Hi and welcome to Qlik Fix! This video will cover how to enable and test JSON Web Token (JWT) authentication on Qlik Sense.

The first step is to create a new Virtual Proxy, which serves as the authentication component in Qlik Sense. The Virtual Proxy needs a unique Name, Prefix, Session cookie header name, an Engine server to use, and to be linked to one of the available Proxy servers. Under Authentication, pick JWT - commonly read as Jot - for Authentication method.

For the JWT Certificate we will use the Qlik Sense self-signed server certificate in PEM format. It can be found under this location. Keep in mind that any certificate for which the Private Key is used to generate the JSON Web Token (JWT) can be used here. The server certificate private key is also found here and will be used to generate the token. Next, open the PEM formatted server certificate with a text editor and paste the content in the Virtual Proxy configuration. We also need to configure the JWT attributes for user ID and for user directory, which will need to match the ones we configure when generating the token.

Save the settings. Now, for generating the token, we can leverage the commonly used site jwt.io as an example. We will select the algorithm RS256, then add the userID and userDirectory attributes previously configured in the Virtual Proxy. Make sure to set the values for these attributes to an intended licensed user that will be authorized access, then open the PEM formatted private key file and copy the content to the appropriate field on the website. Notice how the JWT is generated when the Private Key in PEM format is added. To validate the signature, we can add the PEM formatted server certificate in the appropriate field. This confirms that the server cert configured in the Virtual Proxy should be able to validate the JWT signature as long as it is not an encrypted token and the algorithm used is either RS256, RS384, or RS512.
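The generate-and-validate step above can also be done locally, without pasting the private key into a website. The following is an added example, not part of the video or Qlik's own code: it signs an RS256 token with Node's built-in crypto module and then applies the checks the walkthrough names (signed rather than encrypted, algorithm RS256, RS384 or RS512, both attributes present). The function names `signJwt` and `checkJwt`, the throwaway key pair and the sample user values are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in key pair. For a real test, load the PEM private key and the
// PEM certificate pasted into the Virtual Proxy instead (crypto.createPrivateKey /
// crypto.createPublicKey; the latter accepts a PEM certificate).
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (input) => Buffer.from(input).toString('base64url');
const parsePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Build header.payload and sign it with RSASSA-PKCS1-v1_5 over SHA-256 (RS256).
function signJwt(claims, key) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), key);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Algorithms the walkthrough lists as acceptable, mapped to their digest.
const HASH_FOR_ALG = new Map([['RS256', 'sha256'], ['RS384', 'sha384'], ['RS512', 'sha512']]);

// Pre-flight check of a token against the key and the two configured attribute names.
function checkJwt(token, key, userIdAttr, userDirAttr) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { ok: false, reason: 'not a signed compact JWT (an encrypted token has 5 parts)' };
  }
  let header, claims;
  try {
    header = parsePart(parts[0]);
    claims = parsePart(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed header or payload' };
  }
  const hash = HASH_FOR_ALG.get(header?.alg);
  if (!hash) return { ok: false, reason: `unsupported alg: ${header?.alg}` };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify(hash, signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  for (const attr of [userIdAttr, userDirAttr]) {
    if (typeof claims?.[attr] !== 'string' || claims[attr] === '') {
      return { ok: false, reason: `missing attribute: ${attr}` };
    }
  }
  return { ok: true, claims };
}

// Constructed sample user; the attribute names must match the Virtual Proxy settings.
const demoToken = signJwt({ userID: 'jdoe', userDirectory: 'EXAMPLE' }, privateKey);
console.log(checkJwt(demoToken, publicKey, 'userID', 'userDirectory'));
```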
Now for testing we need to use the token when accessing the Hub or QMC. In this example we will use the Fiddler Classic version, as it is a widely used tool. It will allow us to inject the needed Security header and then inspect the request Headers. First, ensure HTTPS decryption is enabled. Then configure the Authorization header under the Filters tab as seen here. The JWT token is pasted after the word Bearer as shown here. Start the Capture, and now when accessing the QMC or Hub using the configured Virtual Proxy prefix in the URL, the licensed user referenced in the token should be allowed access. We can see in the Inspection tab where the header was injected and sent to the Qlik Sense server with the token. Under the Auth tab the JWT as content of the Authorization Header should be displayed.

The same can be performed with the Fiddler Everywhere version after enabling HTTPS traffic decryption and adding the authorization header in a similar fashion. Another and perhaps simpler alternative for testing is to use a Google Chrome extension such as Modheader, which also injects the authorization header.

If you’d like more information, take advantage of the expertise of peers, product experts, and technical support engineers by asking a question in a Qlik Product Forum on Qlik Community. Or search for answers using the new SearchUnify tool. It searches across our Knowledge Base, Qlik Help, Qlik Community, Qlik YouTube channels and more, all from one place. Also check out the Support Programs space. Here you can learn directly from Qlik experts via a Support webinar, like Techspert Thursdays. And don’t forget to subscribe to the Support Updates Blog. Thanks for watching. Nailed it!
Attached is a downloadable .mp4 video file for those who cannot view YouTube videos.