login

This API is used to interact with Edge Auth resources in Qlik elastic environments.

Endpoints

GET /login
POST /login/jwt-session

Login using interactive identity provider associated with the tenant.

Header Parameters GET /login

Qlik-Web-Integration-ID
optional
string

Web Integration ID associated with the origin whitelist used to validate the returnto value.

Query Parameters GET /login

returnto
optional
string

Relative or full URL to redirect to after successful login.

Responses GET /login

302
object

Redirect to the identity provider.

401
object

Invalid login.

GET /login

curl "https://your-tenant.us.qlikcloud.com/login" \
 -H "Authorization: Bearer <API-key>"

Exchanges a token in the form of a user JWT for a session cookie.

The JWT should be securely signed with an algorithm other than HS, and it should contain the following claims:

  1. iss: identifies the principal that issued the JWT, and must match the issuer in the IDP definition.
  2. aud: identifies the recipients of the JWT, which in this case is "qlik.api/login/jwt-session".
  3. sub: identifies the subject of the JWT.
  4. subType: The type of identifier the sub represents, which in this case is "user".
  5. name: the name of the user.
  6. email: The email address of the user.
  7. email_verified: A claim indicating to Qlik that the JWT source has verified that the email address belongs to the subject.
  8. jti: JWT Id, and should be unique for each consumed JWT token.
  9. iat: identifies the time at which the JWT was issued.
  10. nbf: identifies the starting time from which the JWT is accepted. The current Unix time must be past this value.
  11. exp: identifies the expiration time after which the JWT is not accepted.

The time window between nbf and exp should not exceed 1 hour.
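The claim rules above can be enforced at the point where the token is minted. The following Node.js sketch is an added example, not code from Qlik or from this page: it builds the listed claims, refuses HS algorithms and windows over one hour, signs with RS256 and verifies the result locally. The `user` field names, the issuer URL and the sample user are constructed, and any extra header fields your IdP definition expects (such as a key ID) are not shown.

```javascript
// Added example (not Qlik's code): mint a user JWT for POST /login/jwt-session.
const crypto = require('node:crypto');

const AUDIENCE = 'qlik.api/login/jwt-session'; // fixed aud value from the claim list
const MAX_WINDOW_S = 3600;                     // exp - nbf must not exceed 1 hour
const b64url = (v) => Buffer.from(v).toString('base64url');

// The field names on `user` are hypothetical; map them from your own user store.
function buildClaims(user, issuer, nowS, lifetimeS) {
  if (!Number.isInteger(lifetimeS) || lifetimeS <= 0 || lifetimeS > MAX_WINDOW_S) {
    throw new RangeError('exp - nbf must be 1..3600 seconds');
  }
  return {
    iss: issuer,                                 // must match the issuer in the IdP definition
    aud: AUDIENCE,
    sub: user.sub,
    subType: 'user',
    name: user.name,
    email: user.email,
    email_verified: user.emailVerified === true, // never default this to true
    jti: crypto.randomUUID(),                    // unique per consumed token
    iat: nowS,
    nbf: nowS,
    exp: nowS + lifetimeS,
  };
}

// Signs with RS256 (RSASSA-PKCS1-v1_5 with SHA-256); HS* is refused outright.
function signJwt(claims, privateKey, alg = 'RS256') {
  if (/^HS/i.test(alg)) throw new Error('HS algorithms are not accepted');
  if (alg !== 'RS256') throw new Error('only RS256 is implemented in this example');
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Local self-check before sending: the signature verifies and the payload decodes.
function decodeVerified(token, publicKey) {
  const [h, p, s] = token.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('signature check failed');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Demo with a throwaway key pair and a constructed user.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const user = { sub: 'user-0001', name: 'Example User', email: 'user@example.com', emailVerified: true };
  const now = Math.floor(Date.now() / 1000);
  return decodeVerified(signJwt(buildClaims(user, 'https://issuer.example', now, 300), privateKey), publicKey);
}
```

Keeping the lifetime well under the one-hour ceiling and generating a fresh jti per call limits how long a leaked token can be replayed.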

Responses POST /login/jwt-session

200
object

Successfully exchanged JWT for session.

401
application/json

Unauthorized.

POST /login/jwt-session

curl "https://your-tenant.us.qlikcloud.com/login/jwt-session" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Errors

object

A representation of the errors encountered from the HTTP request.

Properties

errors

No description

Error

object

An error object.

Properties

code
string

The error code.

title
string

The error title.

status
optional
string

The HTTP status code.

detail
optional
string

The detailed error message

meta
optional
object

Non-standard information about the error

Diagnose-claims

object

Diagnostic claims object.

Properties

subType
string

The token type.

claimsFromIdp
object

The claims from the IdP.

mappedClaims
object

The mapped claims.

internalClaims
optional
object

The claims used internally for requests from the entity

claimSource
optional
string

No description

Enum:

idp-userinfo

id-token

idp-introspection

external-token

ClaimsInfo

object

Information about the claims obtained from the internal JWT that got created while performing authentication.

Properties

roles
Array<string>

The names of the roles resolved for the current user, including those obtained through group membership.

service-token-request

The request body for a service to service token

Properties

grant_type
string

The grant type of the token request

Enum:

qlik:service-token

service_token
string

The token identifying the service

service_token_type
optional, default='jwt'
string

The type of service token

Enum:

jwt

audience
string

The audience of the token, must be locked down to a specific resource

tenantId
optional
string

Optional (but strongly suggested) tenantId to limit the resultant token to

token-renewal-request

The request body for a token renewal

Properties

grant_type
string

The grant type of the token request

Enum:

qlik:token-renewal

renewer_token
string

The token identifying the entity renewing the token

renewer_token_type
optional, default='jwt'
string

The type of renewer token

Enum:

jwt

subject_token
string

The token being renewed

subject_token_type
optional, default='jwt'
string

The type of subject token

Enum:

jwt

user-impersonation-request

The request body for a token impersonation

Properties

grant_type
string

The grant type of the token request

Enum:

qlik:user-impersonation

actor_token
string

The token identifying the entity to impersonate the token

actor_token_type
optional, default='jwt'
string

The type of actor token

Enum:

jwt

user_id
string

The ID of the user to impersonate

request_tenant_id
optional
string

ID of tenant associated with the original API request

elevate
optional, default=false
boolean

Whether to include elevated permissions, requires ELEVATE service permission

token-response

object

Response containing an internal token

Properties

access_token
string

The internal token

token_type
string

The token type

Enum:

Bearer

expires_in
number

The number of seconds the token is valid for

expiry
number

The Unix time in seconds that the token will expire at

oauth-client-credentials-request

Properties

grant_type
string

No description

Enum:

client_credentials

scope
optional
string

The scope of access that is being requested.

Enum:

user_default

oauth-refresh-request

Properties

grant_type
string

No description

Enum:

refresh_token

refresh_token
string

The refresh token to use.

client_secret
optional
string

The client secret.

oauth-authorization-code-request

Properties

grant_type
string

No description

Enum:

authorization_code

code
string

The authorization code created by the server.

code_verifier
string

Required when grant_type is "authorization_code". The code verifier used to verify the original code challenge created by the client. It must be between 43 and 128 characters long and consist of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".

redirect_uri
string

The original redirect URI provided during authorization. For verification purposes only.

client_id
string

The client identifier.

client_secret
optional
string

The client secret.

description
optional
string

A user-friendly description to distinguish between multiple tokens

deviceType
optional
string

The type of the user device the authorization token is generated for (Tablet, Phone etc.)

oauth-token-response

object

Properties

access_token
string

The access token granted

refresh_token
optional
string

Refresh token to be used to obtain a new access token without user intervention

token_type
string

The type of the token issued

Enum:

bearer

expires_at
optional
string<date-time>

The date and time in ISO format for when the access token will expire

auth_time
optional
number

Unix time of when the last authentication occurred

scope
optional
string

The scope of access that is being granted, delimited by space

oauth-revoke-request

object

Properties

token
string

The token to revoke

token_type_hint
optional
string

Type of the provided token

Enum:

access_token

refresh_token

oauth-token

Properties

tenantId
string

The ID of the owning tenant

userId
string

The ID of the owning user

id
string

The token ID

description
optional
string

The description of the token

deviceType
optional
string

The type of the user device the authorization token is generated for (Tablet, Phone etc.)

lastUsed
optional
string<date-time>

The last time the token was used

oauth-token-page

object

Properties

data

No description

links
optional

No description

v1.31.0