Find Answers
Qlik Community
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join Us
Knowledge
Security vulnerability for JWT authentication: Evaluate JWT attributes 'aud', 'jti' and 'iss'
Article Number: 000072220 | Last Modified: 2019/07/25Description
JWT Attributes are not being evaluated when JWT authentication is used in Qlik Sense February 2019. This is an issue because further securing the JWT by limiting down the access and usage is not possible using the attributes such as "aud", "jti" or "iss".
Qlik Sense does not check the intended purpose / audience of JWT tokens and not even if the JWT attribute ‘aud’ is specified, how do we ensure any intended use? Documentation mentions the JWT attributes: 'iss', 'sub', 'aud'.
The Qlik Code checks that they contain a valid value, but it does not take any action on them. There is no way to limit the audience with 'iss', 'sub', 'aud'.
Cause
QLIK-95131
Resolution
This behaviour is resolved in Qlik Sense June 2019. See the June 2019 Release Notes for details on QLIK-93398.
With the fix it is now possible to use these attributes to limit down the access and usage.
With the fix it is now possible to use these attributes to limit down the access and usage.
Get Answers
Find Answers
Get Support
Have a Question?
Search Qlik's Support Knowledge database or request assisted support for highly complex issues.
Submit a case
Talk with a Representative
Critical Issues
Experiencing a serious issue, please contact us by phone. For Data Integration related issues please refer to your onboarding documentation for current phone number.
Call Us