Skip to main content

Qlik Sense: How to request an OIDC token manually and check if correct attributes are included (PowerShell)

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Damien_Villaret
Support
Support

Qlik Sense: How to request an OIDC token manually and check if correct attributes are included (PowerShell)

Last Update:

May 10, 2022 1:43:00 PM

Updated By:

Jamie_Gregory

Created date:

Oct 7, 2021 4:47:29 AM

This article explains how to request a token manually from your Identity provider token endpoint and verify if the required attributes are included in the id_token.

Qlik Sense Enterprise for Windows reads the attributes from the id_token and is not using the /userinfo endpoint to fetch them.

Environments:

Qlik Sense Enterprise on Windows  May 2021 and higher
Qlik Cloud (For "ADFS" and "Azure" Identity provider types only)

 

First of all, for testing purposes, add the URL "https://test/login/callback" used in this script in your Identity Provider (IdP) allowed redirect URIs. The reason we are doing this is because we want to request the token manually to check its content and not have it getting automatically processed by Qlik Sense.

  1. Run the below PowerShell script to get your authorization URL. Variables authorization_endpoint, client_id, and scope need to be updated to match your IdP, those information can be found from the /.well-known/openid-configuration endpoint.
    $authorization_endpoint = 'https://dc1.domain.local/adfs/oauth2/authorize'
    $client_id = '592a5672-a360-49da-93a4-20654f42d3c2'
    $redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")
    #For ADFS, use 'openid%20allatclaims%20profile%20email' for the scope
    $scope = 'openid%20profile%20email'
    $code_challenge="7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8"
    
    #Paste this URL in your browser to get back the authorization code
    $authorization_endpoint+'?response_type=code&client_id='+$client_id+'&redirect_uri='+$redirect_uri+'&state=xyzABC123&nonce=3O2bsVV99-kjikCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope='+$scope+'&code_challenge_method=S256&code_challenge='+$code_challenge
  2. Paste the URL output from the script in your browser and log in to your Identity provider, the URL should look like this:
    https://dc1.domain.local/adfs/oauth2/authorize?response_type=code&client_id=592a5672-a360-49da-93a4-20654f42d3c2&redirect_uri=https%3a%
    2f%2ftest%2flogin%2fcallback&state=xyzABC123
    &scope=openid%20allatclaims%20profile%20email​

    After the authentication is completed, you will be redirected to https://test/login/callback with an authorization code in the URL, copy the authorization code that we will use in the next step.

    Copy the value between code= and the next & sign. (The length of the authorization code may vary depending on the IdP)

    Damien_Villaret_0-1633594363132.png

  3.  Request the token from the token_endpoint URL (also found from the /.well-known/openid-configuration endpoint)
    $client_id = '592a5672-a360-49da-93a4-20654f42d3c2'
    $redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")
    $client_secret = 'Ssxx92jvm6RE_Plf1NnKgduZujE99nd0vWuujE_L'
    $token_endpoint = 'https://dc1.domain.local/adfs/oauth2/token'
    $code_verifier="_fqY.Xg5srawq24h9_A57tjY-ycqX0PzzIcM7VcwLZRou_Mvqn-_tCTz4ICWcXoCTO8NXlm3b9RfGOjSZEH68a_gWgaLByddN5y52M06~Z8XlO3XMgOJRWK0DefsxcmC"
    
    #Put your authorization code here
    $auth_code = 'mSzqI71WMUGuYcxSTciAcw.kZdiCG6J2QgNAPRcEZ9A51OMW6g.TMrNMhHPBiG3aNbh_4lbUakFzWoU_MFcDQZcL6_wBIaDd_1_DMWz9OZUSvRcE_zR115HwNXdZYUTjHB6mcnK3u5R2EDxsVKthwQwbP184ujVK1c8LmI-QOMb4jEGRTAm49nbtM8MfO4pTO1fICMSU7CLuhVb8KcCefjPOQ5W0JMKLl7XElvhJDLg5n6v1V2m8L2ZaCQVDy6oTiZygIr20j3TpQnpu2Zwk1KzbttOTGqeJgzCoyPJJJcRjnOrD1zPmBEENrz8fuZwdihRIPZufzhj0gEJ18-stWBz7polztBH7y_jKn-mK6WgIqlLSG2AlmcQa9kBANLmfbal7OUFtA'
    $pair = "$($client_id):$($client_secret)"
    $encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
    $basicAuthValue = "Basic $encodedCreds"
    
    $hdrs = @{}
    $hdrs.Add("Authorization",$basicAuthValue)
    $body = 'code='+$auth_code+'&grant_type=authorization_code&redirect_uri='+$redirect_uri+'&code_verifier='+$code_verifier
    
    $response = Invoke-WebRequest -Uri $token_endpoint -Method Post -Body $body -Headers $hdrs -ContentType 'application/x-www-form-urlencoded'
    echo $response.Content​
  4. Copy the value in "id_token" from the request response, and decode the JWT token to see what it contains.

    For simplicity, you can use the debugger on https://jwt.io :

    Damien_Villaret_1-1633596284198.png

    You can confirm if the expected claims are included in the token payload or not.
Comments
rockabs
Contributor III
Contributor III

Hi @Damien_Villaret 

Can you please clarify the importance of this parameter and where we can take this from? 

$code_challenge

 Because I am having issues like below

rockabs_0-1637248807788.png

 

Damien_Villaret
Support
Support

Hello @rockabs 

The error message relates to redirect_uri. Did you change this line in the script to anything else? You don't need to change the line, but you should add https://test/login/callback in the list of allowed redirect_uri in your Identity Provider configuration.

$redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/login/callback")

 

The code_challenge in this article is just a static one that matches base64(SHA256Hash(code_verifier)) value

rockabs
Contributor III
Contributor III

Good, for Code_challenge. and the script, this is how I have with the same issue

rockabs_0-1637250083046.png

 

Damien_Villaret
Support
Support

Is the query string you get similar to the one shown in step 2 ?

https://dc1.domain.local/adfs/oauth2/authorize?response_type=code&client_id=592a5672-a360-49da-93a4-20654f42d3c2&redirect_uri=https%3a%
2f%2ftest%2flogin%2fcallback&state=xyzABC123
&scope=openid%20allatclaims%20profile%20email​

Which Identity Provider do you use ? and did you add the redirect_uri to the list of allowed redirect_uri in your Identity Provider configuration ?

rockabs
Contributor III
Contributor III

This is how it is after


https://abc.eu.auth0.com/adfs/oauth2/authorize?response_type=code&client_id=xxx&redirect_uri=&state=xyzABC123&nonce=3O2bsVV99-kji
kCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8

About adding this https://test/login/callback to be list, I will check internally and get back!

rockabs
Contributor III
Contributor III

I have added the list to IDP, Still, the issue is there. I have a configuration like below, To know these diagnostics/token attributes I was looking for this solution to apply.

rockabs_0-1637319427123.png

 

Damien_Villaret
Support
Support

@rockabs 

You don't have any redirect_uri in the URL you've sent.

https://abc.eu.auth0.com/adfs/oauth2/authorize?response_type=code&client_id=xxx&redirect_uri=&state=xyzABC123&nonce=3O2bsVV99-kji
kCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8

There should be "https%3A%2F%2Ftest%2Flogin%2Fcallback" just after &redirect_uri=

https://abc.eu.auth0.com/adfs/oauth2/authorize?response_type=code&client_id=xxx&redirect_uri=https%3A%2F%2Ftest%2Flogin%2Fcallback&state=xyzABC123&nonce=3O2bsVV99-kji
kCWCxqzxOx007aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8

rockabs
Contributor III
Contributor III

I managed with another way account where that works. Now I am here 🙂

rockabs_0-1637323192589.png

https://abc-icow-test.eu.auth0.com/authorize?response_type=code&client_id=xxx&redirect_uri=https%3A%...
7aXbKMUd0YXBwA3sUk&scope=openid%20allatclaims%20profile%20email&code_challenge_method=S256&code_challenge=7TsROgPKuP0hHoWWwEGqMsIOgzokT3xAz8kWoo7Ivp8

 

Damien_Villaret
Support
Support

It's normal that https://test/login/callback doesnt open, it's just a dummy URL, however you should now have a code in the URL that you can copy and use in step 3 to get the token.

rockabs
Contributor III
Contributor III

We are close now, I see the URL is like this. and I have taken the bold part to this parameter "$auth_code".

https://test/login/callback?code=vT1neefRlijhMOjIrWdVJkL-E7Nv4xHrRyKuJwvAE6SP7&state=xyzABC123#

Now, I got the error below one?

Unable to find type [System.Web.HTTPUtility].
At C:\Users\ansam3\Documents\Untitled1.ps1:2 char:17
+ $redirect_uri = [System.Web.HTTPUtility]::UrlEncode("https://test/log ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Web.HTTPUtility:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound

Invoke-WebRequest : Not found.
At C:\Users\ansam3\Documents\Untitled1.ps1:17 char:13
+ $response = Invoke-WebRequest -Uri $token_endpoint -Method Post -Body ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Version history
Last update:
‎2022-05-10 01:43 PM
Updated by: