OAuth

This API is used to interact with Edge Auth resources in Qlik elastic environments.

Endpoints

GET/oauth/authorize
POST/oauth/revoke
POST/oauth/token

Allows a client application to use an OAuth flow to request user authorization.

authenticate

Facts GET /oauth/authorize

Rate limit
Tier 1 (1000 requests per minute)

Query Parameters GET /oauth/authorize

client_id
required
string

The client identifier.

code_challenge_method
required
string

The algorithm the client used to generate code_challenge; only S256 is currently supported.

Enum:

S256

redirect_uri
required
string

Relative or full URL to redirect to after successful login. A redirect_uri the server does not accept for the client is rejected with the 400 response below.

response_type
required
string

Describes the grant flow to use.

scope
required
array of string

The scope of access that is being requested.

Enum:

user_default

offline_access

state
required
string

Opaque state value that is round-tripped to the client in the final redirect. The client must check that the returned value matches the one it sent, so that the callback is bound to its own authorization request (RFC 6749 section 10.12).

code_challenge
string

The code challenge created by the client. For code_challenge_method S256 this is the base64url-encoded (unpadded) SHA-256 digest of the code_verifier that will later be sent to /oauth/token (RFC 7636 section 4.2).

max_age
number

Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OpenID Provider.

prompt
string

Specifies whether the Authorization Server prompts the End-User for re-authentication and consent.

Responses GET /oauth/authorize

302
text/html
string

Redirect to the identity provider, or back to the redirect_uri if an error occurs. On error the redirect follows OAuth 2.0 (RFC 6749) section 4.1.2.1 (https://tools.ietf.org/html/rfc6749#section-4.1.2.1), with an additional error_code parameter carrying the internal error code. When a detail is known for the error, it is included as error_detail.

400
application/json

Invalid client_id or redirect_uri.

GET/oauth/authorize

# All required query parameters from the table above, with placeholder values.
# response_type=code requests an authorization code (RFC 6749 section 4.1.1); the page lists no other value.
curl -G "https://your-tenant.us.qlikcloud.com/oauth/authorize" \
 --data-urlencode "client_id=<client_id>" \
 --data-urlencode "response_type=code" \
 --data-urlencode "redirect_uri=https://app.example.com/callback" \
 --data-urlencode "scope=user_default offline_access" \
 --data-urlencode "state=<random-state>" \
 --data-urlencode "code_challenge_method=S256" \
 --data-urlencode "code_challenge=<base64url-sha256-of-code_verifier>"
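The authorization request above needs a PKCE verifier/challenge pair and a state value, and the 302 response needs to be validated when it comes back to redirect_uri. The following is an added example (not Qlik's own SDK or sample code) that builds the /oauth/authorize URL and checks the callback. It assumes a placeholder tenant host, client_id and redirect_uri, that response_type is "code", and that the scope array is sent space-delimited, as it appears in the token response.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): replace with your tenant and client registration.
TENANT = "https://your-tenant.us.qlikcloud.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) without '=' padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """64 random bytes -> 86 unreserved characters, inside the documented 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(64)).rstrip(b"=").decode("ascii")


def new_state() -> str:
    """Unguessable state value; the client keeps it in its session to check the callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(code_verifier: str, state: str,
                        scope=("user_default", "offline_access"),
                        prompt: str = None, max_age: int = None) -> str:
    """Assemble GET /oauth/authorize with every required query parameter."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # assumed value: authorization code flow
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),  # assumed serialization: space-delimited
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": s256_challenge(code_verifier),
    }
    if prompt is not None:
        params["prompt"] = prompt
    if max_age is not None:
        params["max_age"] = str(max_age)
    return f"{TENANT}/oauth/authorize?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the final redirect and return the authorization code.

    Checks state before looking at anything else, then surfaces the RFC 6749
    error parameters plus Qlik's error_code / error_detail additions.
    """
    query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: callback is not bound to our request")
    if "error" in query:
        raise RuntimeError(
            f"authorization failed: {query['error']} "
            f"(error_code={query.get('error_code')}, error_detail={query.get('error_detail')})"
        )
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"]


if __name__ == "__main__":
    verifier, state = new_verifier(), new_state()
    print(build_authorize_url(verifier, state))
    # Constructed callback, as the server would send it on success:
    print(parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state))
```

The verifier and state must be stored server-side (or in a session cookie the client controls) between the redirect and the callback; the code is only useful together with the same verifier at /oauth/token.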

Allows a client to revoke a token.

authenticate

Facts POST /oauth/revoke

Rate limit
Tier 2 (100 requests per minute)

Request Body POST /oauth/revoke

application/json

Properties of the token that the client wants to revoke.

application/x-www-form-urlencoded

Properties of the token that the client wants to revoke.

Responses POST /oauth/revoke

200
application/json
object

Token was revoked.

400
application/json

Invalid request.

POST/oauth/revoke

curl "https://your-tenant.us.qlikcloud.com/oauth/revoke" \
 -X POST \
 -H "Content-type: application/json" \
 -d '{"token":"string","token_type_hint":"access_token"}'

Request POST /oauth/revoke

{
  "token": "string",
  "token_type_hint": "access_token"
}

Allows a client to perform an OAuth flow to obtain a token set.

authenticate

Facts POST /oauth/token

Rate limit
Tier 2 (100 requests per minute)

Request Body POST /oauth/token

application/json

One of the request schemas defined below: oauth-authorization-code-request, oauth-client-credentials-request, oauth-refresh-request or oauth-token-exchange. The grant_type value selects which one applies.

application/x-www-form-urlencoded

Same schemas as for application/json, sent as form fields.

Responses POST /oauth/token

200
application/json

Token set created.

400
application/json

Invalid request parameters.

401
application/json

Invalid login or tokens. Indicates that the code or token used can be discarded by the client. Can also mean that invalid client credentials were provided in the Authorization header.

403
application/json

Forbidden because user is disabled or has reached the maximum number of tokens.

POST/oauth/token

# client_credentials grant; the client credentials go in the Authorization header (see the 401 response).
# For the other grants, send the matching request schema listed below instead.
curl "https://your-tenant.us.qlikcloud.com/oauth/token" \
 -X POST \
 -u "<client_id>:<client_secret>" \
 -H "Content-type: application/json" \
 -d '{"grant_type":"client_credentials","scope":"user_default"}'

Response POST /oauth/token

{
  "scope": "offline_access user_default",
  "auth_time": 1628524367,
  "expires_at": "1970-01-18T13:17:10.931Z",
  "token_type": "bearer",
  "access_token": "string",
  "refresh_token": "string",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}

Error

object

An error object.

Properties

code
required
string

The error code.

meta
object

Non-standard information about the error.

title
required
string

The error title.

detail
string

The detailed error message.

status
string

The HTTP status code.

Errors

object

A representation of the errors encountered from the HTTP request.

Properties

errors

List of errors and their properties.

oauth-authorization-code-request

Properties

code
required
string

The authorization code created by the server.

client_id
required
string

The client identifier.

deviceType
string

The type of the user device the authorization token is generated for (Tablet, Phone, etc.).

grant_type
required
string

The grant type used to exchange an authorization code for an access token.

Enum:

authorization_code

description
string

A user-friendly description to distinguish between multiple tokens.

redirect_uri
required
string

The original redirect URI provided during authorization. For verification purposes only.

client_secret
string

The client secret.

code_verifier
required
string

Required when grant_type is "authorization_code". The code verifier used to verify the original code challenge created by the client. It must be between 43 and 128 characters long and consist only of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".

oauth-client-credentials-request

Properties

scope
string

The scope of access that is being requested.

Enum:

user_default

grant_type
required
string

The grant type used to obtain an access token outside of the context of a user.

Enum:

client_credentials

oauth-refresh-request

Properties

grant_type
required
string

The grant type used to exchange a refresh token for an access token.

Enum:

refresh_token

client_secret
string

The client secret.

refresh_token
required
string

The refresh token to use.

oauth-revoke-request

object

Properties

token
required
string

The token to revoke.

token_type_hint
string

Type of the provided token.

Enum:

access_token

refresh_token

oauth-token-exchange

Exchanges one token for another. The implementation is based on RFC 8693 (https://datatracker.ietf.org/doc/html/rfc8693).

Properties

purpose
required
string

The intended use for the requested token.

Enum:

websocket

webresource

client_id
required
string

The client identifier.

grant_type
required
string

Specifies the method in which the token will be granted.

Enum:

urn:ietf:params:oauth:grant-type:token-exchange

subject_token
required
string

The token that represents the identity of the party on behalf of whom the request is being made.

subject_token_type
required
string

The type of the subject token.

Enum:

urn:ietf:params:oauth:token-type:access_token

oauth-token-response

object

Properties

scope
string

The scope of access that is being granted, delimited by space.

auth_time
number

Unix time of when the last authentication occurred.

expires_at
string<date-time>

The date and time, in ISO 8601 format, at which the access token expires.

token_type
required
string

The type of the token issued.

Enum:

bearer

access_token
required
string

The access token granted.

refresh_token
string

Refresh token to be used to obtain a new access token without user intervention.

issued_token_type
string

The type of the token issued for a token exchange. See https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1 for more details.

Enum:

urn:ietf:params:oauth:token-type:access_token
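The POST /oauth/token and POST /oauth/revoke sections above describe the request bodies only through the schemas on this page (oauth-authorization-code-request, oauth-client-credentials-request, oauth-refresh-request, oauth-token-exchange, oauth-revoke-request) and the oauth-token-response object. The following is an added example (not Qlik's own SDK or sample code) that builds each request body, validates the documented constraints before anything is sent, and reads expires_at from the response. It assumes a placeholder tenant host, that client credentials go in an HTTP Basic Authorization header (the standard form of "client credentials provided in Authorization header"), and that bodies may be sent either as JSON or as form fields, as both media types are listed.

```python
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

# Placeholder tenant host (assumption).
TOKEN_URL = "https://your-tenant.us.qlikcloud.com/oauth/token"
REVOKE_URL = "https://your-tenant.us.qlikcloud.com/oauth/revoke"

# Documented code_verifier constraint: 43..128 chars of [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """Client authentication via HTTP Basic (RFC 6749 section 2.3.1), an assumption here."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def authorization_code_request(client_id, code, redirect_uri, code_verifier,
                               client_secret=None, description=None, device_type=None):
    """oauth-authorization-code-request; rejects verifiers the server would reject anyway."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code_verifier must be 43..128 characters of [A-Za-z0-9-._~]")
    body = {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    if client_secret is not None:
        body["client_secret"] = client_secret
    if description is not None:
        body["description"] = description
    if device_type is not None:
        body["deviceType"] = device_type
    return body


def client_credentials_request(scope="user_default"):
    """oauth-client-credentials-request; the client itself is identified by the Authorization header."""
    return {"grant_type": "client_credentials", "scope": scope}


def refresh_request(refresh_token, client_secret=None):
    """oauth-refresh-request."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def token_exchange_request(client_id, subject_token, purpose):
    """oauth-token-exchange (RFC 8693); purpose is limited to the documented enum."""
    if purpose not in ("websocket", "webresource"):
        raise ValueError("purpose must be 'websocket' or 'webresource'")
    return {"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": client_id,
            "subject_token": subject_token, "subject_token_type": ACCESS_TOKEN_TYPE,
            "purpose": purpose}


def revoke_request(token, token_type_hint=None):
    """oauth-revoke-request; the hint only tells the server which store to look in first."""
    if token_type_hint not in (None, "access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    body = {"token": token}
    if token_type_hint is not None:
        body["token_type_hint"] = token_type_hint
    return body


def encode_body(body: dict, media_type: str) -> str:
    """Serialize for either documented Content-Type."""
    if media_type == "application/json":
        return json.dumps(body)
    if media_type == "application/x-www-form-urlencoded":
        return urlencode(body)
    raise ValueError("unsupported media type")


def seconds_until_expiry(token_response: dict, now_iso: str = None) -> float:
    """Remaining lifetime from the ISO 8601 expires_at field; negative means already expired.
    now_iso overrides the clock for deterministic checks."""
    exp = datetime.fromisoformat(token_response["expires_at"].replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return (exp - now).total_seconds()


if __name__ == "__main__":
    print(basic_auth_header("my-client", "my-secret"))
    print(encode_body(client_credentials_request(), "application/x-www-form-urlencoded"))
    # Constructed response in the shape shown above, not a real token set:
    sample = {"token_type": "bearer", "access_token": "x", "expires_at": "2030-01-01T00:10:00.000Z"}
    print(seconds_until_expiry(sample, now_iso="2030-01-01T00:00:00Z"))
```

Refresh tokens are only useful when kept out of the browser and logs; when a client stops needing one, the revoke body above is the way to invalidate it instead of letting it age out.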

v0.879.8