Qlik Community

Qlik Sense Integration, Extensions, & APIs

JWT Authentication with Okta bearer token

Hi All,

I'm working on a project that integrates an Angular SPA with an MSSQL db back-end and Qlik Sense (Nov 19). I'm using Okta for my IDP and have it set up as follows:

Okta sign-in widget on the SPA login page. The user logs in and, following this, my SPA communicates with my db APIs by sending a JWT Authorization bearer token that was generated by Okta on login. I've set up my db to validate the incoming token to provide access and set the db user. This validation is done remotely via Okta's provided method, and this is all working great.

My challenge is to now integrate Qlik with this ecosystem, and I believe that I should be able to set up a JWT virtual proxy to receive the same token that Okta generated. Okta does not provide a public key certificate in PEM format for me to use in setting up the virtual proxy, but they do provide a JWKS that looks like the following example:

{
  "keys": [
    {
      "kty": "RSA",
      "alg": "RS256",
      "kid": "nxbkkwOi08tlMmhhQSbKEBkEcd3IhlhfRTzwHOXl1xc",
      "use": "sig",
      "e": "AQAB",
      "n": "wCIBXVwe9nalkjTb4l2vfp5mDowaL2YoqIr71P0WxDpTIIRuITx7NqNijpOkQ_795YkWMZt8Z9LRRnyf-VA3EE2l9p64sqoCsAG_AJ07YFaPoohkxSq8tJ8nJ01XGco-OuTs3uviSMcZ0eQHC7RdaG7ARe-IglfBkKUfzLHuElO3kH3VanG7_Ageb1hl1DWhiHlqtCCaq9XZVeMbfpcLkU_doE9QThxEN9pZjff83X47qxSwNe9LPWurD-xQ5C0QonSO-VIdpGobEVKHlqu6AYX0H7VEk3H4SNjAr04EagHy6EGktBAMc081SPpMWWUeQuGrmqDPGECed_wBLkUMRQ"
    }
  ]
}

I can convert this to a PEM certificate; however, Qlik rejects it with the error message that the certificate is invalid.

I'm aware that there is an out-of-the-box method for integrating Qlik and Okta; however, there is a specific reason for using JWT rather than SAML in this case.

Any help in setting up a virtual proxy to receive and validate the bearer token from Okta would be greatly appreciated!
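
Added example (not part of the original post, and not Qlik or Okta code): standard-library Python showing what converting the JWKS entry above to PEM produces. The JWK carries only the RSA modulus and exponent, so the output is a bare PUBLIC KEY (SubjectPublicKeyInfo) block rather than an X.509 CERTIFICATE, which would also carry subject, issuer, validity and a signature; the thread does not establish which of the two the virtual proxy field expects. Helper names are illustrative.

```python
import base64

# JWKS entry copied from the question above; helper names are illustrative.
JWKS = {"keys": [{
    "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB",
    "kid": "nxbkkwOi08tlMmhhQSbKEBkEcd3IhlhfRTzwHOXl1xc",
    "n": "wCIBXVwe9nalkjTb4l2vfp5mDowaL2YoqIr71P0WxDpTIIRuITx7NqNijpOkQ_795YkWMZt8Z9LRRnyf-VA3EE2l9p64sqoCsAG_AJ07YFaPoohkxSq8tJ8nJ01XGco-OuTs3uviSMcZ0eQHC7RdaG7ARe-IglfBkKUfzLHuElO3kH3VanG7_Ageb1hl1DWhiHlqtCCaq9XZVeMbfpcLkU_doE9QThxEN9pZjff83X47qxSwNe9LPWurD-xQ5C0QonSO-VIdpGobEVKHlqu6AYX0H7VEk3H4SNjAr04EagHy6EGktBAMc081SPpMWWUeQuGrmqDPGECed_wBLkUMRQ",
}]}

def b64url_to_int(value):
    """Decode an unpadded base64url JWK field (n or e) into an integer."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return int.from_bytes(raw, "big")

def der(tag, body):
    """Encode one DER tag-length-value element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def der_int(number):
    """DER INTEGER: big-endian, with a leading 0x00 when the top bit is set."""
    return der(0x02, number.to_bytes(number.bit_length() // 8 + 1, "big"))

def select_signing_key(jwks, kid):
    """Return the key matching kid, refusing anything but an RS256 signing key."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            if (jwk.get("kty"), jwk.get("use"), jwk.get("alg")) != ("RSA", "sig", "RS256"):
                raise ValueError("kid %s is not an RS256 signing key" % kid)
            return jwk
    raise KeyError("no key with kid %s in JWKS" % kid)

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALG_ID = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))

def jwk_to_public_key_pem(jwk):
    """Build SubjectPublicKeyInfo from the JWK's n and e and wrap it as PEM."""
    rsa_key = der(0x30, der_int(b64url_to_int(jwk["n"])) + der_int(b64url_to_int(jwk["e"])))
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(jwk_to_public_key_pem(select_signing_key(JWKS, JWKS["keys"][0]["kid"])))
```

Selecting the key by the kid in the token header matters because a JWKS can list several keys, and the one pasted into a static configuration stops matching when the issuer rotates its signing key.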

 

 

6 Replies

Re: JWT Authentication with Okta bearer token

Hi,

Yes, because Qlik has its own certificates.

If you are using some open-source certificates, it will give you an error.

Just use the Qlik certificate and try.

Thanks, Regards,

Harsh Gohil


Re: JWT Authentication with Okta bearer token

Thanks Harsh,

Thanks for the reply.

That's not going to work, unfortunately, because Okta will not use the private key provided by Qlik to generate the token. The token is generated by Okta, and the public key certificate is needed to validate it.


Re: JWT Authentication with Okta bearer token

Hey,

Did you try this method?

https://help.qlik.com/en-US/sense/June2019/Subsystems/ManagementConsole/Content/Sense_QMC/SAML-confi...

Try these steps, in case they help you 🙂


Re: JWT Authentication with Okta bearer token

Hi Harsh,

There's a requirement on this project to use JWT, rather than SAML, so I can't use that method.


Re: JWT Authentication with Okta bearer token

Update:

I've been in contact with Okta and can confirm that the certificate generated from the JWKS is valid. I've been able to test that the token and public key certificate are both valid by verifying them on jwt.io and can confirm that the algorithm is RS256, which is supported by Qlik.

Everything works great up to this point; however, Qlik is still showing the 'Invalid Public Key Certificate' error when the certificate is entered in the virtual proxy configuration screen.

I can't see a reason for Qlik to be refusing to accept the certificate, since it can be confirmed as valid by jwt.io and will successfully decode and validate the payload of the bearer token.


Re: JWT Authentication with Okta bearer token

Hello,

I don't have any idea, but when I was trying to connect with Qlik using Node.js, I had to pass certificates, and we also had to add one header called certificate = NULL.

So try with your method: put certificates = Null, if you have this type of option.

Might work for you 🙂

Thanks