login
This API is used to interact with Edge Auth resources in Qlik elastic environments.
Endpoints
GET | /login |
POST | /login/jwt-session |
Login using interactive identity provider associated with the tenant.
Header Parameters GET /login
Qlik-Web-Integration-ID optional string | Web Integration ID associated with origin whitelist used to validate returnto value |
Query Parameters GET /login
returnto optional string | Relative or full URL to redirect to after successful login. |
Responses GET /login
302 object | Redirect to the identity provider. |
401 object | Invalid login. |
GET /login
curl "https://your-tenant.us.qlikcloud.com/login" \
-H "Authorization: Bearer <API-key>"
Exchanges a token in the form of a user JWT for a session cookie.
The JWT should be securely signed with an algorithm other than HS, and it should contain the following claims:
- iss: identifies the principal that issued the JWT, and must match the issuer in the IDP definition.
- aud: identifies the recipients of the JWT, which in this case is "qlik.api/login/jwt-session".
- sub: identifies the subject of the JWT.
- subType: The type of identifier the sub represents, which in this case is "user".
- name: the name of the user.
- email: The email address of the user.
- email_verified: A claim indicating to Qlik that the JWT source has verified that the email address belongs to the subject.
- jti: JWT Id, and should be unique for each consumed JWT token.
- iat: identifies the time at which the JWT was issued.
- nbf: identifies the starting time from which the JWT is accepted. The current Unix time must be past this value.
- exp: identifies the expiration time after which the JWT is not accepted.
The time window between nbf and exp should not exceed 1 hour.
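A pre-flight check of the claim rules listed above, as an added example that is not part of the Qlik documentation or tooling. It does not verify the signature; the function names, the sample issuer and user values, and the placeholder signature are constructed, and treating `alg: none` as not "securely signed" is an assumption.

```python
import base64, json, time

REQUIRED = ("iss", "aud", "sub", "subType", "name", "email",
            "email_verified", "jti", "iat", "nbf", "exp")
AUDIENCE = "qlik.api/login/jwt-session"
MAX_WINDOW = 3600           # seconds: exp - nbf should not exceed 1 hour
SAMPLE_NOW = 1_700_000_000  # constructed clock value for the sample token

def _decode(segment):
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def lint_jwt(token, now=None):
    """Return a list of rule violations (empty = passes). Signature is NOT verified."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = _decode(head), _decode(body)
    except ValueError:
        return ["not a compact JWT with JSON header and payload"]
    problems, alg = [], str(header.get("alg", ""))
    # Assumption: "securely signed" also rules out alg "none" and an empty signature.
    if not sig or alg.lower() == "none" or alg.upper().startswith("HS"):
        problems.append(f"alg {alg!r} is unsigned or HS-based")
    problems += [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    aud = claims.get("aud")  # a JWT aud may be a single string or a list
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud must be {AUDIENCE}")
    if claims.get("subType") != "user":
        problems.append('subType must be "user"')
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if isinstance(nbf, (int, float)) and isinstance(exp, (int, float)):
        if now < nbf:
            problems.append("nbf is in the future")
        if now >= exp:
            problems.append("token is expired")
        if exp - nbf > MAX_WINDOW:
            problems.append("exp - nbf exceeds 1 hour")
    return problems

def sample_token(alg="RS256", **overrides):
    """Constructed sample with a placeholder signature (not a real one)."""
    claims = {"iss": "https://idp.example", "aud": AUDIENCE, "sub": "user-1",
              "subType": "user", "name": "Example User", "email": "user@example.com",
              "email_verified": True, "jti": "constructed-jti-1", "iat": SAMPLE_NOW,
              "nbf": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600, **overrides}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': alg})}.{enc(claims)}.placeholder"
```

Running `lint_jwt` in the token-issuing service before calling the endpoint surfaces a wrong `aud`, an HS algorithm or an over-long validity window locally, before the request is sent.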
Responses POST /login/jwt-session
200 object | Successfully exchanged JWT for session. |
401 application/json | Unauthorized. |
POST /login/jwt-session
curl "https://your-tenant.us.qlikcloud.com/login/jwt-session" \
-X POST \
-H "Authorization: Bearer <API-key>"
Errors
object | A representation of the errors encountered from the HTTP request. |
Properties
errors | No description |
Error
object | An error object. |
Properties
code string | The error code. |
title string | The error title. |
status optional string | The HTTP status code. |
detail optional string | The detailed error message. |
meta optional object | Non-standard information about the error |
Diagnose-claims
object | Diagnostic claims object. |
Properties
subType string | The token type. |
claimsFromIdp object | The claims from idp. |
mappedClaims object | The mapped claims. |
internalClaims optional object | The claims used internally for requests from the entity |
claimSource optional string | No description Enum: idp-userinfo id-token idp-introspection external-token |
ClaimsInfo
object | Information about the claims obtained from the internal JWT that got created while performing authentication. |
Properties
roles Array<string> | The names of the roles resolved for the current user, including those obtained through group membership. |
service-token-request
The request body for a service to service token
Properties
grant_type string | The grant type of the token request Enum: qlik:service-token |
service_token string | The token identifying the service |
service_token_type optional, default='jwt' string | The type of service token Enum: jwt |
audience string | The audience of the token, must be locked down to a specific resource |
tenantId optional string | Optional (but strongly suggested) tenantId to limit the resultant token to |
token-renewal-request
The request body for a token renewal
Properties
grant_type string | The grant type of the token request Enum: qlik:token-renewal |
renewer_token string | The token identifying the entity renewing the token |
renewer_token_type optional, default='jwt' string | The type of renewer token Enum: jwt |
subject_token string | The token being renewed |
subject_token_type optional, default='jwt' string | The type of subject token Enum: jwt |
user-impersonation-request
The request body for a token impersonation
Properties
grant_type string | The grant type of the token request Enum: qlik:user-impersonation |
actor_token string | The token identifying the entity to impersonate the token |
actor_token_type optional, default='jwt' string | The type of actor token Enum: jwt |
user_id string | The ID of the user to impersonate |
request_tenant_id optional string | ID of tenant associated with the original API request |
elevate optional, default=false boolean | Whether to include elevated permissions, requires ELEVATE service permission |
token-response
object | Response containing an internal token |
Properties
access_token string | The internal token |
token_type string | The token type Enum: Bearer |
expires_in number | The number of seconds the token is valid for |
expiry number | The Unix time in seconds that the token will expire at |
oauth-client-credentials-request
Properties
grant_type string | No description Enum: client_credentials |
scope optional string | The scope of access that is being requested. Enum: user_default |
oauth-refresh-request
Properties
grant_type string | No description Enum: refresh_token |
refresh_token string | The refresh token to use. |
client_secret optional string | The client secret. |
oauth-token-response
object
Properties
access_token string | The access token granted |
refresh_token optional string | Refresh token to be used to obtain a new access token without user intervention |
token_type string | The type of the token issued Enum: bearer |
expires_at optional string<date-time> | The date and time in ISO format for when the access token will expire |
auth_time optional number | Unix time of when the last authentication occurred |
scope optional string | The scope of access that is being granted, delimited by space |
oauth-consent-request
object
Properties
state string | The state Id |
approve boolean | The user's approval |
_csrf string | The value of the consent CSRF cookie |
oauth-revoke-request
object
Properties
token string | The token to revoke |
token_type_hint optional string | Type of the provided token Enum: access_token refresh_token |
oauth-token
Properties
tenantId string | The ID of the owning tenant |
userId string | The ID of the owning user |
id string | The token ID |
description optional string | The description of the token |
deviceType optional string | The type of the user device the authorization token is generated for (Tablet, Phone etc.) |
lastUsed optional string<date-time> | The last time the token was used |
link
Properties
href string<uri> | The URL for the link |
oauth-token-page
object
Properties
data | No description |
links optional | No description |