Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
IMPORTANT security patches for GeoAnalytics Server available to download: READ DETAILS

Qlik Sense: How to set up JWT authentication

cancel
Showing results for 
Search instead for 
Did you mean: 
Damien_Villaret
Support
Support

Qlik Sense: How to set up JWT authentication

This article explains how to simply set up JWT authentication using Qlik Sense default certificates and test it.


Environments:

Qlik Sense Enterprise on Windows , June 2017 and Later

 

Resolution:

Click here for Video Transcript

 

Steps:

1. Create a new virtual proxy
This section only explains settings specific to JWT and supposes that you have set up Name, Prefix, Session cookie header name, load balancing nodes and linked a Proxy to the new virtual proxy.
These are the minimum settings required for a virtual proxy to work correctly. Please refer to 
the Qlik Sense Online Help "Creating a virtual proxy" as well as Qlik Sense For Administrators - JWT authentication for details.

  • In the authentication section, select JWT for authentication
  • Paste the certificate used to sign/decrypt JWT in "JWT certificate

In this article, we will use the default Qlik Sense certificate located:

Important note: We use Qlik Default certificates for simplicity in this article, in a Production scenario, the customer should create the key material (generate a private/public key pair for JWT signing and verification) that is managed by customer internal security policies.

- Go to C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
- Open server.pem in a text editor
- Copy the content including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- then paste it in the JWT Certificate field in the QMC > Virtual Proxy configuration.

  • Choose a value for JWT attribute for user ID and JWT attribute for user directory. That can be anything (except reserved key words for JWT claims) but it must match the values used in the JWT payload section when the JWT is generated.
  • Apply changes and close.


User-added image


2. Generate the JWT

In this article, we will directly use the JWT debugger available on https://jwt.io to generate the token. In a real use case, the JWT library corresponding to the programming language used should be used to generate the JWT.

  • Open https://jwt.io and go to the debugger
  • Select RS256 for the algorithm
  • In the payload, set up your attributes previously set in the virtual proxy for the user ID and the user directory
  • In the Verify signature, paste server.pem (Certificate) and server_key.pem (Private key) content in the appropriate fields. Those files are both located in C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
  • You can now copy the JWT generated in the left field and test it. This should look like:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJVc2VyIiwidXNlckRpcmVjdG9yeSI6IkRPTUFJTiJ9.JsmWGLAisdrWEfCmiW0nwfbZvAQUgYZk0mN3uFE4ME8y00y3jOP54-mH0vJhG7rc0RbHC6LgiHXI12TKB7kHC_ScMa_82eB32PWZs8QQlZz04bG6OQl7C4-0xTuohsrNAND6PfkCy0I3-KoaJoKioHi8P6g8bIABzujesMdapreiAnbqXdZRr5eKfZSXNOZiR4t2HteoQ1R2NzsYLeqjq48Qfy8LTaKEn0oMNvnSpuIQ8rll6agyfjfwGiPVdgnTP1vcj6cRwpvgUHiEvaNvFlINMV6TwBExX8AyQ1yeEr7Rd3IQ2JItFhonwlmgWSXic0nG9DMNTl0_u0tgiV6ipw

User-added image

3. Test the generated JWT
In order to log in with JWT, you need to inject the JWT as a header. There are various extensions available depending on your browser in order to test this.
In this example, we are using Chrome with Modheader.

  • Install ModHeader from the Chrome Web Store
  • Try to go to the hub:

          https://{your server name}/{prefix for JWT virtual proxy}/hub/

  • You should get a 401 error: "Could not authenticate the request: Expected an authentication header." as no header has been provided.
  • Go to ModHeader and set the following header:

       Header name: Authorization
       Header value: Bearer yourjwt
       User-added image

  • Reload the page, you should now be logged into the hub correctly.


In order to integrate your solution with Qlik Sense using JWT authentication, you will need to pass in your code the JWT token in the authorization token for the first request to Qlik Sense so that a session is created.

Related Content:

Labels (1)
Comments
mbj
Employee
Employee

Hi,

Great example! you can also run a JWT server with qlik sense embedded in an Iframe using https://community.qlik.com/t5/Support-Knowledge-Base/Qlik-Sense-How-to-set-up-JWT-authentication/ta-... 

mbj
Employee
Employee
Version history
Last update:
‎2021-04-06 02:36 PM
Updated by: