Configure JWT Authentication
Implementing JSON Web Token authentication allows you to create seamless experiences across your applications without bringing your users through complex SAML IDP redirect flows.
ConnectReport validates JWTs against a public key you provide in SPKI format. You can also pass in additional supported claims: ConnectReport automatically provisions and updates users in its own user store when presented with new or changed claims, and logs these actions.
How to configure
This guide assumes you already have a system in place to generate and sign valid JWTs using a supported RSA algorithm (RS256, RS384, RS512).
Before you begin, you will need to complete the following items:
- Retrieve an SPKI format public key. These start with "-----BEGIN PUBLIC KEY-----".
Decide on the following:
- Which key in your payload you will map to the username property in ConnectReport. For example, “sub”, or “email”.
- Choose whether you will validate the issuer and audience claims of your JWTs; we recommend that you do. If issuer or audience are set in the JWT Authentication configuration, they will be validated on every token.
- Decide whether you will map additional supported properties, for example “groups” or “role”.
- Decide what the default role should be for JWTs that do not include a role claim. For most scenarios, “Viewer” is the safest and most restrictive option.
Steps
- Navigate to the ConnectReport Management Console and choose Server Configuration
- Under JWT Authentication, paste your public key into the Public key field. Ensure no trailing or leading spaces are added.
- In Username property key, enter the JWT payload key that should be used to identify a user, for example “sub”, or “username”.
- If you decided to set issuer and audience as recommended above, set issuer and audience. Issuer generally refers to the service that generated the token, and audience refers to the downstream service receiving the JWT. These values are used as an additional layer of protection to ensure that claims are coming from the expected issuer, and going to the expected downstream service.
- Click Save configuration and restart associated ConnectReport services.
How to authenticate
Once you have configured JWT Authentication, the server will look for JWTs to validate in the Authorization header. You may prepend the authorization header value with Bearer.
Requests that fail to validate or authenticate will generally return a 401 response code. If you are stuck or need more details on any failures to authenticate, review the server logs.
Additional supported claims
You can send along additional claims in your JWTs to make it simpler to manage groups and roles among your userbase. The following claims are supported:
- role (string): case-sensitive name of the role the user should assume. If the user already exists and this differs from the role they currently have, their role will be updated to match this value. If the role name is invalid, a 401 status code is returned. This claim may also be keyed as crRole.
- groups (array of strings): case-sensitive name(s) of groups the user should belong to. If the user already exists and this claim differs from the groups they currently belong to, their group memberships will be updated to match this value. If an empty array is provided for an existing user, the user will be updated to belong to no groups. If a group name is invalid, a 401 status code is returned.
- firstName (string): ConnectReport profile first name
- lastName (string): ConnectReport profile last name
- email (string): ConnectReport profile email
- qlikSenseUsername (string): you may optionally set a specific username for Qlik Sense connections made on behalf of this user. If unspecified, the value of the JWT key you configured as the Username property key (usernamePropertyKey) is used.
- qlikSenseUserDirectory (string): you may optionally set a specific user directory for Qlik Sense connections made on behalf of this user. If unspecified, the configured user directory value of the Qlik Sense connector is used.
- sisenseUsername (string): you may optionally set a specific username for Sisense connections made on behalf of this user. If unspecified, the value of the JWT key you configured as the Username property key (usernamePropertyKey) is used.