0 Replies Latest reply: Feb 8, 2017 9:24 PM by Nathaniel Anderson

    Qlik Sense Server logoutUri has different domain (B) than the source of request (A)

    Nathaniel Anderson

      I have Qlik Sense Server hosted behind a 3rd party Proxy.

      • That Proxy is accessible at URL domain "A"
      • That Proxy passes on the requests to Qlik Sense server which is actually being served from URL domain "B"

       

      But the user should never have access to "B" directly -- the user shouldn't be aware that "B" exists at all.

       

      All Qlik sense requests work correctly, going from my client at origin "A" , to the domain "A", and responses come back successfully.

       

      Then the hub's getUserInfo function sends a request to:

      https://A/qps/user

       

      Specifically, getUserInfo sends a request to:

      https://A/qps/user?targetUri=https:%2F%2FA%2Fhub

       

      But the response comes back:

      {
        "userDirectory": "...",
        "userId": "...",
        "userName": "...",
        "logoutUri": "https://B/qps/user"
      }

       

      So then in the hub/core/services/comm/authentication initialization,

      it sets a.logoutUri = https://B/qps/user

      Why is the domain inconsistent, now "B"? Shouldn't Qlik Sense server respond with logoutUri set to domain A?

       

       

      After all this, when I attempt to logout, my browser sends a DELETE request to domain B, from domain A.

      This is a cross-origin request (CORS), so my browser sends a pre-flight request.

      And that pre-flight request does not find Access-Control-Allow-Origins in the response, so it thinks CORS is not allowed, an error is logged in the browser's JavaScript console, and it seems the user isn't logged out.

       

      Any advice here? Thank you!

       

      Message was edited by: Nathaniel Anderson removing the auto-linking behavior against non-URLs like "https://"
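The mismatch described in the post, as an added example that is not part of the original post and is not Qlik code: it walks a proxied JSON response for absolute URLs whose origin differs from the public proxy origin, and checks whether a request to such a URL would be preflighted. The hostnames `a.example` and `b.example` are constructed stand-ins for "A" and "B", and the function names are hypothetical.

```javascript
// Added example. Constructed hostnames stand in for the post's "A" and "B".
const PUBLIC_ORIGIN = "https://a.example"; // proxy origin the browser uses ("A")

// Sample /qps/user response body, constructed to mirror the shape in the post.
const sampleUserInfo = {
  userDirectory: "...",
  userId: "...",
  userName: "...",
  logoutUri: "https://b.example/qps/user" // backend origin ("B")
};

// Methods a browser may send cross-origin without a preflight (Fetch standard).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Walk a JSON value and collect every absolute http(s) URL whose origin
// differs from the origin the client is supposed to see.
function findForeignOrigins(value, publicOrigin, path = "$", out = []) {
  if (typeof value === "string") {
    let url;
    try { url = new URL(value); } catch { return out; } // not an absolute URL
    if (/^https?:$/.test(url.protocol) && url.origin !== publicOrigin) {
      out.push({ path, origin: url.origin });
    }
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      findForeignOrigins(child, publicOrigin, `${path}.${key}`, out);
    }
  }
  return out;
}

// True when the browser would send an OPTIONS preflight first.
// Considers only origin and method; custom request headers are ignored.
function needsPreflight(pageOrigin, targetUrl, method) {
  const crossOrigin = new URL(targetUrl).origin !== pageOrigin;
  return crossOrigin && !SAFELISTED_METHODS.has(method.toUpperCase());
}

const leaks = findForeignOrigins(sampleUserInfo, PUBLIC_ORIGIN);
console.log(leaks);
console.log(needsPreflight(PUBLIC_ORIGIN, sampleUserInfo.logoutUri, "DELETE"));
```

A non-empty result from `findForeignOrigins` on a proxied response means a backend hostname is reaching clients, which is worth flagging in a proxy test suite.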