the code_verifier that you send in step 3; the pair used here is the one shown throughout this article. state and nonce are fixed placeholders because this is a manual check; a real client generates fresh random values for every request.
    # Windows PowerShell 5.1 does not load System.Web by default (PowerShell 7 does; the line is harmless there)
    Add-Type -AssemblyName System.Web
    $authorization_endpoint = 'https://dev-4786010.okta.com/oauth2/v1/authorize'
    $client_id = '3fgfdd23thuymwsiEANFd7'
    $redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")
    $scope = 'openid%20profile%20email'
    # S256 challenge derived from the code_verifier used in step 3
    $code_challenge="7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8"
    
    #Paste this URL in your browser to get back the authorization code
    $authorization_endpoint+'?response_type=code&client_id='+$client_id+'&redirect_uri='+$redirect_uri+'&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope='+$scope+'&code_challenge_method=S256&code_challenge='+$code_challenge
  2. Paste the URL output by the script into your browser and log in to your Identity Provider. The URL should look like this:
    https://dev-4786010.okta.com/oauth2/v1/authorize?response_type=code&client_id=3fgfdd23thuymwsiEANFd7&redirect_uri=https%3A%2F%2Ftest%2Flogin%2Fcallback&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8

    After authentication completes, you are redirected to https://test/login/callback with an authorization code in the URL. The page itself will not load because the host does not exist; that is expected. Copy the authorization code from the address bar for use in the next step.

    Copy the value between code= and the next & sign. (The length of the authorization code varies between IdPs.) Also check that the state parameter in the redirect URL is the one you sent; a different value means the response belongs to another request.

    (Screenshot: the browser address bar showing the https://test/login/callback redirect URL with the code= parameter)

  3. Request the access token from the token_endpoint URL (also found in the /.well-known/openid-configuration document). The code_verifier must be the one that the code_challenge in step 1 was derived from, and redirect_uri must be the same value sent in step 1, otherwise the IdP rejects the exchange.
    Add-Type -AssemblyName System.Web
    $client_id = '3fgfdd23thuymwsiEANFd7'
    $redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")
    $client_secret = '4Z45jlfsjf12l3231ljfsflsjfsdlriueiot3ucxh'
    $token_endpoint = 'https://dev-4786010.okta.com/oauth2/v1/token'
    # PKCE verifier matching the code_challenge sent in step 1
    $code_verifier="_fqY.Xg5srawq24h9_A57tjY-ycqX0PzzIcM7VcwLZRou_Mvqn-_tCTz4ICWcXoCTO8NXlm3b9RfGOjSZEH68a_gWgaLByddN5y52M06~Z8XlO3XMgOJRWK0DefsxcmC"
    
    #Put your authorization code here
    $auth_code = 'mq5iHdLyBSZkpFubWJC2v3hVptrYT2j9VeQ6QpgED_s'
    # Client authentication is HTTP Basic (client_secret_basic): base64(client_id:client_secret)
    $pair = "$($client_id):$($client_secret)"
    $encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
    $basicAuthValue = "Basic $encodedCreds"
    
    $hdrs = @{}
    $hdrs.Add("Authorization",$basicAuthValue)
    $body = 'code='+$auth_code+'&grant_type=authorization_code&redirect_uri='+$redirect_uri+'&code_verifier='+$code_verifier
    
    $response = Invoke-WebRequest -Uri $token_endpoint -Method Post -Body $body -Headers $hdrs -ContentType 'application/x-www-form-urlencoded'
    # The saved file holds a live access token (and id_token): treat it as a secret and delete it when you are done
    echo $response.Content > C:\temp\okta-accesstoken.txt
  4. Copy the value in "access_token" from the request response in order to use it for the next request.
  5. Request the user information from the userinfo_endpoint (also found in the /.well-known/openid-configuration document) by sending the access token as a Bearer token:
    #Fill in userinfo endpoint URL here
    $userinfo_endpoint = 'https://dev-4786010.okta.com/oauth2/v1/userinfo'
    
    #Fill in your access token here (the value of access_token from step 3, prefixed with "Bearer ")
    $accesstoken = "Bearer eyJraWQiOiJoVUIzX1N0WUMtdkh..._oOtPSAHF7qSPITfjd3l9V6JykndcxPlmPg"
    
    $hdrs = @{}
    $hdrs.Add("Authorization",$accesstoken)
    
    $response = Invoke-WebRequest -Uri $userinfo_endpoint -Method Get -Headers $hdrs
    echo $response.Content


    The response is the JSON set of claims the IdP returns for this user. Check whether the claims you expect (those mapped in your Qlik Sense identity provider configuration) are present with the expected values; a claim that is missing or empty here will also be missing when Qlik Sense calls the same endpoint.
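The whole procedure as a single script, added here as an example and not part of the original article. It assumes a generic OpenID Connect provider that publishes a discovery document; the issuer URL, client ID and client secret are placeholders to replace with your own values. Unlike the step-by-step version above it generates the PKCE pair, state and nonce itself, checks state on the way back and nonce in the ID token, and verifies that the sub claim from userinfo matches the ID token's sub, which OpenID Connect Core requires of a client. It does not verify the ID token signature, since the point is to inspect claims by hand, not to act as a relying party.

```powershell
# Added example (not from the Qlik article): manual OIDC authorization code + PKCE flow
# with the checks a client is expected to make. Placeholders below are assumptions.
$issuer       = 'https://idp.example.com'            # assumed: your IdP issuer URL
$clientId     = 'your-client-id'                     # assumed placeholder
$clientSecret = 'your-client-secret'                 # assumed placeholder
$redirectUri  = 'https://test/login/callback'        # must be registered at the IdP

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64UrlToText([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore base64 padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function New-RandomUrlSafeString([int]$ByteCount) {
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-Base64Url $bytes
}

# PKCE (RFC 7636): random verifier, challenge = BASE64URL(SHA256(ASCII(verifier)))
$codeVerifier  = New-RandomUrlSafeString 32
$sha256        = [System.Security.Cryptography.SHA256]::Create()
$codeChallenge = ConvertTo-Base64Url ($sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($codeVerifier)))
# Fresh per-request values; state ties the redirect to this request, nonce ties the ID token to it
$state = New-RandomUrlSafeString 16
$nonce = New-RandomUrlSafeString 16

# Endpoints come from the discovery document instead of being typed by hand
$disco = Invoke-RestMethod -Uri "$issuer/.well-known/openid-configuration"

$query = @{
    response_type = 'code'; client_id = $clientId; redirect_uri = $redirectUri
    scope = 'openid profile email'; state = $state; nonce = $nonce
    code_challenge_method = 'S256'; code_challenge = $codeChallenge
}
$qs = ($query.GetEnumerator() | ForEach-Object { "$($_.Key)=$([Uri]::EscapeDataString($_.Value))" }) -join '&'
$authUrl = "$($disco.authorization_endpoint)?$qs"

Write-Host 'Open this URL in a browser, log in, then paste the full callback URL from the address bar'
Write-Host '(the https://test/... page will not load; that is expected):'
Write-Host $authUrl
$callback = Read-Host 'Callback URL'

if ($callback -notmatch 'code=([^&#]+)') { throw 'No authorization code in the callback URL' }
$authCode = [Uri]::UnescapeDataString($Matches[1])
if ($callback -notmatch 'state=([^&#]+)' -or $Matches[1] -ne $state) {
    throw 'state mismatch: this redirect does not belong to the request we sent'
}

# Token request, client authenticated with client_secret_basic
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($clientId):$($clientSecret)"))
$token = Invoke-RestMethod -Uri $disco.token_endpoint -Method Post `
    -ContentType 'application/x-www-form-urlencoded' `
    -Headers @{ Authorization = "Basic $basic" } `
    -Body @{ grant_type = 'authorization_code'; code = $authCode
             redirect_uri = $redirectUri; code_verifier = $codeVerifier }

# Decode the ID token payload (signature deliberately not verified in this manual check)
$idClaims = ConvertFrom-Base64UrlToText ($token.id_token.Split('.')[1]) | ConvertFrom-Json
if ($idClaims.nonce -ne $nonce) { throw 'nonce mismatch: id_token was not issued for this request' }

# userinfo call with the access token as a Bearer token
$userinfo = Invoke-RestMethod -Uri $disco.userinfo_endpoint `
    -Headers @{ Authorization = "Bearer $($token.access_token)" }
if ($userinfo.sub -ne $idClaims.sub) {
    throw "userinfo sub '$($userinfo.sub)' does not match id_token sub '$($idClaims.sub)'"
}

Write-Host 'ID token claims:';  $idClaims | ConvertTo-Json
Write-Host 'userinfo claims:';  $userinfo | ConvertTo-Json
```

Nothing is written to disk, so no token file has to be cleaned up afterwards. The script uses [Uri]::EscapeDataString rather than System.Web so it runs unchanged on Windows PowerShell 5.1 and PowerShell 7, and Invoke-RestMethod form-encodes the hashtable body and parses the JSON responses for you.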