Currently it is easy to configure JWT as an identity provider in Qlik SaaS, but there is a major security flaw: there is no built-in way to restrict the JWT payload, so basically whoever has the JWT certificate gets full tenant admin access.
The fix for this would be simple: when configuring the JWT identity provider, just add a text field for specifying the user domain and another for entering a group whitelist, so that only JWT payloads specifying a matching group value are accepted and the user account belongs to the specified group. At its simplest the whitelist could be just one value and support wildcards, e.g. '*customer_*', but of course it would be better to support multiple-value whitelists.
Why this matters:
- Safety is a key concern when organizations move to the cloud. Current JWT setup easily leads to a major security risk and just one bad incident with a high profile customer can tarnish the reputation of Qlik SaaS.
- Embedding and integrating with 3rd party systems is central to "active intelligence", and JWT plays a major role when cooperating with customers and suppliers. Such cooperation will also help promote Qlik to potential new customers.
- It is possible to circumvent this security flaw by setting up a "JWT proxy", i.e. not exposing the Qlik SaaS JWT itself, so that external parties only see a custom middle-man JWT service that includes group whitelists etc. However, this requires setting up a new service, which is never a simple task in a corporate environment, and it will require additional admin and maintenance for handling additional certificates etc. Ease of setup and management is a key driver for SaaS adoption, so this again would undermine it.
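As an added illustration of the proposed domain and group-whitelist check (and of what a "JWT proxy" would have to do today), here is deny-by-default claim filtering in Python. This is example code, not Qlik's implementation; it assumes the payload has already passed signature verification and uses the claim names `email` and `groups` as an assumption.

```python
"""Claim-level restrictions for a JWT identity provider (added example, not Qlik code).
Assumptions: the token signature has already been verified, the user identity is in the
'email' claim and group membership is in the 'groups' claim.
"""
import fnmatch
from typing import Any, Iterable, List, Mapping, Optional


def filter_groups(groups: Any, patterns: Iterable[str]) -> List[str]:
    """Keep only group names that match a whitelist pattern (shell-style wildcards,
    case-sensitive). Groups dropped here are never forwarded to the tenant, so an
    over-broad token cannot hand out roles the whitelist did not allow."""
    if isinstance(groups, str):
        groups = [groups]
    if not isinstance(groups, list):
        return []
    return [
        g for g in groups
        if isinstance(g, str) and any(fnmatch.fnmatchcase(g, p) for p in patterns)
    ]


def authorize_claims(claims: Mapping[str, Any], allowed_domain: str,
                     group_whitelist: Iterable[str]) -> Optional[List[str]]:
    """Deny-by-default decision on a signature-verified payload.
    Returns the reduced list of groups to forward, or None to reject the login."""
    patterns = [p for p in group_whitelist if p]   # ignore blank entries
    if not patterns:
        return None                                # empty whitelist admits nobody
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    if email.split("@")[1].lower() != allowed_domain.lower():
        return None                                # wrong user domain
    groups = filter_groups(claims.get("groups"), patterns)
    return groups or None                          # no whitelisted group: reject


# Constructed sample payloads for demonstration (not real tokens).
CONSTRUCTED_OK = {"sub": "u1", "email": "anna@partner.example",
                  "groups": ["customer_sales", "TenantAdmin"]}
CONSTRUCTED_WRONG_DOMAIN = {"sub": "u2", "email": "mallory@other.example",
                            "groups": ["customer_sales"]}

if __name__ == "__main__":
    print(authorize_claims(CONSTRUCTED_OK, "partner.example", ["customer_*"]))
    print(authorize_claims(CONSTRUCTED_WRONG_DOMAIN, "partner.example", ["customer_*"]))
```

Note that `TenantAdmin` is stripped from the first payload even though the login is accepted: only the whitelisted group reaches the tenant.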
One argument I've heard for not needing restrictions is that if you support JWT then you anyway just need to trust that it is used responsibly, or, using a car analogy: if you let someone borrow your car, you just have to trust that they obey traffic laws. I think this argument is flawed: I might be willing to give someone my car keys, but why should I be forced to also give them my house keys at the same time? There should be an easy way to unbundle my keys.
And yes, as a Qlik partner, we're facing multiple real customer cases that are hindered by this issue.