
Qlik Fix: How to Enable and Test JWT Authentication on Qlik Sense

Andre_Sostizzo
Digital Support

Last Update: Jan 29, 2021 10:15:56 AM

Updated By: Andre_Sostizzo

Created date: Jan 29, 2021 10:15:56 AM


This video is part of the Qlik Fix Video series. If you found this video useful, check out the other Qlik Fix Videos.

This video will cover how to enable and test JSON Web Token (JWT) authentication on Qlik Sense.

Here is a link to more information in the Support Knowledge Base:

Qlik Sense: How to set up JWT authentication 

Video Transcript:

Hi and welcome to Qlik Fix!
This video will cover how to enable and test JSON Web Token (JWT) authentication on Qlik Sense.
The first step is to create a new Virtual Proxy which serves as the authentication component in Qlik Sense.
The Virtual Proxy needs a unique Name, Prefix, Session cookie header name, an Engine server to use, and to be linked to one of the available Proxy servers.
Under Authentication, pick JWT - commonly read as Jot - for Authentication method.
For the JWT Certificate we will use the Qlik Sense self-signed server certificate in PEM format. It can be found under this location.
Keep in mind that any certificate whose Private Key is used to generate the JSON Web Token (JWT) can be used here.
The server certificate private key is also found here and will be used to generate the token.
Next, open the PEM formatted server certificate with a text editor and paste the content in the Virtual Proxy configuration.
We also need to configure the JWT attributes for user ID and for user directory, which will need to match the ones we configure when generating the token.
Save the settings. To generate the token, we can use the commonly used site jwt.io, as an example.
We will select the algorithm RS256, then add the userID and userDirectory attributes previously configured in the Virtual Proxy.
Make sure to set the values for these attributes to an intended licensed user that will be authorized access, then open the PEM formatted private key file and copy the content to the appropriate field on the website.
Notice how the JWT is generated when the Private Key in PEM format is added.
To validate the signature, we can add the PEM formatted server certificate in the appropriate field.
This confirms that the server cert configured in the Virtual Proxy should be able to validate the JWT signature as long as it is not an encrypted token and the algorithm used is either RS256, RS384, or RS512.
Now for testing we need to use the token when accessing the Hub or QMC.
In this example we will use the Fiddler Classic version, as it is a widely used tool.
It will allow us to inject the needed Security header and then inspect the request Headers.
First, ensure HTTPS decryption is enabled.
Then configure the Authorization header under the Filters tab as seen here. The JWT token is pasted after the word Bearer as shown here.
Start the Capture, and now when accessing the QMC or Hub using the configured Virtual Proxy prefix in the URL, the licensed user referenced in the token should be allowed access.
We can see in the Inspection tab where the header was injected and sent to the Qlik Sense server with the token.
Under the Auth tab the JWT as content of the Authorization Header should be displayed.
The same can be performed with the Fiddler Everywhere version after enabling HTTPS traffic decryption and adding the authorization header in a similar fashion.
Another and perhaps simpler alternative for testing is to use a Google Chrome extension such as ModHeader, which also injects the authorization header.
If you’d like more information, take advantage of the expertise of peers, product experts, and technical support engineers by asking a question in a Qlik Product Forum on Qlik Community.
Or search for answers using the new SearchUnify tool.
It searches across our Knowledge Base, Qlik Help, Qlik Community, Qlik YouTube channels and more, all from one place.
Also check out the Support Programs space.
Here you can learn directly from Qlik experts via a Support webinar, like Techspert Thursdays.
And don’t forget to subscribe to the Support Updates Blog.
Thanks for watching.
Nailed it!

Attached is a downloadable .mp4 video file for those who cannot view YouTube videos.
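
The token generation and signature check from the walkthrough can also be done locally with OpenSSL, so the server private key is never pasted into a website. This is an added example, not Qlik's own code: the claim names `userId` and `userDirectory`, the function names and the file paths are assumptions, and the claim names must equal the attributes configured in the Virtual Proxy.

```shell
#!/bin/sh
# Added example: local RS256 JWT creation/verification with OpenSSL.
# Claim names (userId, userDirectory) and all function names are assumptions;
# the claim names must equal the attributes configured in the Virtual Proxy.

# base64url-encode stdin, without padding (JWT compact serialization)
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# decode one base64url string ($1) to stdout, restoring the padding first
b64url_dec() {
  _b=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#_b} % 4 )) -ne 0 ]; do _b="${_b}="; done
  printf '%s\n' "$_b" | openssl base64 -d -A
}

# make_jwt KEY_PEM USER_ID USER_DIRECTORY -> signed token on stdout
# (values are inserted as-is, so they must not contain quotes or backslashes)
make_jwt() {
  _h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  _p=$(printf '{"userId":"%s","userDirectory":"%s"}' "$2" "$3" | b64url)
  _sig=$(printf '%s' "$_h.$_p" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s\n' "$_h" "$_p" "$_sig"
}

# verify_jwt CERT_PEM TOKEN -> exit status 0 only if the header says RS256 and
# the signature validates against the certificate's public key
verify_jwt() {
  _h=${2%%.*}; _r=${2#*.}; _p=${_r%%.*}; _sig=${_r#*.}
  case $(b64url_dec "$_h") in *'"alg":"RS256"'*) ;; *) return 1 ;; esac
  _t=$(mktemp -d) || return 1
  _rc=0
  openssl x509 -in "$1" -pubkey -noout > "$_t/pub.pem" 2>/dev/null &&
    b64url_dec "$_sig" > "$_t/sig.bin" &&
    printf '%s' "$_h.$_p" |
      openssl dgst -sha256 -verify "$_t/pub.pem" -signature "$_t/sig.bin" >/dev/null 2>&1 ||
    _rc=1
  rm -rf "$_t"
  return $_rc
}

# Usage (placeholder paths and user, not values from the video):
#   tok=$(make_jwt /path/to/server_key.pem jdoe EXAMPLE)
#   verify_jwt /path/to/server.pem "$tok" && echo "signature OK"
```

To repeat the header-injection test without a proxy tool, send the token as `Authorization: Bearer <token>` to the Hub or QMC URL under the Virtual Proxy prefix, for example with `curl -H`.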

Comments
cjcunningham
Contributor III

@Andre_Sostizzo We've been able to implement JWT authorization to allow access to Qlik via an i-frame from a web application. Unfortunately, if the user's session expires from inactivity and they attempt to log back in, the browser receives a 401 Could not authenticate the request: Expected an authentication header error.

Do you have any insight into what would be causing this?

Damien_Villaret
Support

@cjcunningham 

This is expected. This happens because when the session times out, the session cookie is destroyed, so you would need to pass a new JWT token again in order to get back in.

Unfortunately, there is not an easy way to do that with a virtual proxy set up with JWT authentication.

A possible solution would be to set up a reverse proxy that catches the logout URL and redirects to your own authentication page, which will authenticate the user and create the JWT token for him.
