OAuth

Authorize OAuth client flows, and create and revoke OAuth tokens.


Authorize a client application

Allows a client application to use an OAuth flow to request user authorization.

Facts

Rate limit Tier 1 (1000 requests per minute)
Categories authenticate

Query Parameters

  • client_id (string, required)

    The client identifier.

  • response_type (string, required)

    Describes the grant flow to use. This endpoint serves the authorization code flow, for which RFC 6749 section 4.1.1 defines the value "code".

  • redirect_uri (string, required)

    Relative or full URL to redirect to after successful login. It must match a redirect URI registered for the client: a request with an unregistered value is answered with 400 instead of a redirect, so an authorization code is never delivered to a location the client did not register.

  • scope (array, required)

    The scope of access that is being requested. Can be one of: "user_default", "offline_access".

  • state (string, required)

    State parameter to round-trip to the client in the final redirect. Use an unguessable value bound to the user's session and reject any callback whose state does not match it; this is the standard defence against cross-site request forgery on the redirect (RFC 6749 section 10.12).

  • code_challenge_method (string, required)

    The algorithm the client used to generate code_challenge. Only S256 is supported for now. Can be one of: "S256".

  • code_challenge (string)

    The code challenge created by the client (PKCE, RFC 7636): for S256, the base64url encoding of the SHA-256 hash of the code_verifier. Although it is not marked required here, /oauth/token requires code_verifier for the authorization_code grant, so in practice the challenge must be sent with every authorization request.

  • max_age (number)

    Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OpenID Provider.

  • prompt (string)

    Specifies whether the Authorization Server prompts the End-User for re-authentication and consent.

Responses

302

text/html

Redirect to the identity provider, or back to the redirect_uri if an error occurs. On error the redirect follows RFC 6749 section 4.1.2.1 (https://tools.ietf.org/html/rfc6749#section-4.1.2.1), with an additional error_code parameter carrying the internal error code. When a detail is known for the error it is included as error_detail.

  • text/html (string)

400

application/json

Invalid client_id or redirect_uri.

A representation of the errors encountered from the HTTP request.

  • application/json (object)
    • errors (array of objects): list of errors and their properties. Each error has:
      • code (string, required): the error code.
      • title (string, required): the error title.
      • detail (string): the detailed error message.
      • status (string): the HTTP status code.
      • meta (object): non-standard information about the error.

GET /oauth/authorize
curl "https://your-tenant.us.qlikcloud.com/oauth/authorize?client_id=<client_id>&response_type=code&redirect_uri=<redirect_uri>&scope=user_default&state=<state>&code_challenge_method=S256&code_challenge=<code_challenge>"
const https = require('https')
// The required query parameters; URLSearchParams percent-encodes the placeholder values.
// In a real application this URL is opened in the user's browser, not fetched by the server.
const query = new URLSearchParams({
  client_id: '<client_id>', response_type: 'code', redirect_uri: '<redirect_uri>',
  scope: 'user_default', state: '<state>',
  code_challenge_method: 'S256', code_challenge: '<code_challenge>'
})
const options = {
  'hostname': 'your-tenant.us.qlikcloud.com', // host name only, no scheme
  'port': 443,
  'path': '/oauth/authorize?' + query.toString(),
  'method': 'GET',
  'headers': {}
}
// The endpoint answers 302; the Location header carries the redirect target.
const req = https.request(options, (res) => console.log(res.statusCode, res.headers.location))
req.on('error', console.error)
req.end()
  
This API is not included yet in qlik-cli

Revoke OAuth token provided by client

Allows a client to revoke their token.

Facts

Rate limit Tier 2 (100 requests per minute)
Categories authenticate

Request Body

Required

application/json

Properties of the token that the client wants to revoke.

  • application/json (object)
    • token (string, required): the token to revoke.
    • token_type_hint (string): type of the provided token. Can be one of: "access_token", "refresh_token".

application/x-www-form-urlencoded

Properties of the token that the client wants to revoke.

  • application/x-www-form-urlencoded (object): the same two fields as the application/json body above, token (string, required) and token_type_hint (string, one of "access_token", "refresh_token"), sent as form fields.

Responses

200

Token was revoked.

400

application/json

Invalid request.

A representation of the errors encountered from the HTTP request.

  • application/json (object)
    • errors (array of objects): list of errors and their properties. Each error has:
      • code (string, required): the error code.
      • title (string, required): the error title.
      • detail (string): the detailed error message.
      • status (string): the HTTP status code.
      • meta (object): non-standard information about the error.

POST /oauth/revoke
curl "https://your-tenant.us.qlikcloud.com/oauth/revoke" \
-X POST \
-H "Content-type: application/json" \
-d '{"token":"string","token_type_hint":"access_token"}'
const https = require('https')
const data = JSON.stringify({"token":"string","token_type_hint":"access_token"})
const options = {
  'hostname': 'your-tenant.us.qlikcloud.com', // host name only, no scheme
  'port': 443,
  'path': '/oauth/revoke',
  'method': 'POST',
  'headers': {
    'Content-type': 'application/json',
    'Content-Length': Buffer.byteLength(data)
  }
}
// 200 means the token was revoked; 400 carries a JSON errors array.
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', console.error)
req.write(data)
req.end()
  
This API is not included yet in qlik-cli

Request

{
  "token": "string",
  "token_type_hint": "access_token"
}

Retrieve OAuth token

Allows a client to perform an OAuth flow to obtain a token set.

Facts

Rate limit Tier 2 (100 requests per minute)
Categories authenticate

Request Body

application/json

  • application/json (object). One of:

    • oauth-client-credentials-request (object): obtains an access token outside the context of a user.
      • grant_type (string, required): "client_credentials".
      • client_id (string, required): the client identifier.
      • client_secret (string, required): the client secret.
      • scope (string): the scope of access that is being requested. The scope must already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes

    • oauth-refresh-request (object): exchanges a refresh token for a new access token.
      • grant_type (string, required): "refresh_token".
      • refresh_token (string, required): the refresh token to use.
      • client_secret (string): the client secret.

    • oauth-authorization-code-request (object): exchanges an authorization code for an access token.
      • grant_type (string, required): "authorization_code".
      • code (string, required): the authorization code created by the server.
      • client_id (string, required): the client identifier.
      • redirect_uri (string, required): the original redirect URI provided during authorization. Used for verification only; the server does not redirect to it.
      • code_verifier (string, required): the code verifier that matches the code_challenge sent to /oauth/authorize. It must be between 43 and 128 characters long and consist only of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" (the unreserved characters of RFC 7636).
      • client_secret (string): the client secret. Optional here because a public client can rely on PKCE alone; a confidential client must keep the secret server-side.
      • deviceType (string): the type of the user device the token is generated for (Tablet, Phone, etc.).
      • description (string): a user-friendly description to distinguish between multiple tokens.

    • oauth-token-exchange (object): exchanges one token for another. The implementation is based on RFC 8693 (https://datatracker.ietf.org/doc/html/rfc8693).
      • grant_type (string, required): "urn:ietf:params:oauth:grant-type:token-exchange".
      • client_id (string, required): the client identifier.
      • subject_token (string, required): the token that represents the identity of the party on whose behalf the request is being made.
      • subject_token_type (string, required): the type of the subject token. Can be one of: "urn:ietf:params:oauth:token-type:access_token".
      • purpose (string, required): the intended use of the requested token. Can be one of: "websocket", "webresource".

    • oauth-user-impersonation-request (object): obtains an access token on behalf of an existing user without that user's participation. Because the client secret alone authorizes it, this grant is for confidential, server-side clients only; never issue it from a browser or another public client.
      • grant_type (string, required): "urn:qlik:oauth:user-impersonation".
      • client_id (string, required): the client identifier.
      • client_secret (string, required): the client secret.
      • user_lookup (object, required): how to identify the user to impersonate.
        • field (string, required): the identifier to look the user up by. Can be one of: "subject", "userId".
        • value (string, required): the value of that identifier.
      • scope (string): the scope of access that is being requested. The scope must already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes

application/x-www-form-urlencoded

  • application/x-www-form-urlencoded (object). One of the same five request shapes as the application/json body above (oauth-client-credentials-request, oauth-refresh-request, oauth-authorization-code-request, oauth-token-exchange, oauth-user-impersonation-request), with exactly the properties, required flags and allowed values listed there, sent as form fields instead of JSON members.

Responses

200

application/json

Token set created.

  • application/json (object)
    • token_type (string, required): the type of the token issued. Can be one of: "bearer".
    • access_token (string, required): the access token granted.
    • refresh_token (string): refresh token to be used to obtain a new access token without user intervention.
    • expires_at (string): the date and time in ISO format at which the access token expires. Refresh before this instant rather than waiting for a 401 from an API call.
    • scope (string): the scope of access that is being granted, delimited by space. Compare it with the scope requested; the granted set can be narrower.
    • auth_time (number): Unix time of when the last authentication occurred.
    • issued_token_type (string): the type of the token issued for a token exchange. See https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1 for more details. Can be one of: "urn:ietf:params:oauth:token-type:access_token".

400

application/json

Invalid request parameters.

A representation of the errors encountered from the HTTP request.

  • application/json (object)
    • errors (array of objects): list of errors and their properties. Each error has:
      • code (string, required): the error code.
      • title (string, required): the error title.
      • detail (string): the detailed error message.
      • status (string): the HTTP status code.
      • meta (object): non-standard information about the error.

401

application/json

Invalid login or tokens. Indicates that the code or token used is no longer valid and can be deleted by the client, which must then start a new authorization rather than retry. Also returned when invalid client credentials are provided in the Authorization header (the header form of client authentication described in RFC 6749 section 2.3.1).

A representation of the errors encountered from the HTTP request.

  • application/json (object)
    • errors (array of objects): list of errors and their properties. Each error has:
      • code (string, required): the error code.
      • title (string, required): the error title.
      • detail (string): the detailed error message.
      • status (string): the HTTP status code.
      • meta (object): non-standard information about the error.

403

application/json

Forbidden because the user is disabled or has reached the maximum number of tokens. Retrying does not help; revoke tokens that are no longer needed before requesting new ones.

A representation of the errors encountered from the HTTP request.

  • application/json (object)
    • errors (array of objects): list of errors and their properties. Each error has:
      • code (string, required): the error code.
      • title (string, required): the error title.
      • detail (string): the detailed error message.
      • status (string): the HTTP status code.
      • meta (object): non-standard information about the error.

POST /oauth/token
curl "https://your-tenant.us.qlikcloud.com/oauth/token" \
-X POST \
-H "Content-type: application/json" \
-d '{"scope":"user_default offline_access","client_id":"string","grant_type":"client_credentials","client_secret":"string"}'
const https = require('https')
// client_secret travels only in the request body over TLS; never put it in a URL or a log line.
const data = JSON.stringify({"scope":"user_default offline_access","client_id":"string","grant_type":"client_credentials","client_secret":"string"})
const options = {
  'hostname': 'your-tenant.us.qlikcloud.com', // host name only, no scheme
  'port': 443,
  'path': '/oauth/token',
  'method': 'POST',
  'headers': {
    'Content-type': 'application/json',
    'Content-Length': Buffer.byteLength(data)
  }
}
// 200 returns the token set; 400, 401 and 403 return a JSON errors array.
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', console.error)
req.write(data)
req.end()
  
This API is not included yet in qlik-cli

Request

{
  "scope": "user_default offline_access",
  "client_id": "string",
  "grant_type": "client_credentials",
  "client_secret": "string"
}

Response

{
  "scope": "offline_access user_default",
  "auth_time": 1628524367,
  "expires_at": "1970-01-18T13:17:10.931Z",
  "token_type": "bearer",
  "access_token": "string",
  "refresh_token": "string",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}