Our setup is a Qlik Sense server, and we have a virtual proxy where the "authentication module redirect URI" points to a Node.js server (HTTP) which uses the qlik-auth Node.js module to handle authentication with tickets.
We have a web application which is linking to some qlik reports directly in the HUB, so the link to a qlik report would look like:
This works very well when we use a desktop browser to access our web application, but when we use an iPad (4th gen, iOS 10.3.1), our authentication server is flooded with requests, and the HTTP headers contain an "Upgrade-Insecure-Requests: 1" header field. I'm aware that iOS does not like unsigned HTTPS requests and will block them, but as I understand the Qlik authentication API, it is only the path between the auth server and the Qlik proxy (the QPS auth API) that uses HTTPS.
When I examine the requests, the same targetId sometimes appears (I guess that points to some resource that was requested by the client?), and sometimes the Qlik proxy will respond with "Specified targeted was not valid!". I have also noticed that the "Referer" HTTP header is sometimes the URL of my web app client and other times the URL of the Qlik report that I am requesting.
I don't understand why we get so many requests on our auth server, and I don't understand why this does not work on the iPad. Maybe someone can clarify and point out what we are doing wrong? We are also getting reports from our users that it does not work on other tablets (Samsung/Android) either, and I am guessing that it is the same issue.
I have tried setting up our authentication server on HTTPS with a valid certificate and accessing the Qlik reports via HTTPS as well, and then it all works as expected.
Hopefully someone can shed some light on what the problem is?
I have noticed that when I make a request to a Qlik report, it goes through the auth server, then I get a ticket ID, and then the report is requested again, now with the qlikTicket URL parameter attached. But requests to resources after that do not contain the qlikTicket parameter. They only have a large number, which I assume to be a timestamp? It looks something like this:
From the example above, row 1 is the initial request to the report. Row 2 is the redirect to the auth server. Row 3 is the new request with a ticket ID (after the user was authorized). Row 4 is a request for a resource, but without the ticket ID, and the response is a redirect to the auth server (not listed here). Result: my auth server is flooded with requests, and a ticket is consumed every time.
I have found out that the issue is that we are loading the Qlik report in an iframe, and it does not support cross-domain cookies. That is why all requests are routed to the auth server. On the iPad we can change the cookie settings for Safari, and then it will work. But it is still not working in Chrome on iOS.