Login

This API is used to initiate interactive logins, or to process JWT login requests.

Download specification

Login using interactive identity provider

Initiates login using the active interactive identity provider associated with the tenant. Uses default Qlik identity provider if no customer-configured interactive identity provider is active.

Facts

Rate limit Tier 1 (1000 requests per minute)
Categories authenticate

Header Parameters

  • Qlik-Web-Integration-IDstring

    Web Integration ID associated with origin whitelist used to validate returnto value.

Query Parameters

  • login_hintstring

    Hint to the Authorization Server about the login identifier the End-User might use to log in.

  • max_agenumber

    Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OpenID Provider. If time is greater than max_age, force user to re-authorize.

  • returntostring

    Relative or full URL on the tenant to redirect to after successful login.

  • scopearray

    Specifies the scope of access for login. Only supports offline_access to request a refresh token from the identity provider.

    Can be one of: "offline_access"

Responses

302

Redirect to the identity provider.

  • text/htmlstring

401

Invalid login.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.
GET /login 
curl "https://your-tenant.us.qlikcloud.com/login"
const https = require('https')
  const data = JSON.stringify("")
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/login',
    'method': 'GET',
    'headers': {}
  }
  const req = https.request(options)
This API is not included yet in qlik-cli

Exchange a token

Exchanges a token in the form of a user JWT for a session cookie. The JWT should be securely signed with an algorithm other than HS, and it should contain the following claims:

  1. . iss: identifies the principal that issued the JWT; it must match the issuer in the IDP definition.
  2. . aud: identifies the recipients of the JWT, which in this case is "qlik.api/login/jwt-session".
  3. . sub: identifies the subject of the JWT.
  4. . subType: the type of identifier the sub represents, which in this case is "user".
  5. . name: the name of the user.
  6. . email: the email address of the user.
  7. . email_verified: a claim indicating to Qlik that the JWT source has verified that the email address belongs to the subject.
  8. . jti: JWT ID; it should be unique for each consumed JWT token.
  9. . iat: identifies the time at which the JWT was issued.
  10. . nbf: identifies the starting time on which the JWT is accepted. The current unix time must be passed this value.
  11. . exp: identifies the expiration time after which the JWT is not accepted.
  12. . keyid: identifies the KeyID used to sign the JWT; it must match the KeyID in the IDP definition.

And the time window between exp and nbf should not exceed 1 hour.

Facts

Rate limit Tier 2 (100 requests per minute)
Categories authenticate

Responses

200

Successfully exchanged JWT for session.

  • application/jsonobject

401

Unauthorized.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.
POST /login/jwt-session 
curl "https://your-tenant.us.qlikcloud.com/login/jwt-session" \
-X POST \
-H "Authorization: Bearer <Signed JWT>"
const https = require('https')
  const data = JSON.stringify("")
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/login/jwt-session',
    'method': 'POST',
    'headers': {
      'Authorization': 'Bearer <Signed JWT>'
    }
  }
  const req = https.request(options)
This API is not included yet in qlik-cli

Response

{}