Allows a client application to use an OAuth flow to request user authorization.
Facts
Rate limit | Tier 1 (1000 requests per minute) |
Categories | authenticate |
Query Parameters
- client_id (string, required)
  The client identifier.
- code_challenge_method (string, required)
  The algorithm that the client used to generate code_challenge. Only S256 is supported for now.
  Can be one of: "S256"
- redirect_uri (string, required)
  Relative or full URL to redirect to after successful login.
- response_type (string, required)
  Describes the grant flow to use.
- scope (array, required)
  The scope of access that is being requested.
  Can be one of: "user_default", "offline_access"
- state (string, required)
  State parameter to round-trip to the client in the final redirect.
- code_challenge (string)
  The code challenge created by the client.
- max_age (number)
  Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OpenID Provider.
- prompt (string)
  Specifies whether the Authorization Server prompts the End-User for re-authentication and consent.
Responses
302
text/html
Redirect to the identity provider or back to the redirect_uri if an error occurs. On error the redirect will follow the OAuth2 RFC section 4.1.2.1 (https://tools.ietf.org/html/rfc6749#section-4.1.2.1) with an additional error_code parameter with the internal error code. When a detail is known for the error it will be included as error_detail.
- text/html (string)
400
application/json
Invalid client_id or redirect_uri.
- application/json (object)
  A representation of the errors encountered from the HTTP request.
  application/json properties
  - errors (array of objects)
curl "https://your-tenant.us.qlikcloud.com/oauth/authorize"

const https = require('https')
const options = {
  // hostname is the bare host name, without the scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/oauth/authorize',
  method: 'GET',
  headers: {}
}
const req = https.request(options)
req.end() // the request is only sent once end() is called
This API is not included yet in qlik-cli
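The query parameters above, put together as an added example (not Qlik's code): it generates state and a PKCE verifier, derives the S256 code_challenge, builds the /oauth/authorize URL, and checks state on the redirect before reading code or the error, error_code and error_detail fields. The function names, the tenant, client id and redirect URI values, response_type "code" and the space-delimited scope are assumptions.

```javascript
// Added example, not Qlik's code. Tenant, client id and redirect URI are placeholders.
const crypto = require('node:crypto')

const b64url = (buf) => buf.toString('base64url')

// S256 (RFC 7636): code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256Challenge(codeVerifier) {
  return b64url(crypto.createHash('sha256').update(codeVerifier, 'ascii').digest())
}

// Build the /oauth/authorize URL and return the two secrets the client must
// keep (per user session) until the redirect comes back.
function buildAuthorizeRequest({ tenant, clientId, redirectUri, scopes }) {
  const state = b64url(crypto.randomBytes(16))
  const codeVerifier = b64url(crypto.randomBytes(32)) // 43 chars of [A-Za-z0-9_-]
  const url = new URL(`https://${tenant}/oauth/authorize`)
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'code', // assumption: authorization code flow, RFC 6749
    redirect_uri: redirectUri,
    scope: scopes.join(' '), // assumption: space-delimited, as in the token response
    state,
    code_challenge: s256Challenge(codeVerifier),
    code_challenge_method: 'S256',
  }).toString()
  return { url: url.toString(), state, codeVerifier }
}

// Parse the redirect back to redirect_uri. Anything whose state does not match
// the stored value is rejected before code or error fields are looked at.
function parseCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams
  const got = Buffer.from(q.get('state') || '')
  const want = Buffer.from(expectedState)
  if (want.length === 0 || got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: discard this response')
  }
  if (q.has('error')) {
    return { ok: false, error: q.get('error'),
      errorCode: q.get('error_code'), errorDetail: q.get('error_detail') }
  }
  if (!q.get('code')) throw new Error('callback has neither code nor error')
  return { ok: true, code: q.get('code') }
}
```

Keep the returned codeVerifier with the session: it is sent as code_verifier when the code is exchanged at /oauth/token.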
Allows a client to revoke their token.
Facts
Rate limit | Tier 2 (100 requests per minute) |
Categories | authenticate |
Request Body
Required
application/json
Properties of the token that the client wants to revoke.
- application/json (object)
  application/json properties
  - token (string, required)
    The token to revoke.
  - token_type_hint (string)
    Type of the provided token.
    Can be one of: "access_token", "refresh_token"
application/x-www-form-urlencoded
Properties of the token that the client wants to revoke.
- application/x-www-form-urlencoded (object)
  application/x-www-form-urlencoded properties
  - token (string, required)
    The token to revoke.
  - token_type_hint (string)
    Type of the provided token.
    Can be one of: "access_token", "refresh_token"
Responses
200
Token was revoked.
400
application/json
Invalid request.
- application/json (object)
  A representation of the errors encountered from the HTTP request.
  application/json properties
  - errors (array of objects)
curl "https://your-tenant.us.qlikcloud.com/oauth/revoke" \
  -X POST \
  -H "Content-type: application/json" \
  -d '{"token":"string","token_type_hint":"access_token"}'

const https = require('https')
const data = JSON.stringify({"token":"string","token_type_hint":"access_token"})
const options = {
  // hostname is the bare host name, without the scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/oauth/revoke',
  method: 'POST',
  headers: {
    'Content-type': 'application/json'
  }
}
const req = https.request(options)
req.write(data)
req.end() // the request is only sent once end() is called
This API is not included yet in qlik-cli
Request
{
"token": "string",
"token_type_hint": "access_token"
}
Allows a client to perform an OAuth flow to obtain a token set.
Facts
Rate limit | Tier 2 (100 requests per minute) |
Categories | authenticate |
Request Body
application/json
- application/json (object), one of:
  - oauth-client-credentials-request (object)
    oauth-client-credentials-request properties
    - scope (string)
      The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes
    - grant_type (string, required)
      The grant type used to obtain an access token outside of the context of a user.
      Can be one of: "client_credentials"
  - oauth-refresh-request (object)
    oauth-refresh-request properties
    - grant_type (string, required)
      The grant type used to exchange a refresh token for an access token.
      Can be one of: "refresh_token"
    - client_secret (string)
      The client secret.
    - refresh_token (string, required)
      The refresh token to use.
  - oauth-authorization-code-request (object)
    oauth-authorization-code-request properties
    - code (string, required)
      The authorization code created by the server.
    - client_id (string, required)
      The client identifier.
    - deviceType (string)
      The type of the user device the authorization token is generated for (Tablet, Phone etc.).
    - grant_type (string, required)
      The grant type used to exchange an authorization code for an access token.
      Can be one of: "authorization_code"
    - description (string)
      A user-friendly description to distinguish between multiple tokens.
    - redirect_uri (string, required)
      The original redirect URI provided during authorization. For verification purposes only.
    - client_secret (string)
      The client secret.
    - code_verifier (string, required)
      Required when grant_type is "authorization_code". The code verifier used to verify the original code challenge created by the client. It must be between 43 and 128 characters long and consist of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
  - oauth-token-exchange (object)
    Exchanges one token for another. Implementation is based on this spec: https://datatracker.ietf.org/doc/html/rfc8693.
    oauth-token-exchange properties
    - purpose (string, required)
      The intended use for the requested token.
      Can be one of: "websocket", "webresource"
    - client_id (string, required)
      The client identifier.
    - grant_type (string, required)
      Specifies the method in which the token will be granted.
      Can be one of: "urn:ietf:params:oauth:grant-type:token-exchange"
    - subject_token (string, required)
      The token that represents the identity of the party on behalf of whom the request is being made.
    - subject_token_type (string, required)
      The type of the subject token.
      Can be one of: "urn:ietf:params:oauth:token-type:access_token"
  - oauth-user-impersonation-request (object)
    oauth-user-impersonation-request properties
    - scope (string)
      The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes
    - client_id (string, required)
      The client identifier.
    - grant_type (string, required)
      The grant type used to obtain an access token on behalf of an existing user.
      Can be one of: "urn:qlik:oauth:user-impersonation"
    - user_lookup (object, required)
      user_lookup properties
      - field (string, required)
        The identifier to impersonate the user by.
        Can be one of: "subject", "userId"
      - value (string, required)
        The value of the identifier to impersonate the user by.
    - client_secret (string, required)
      The client secret.
application/x-www-form-urlencoded
- application/x-www-form-urlencoded (object), one of:
  - oauth-client-credentials-request (object)
    oauth-client-credentials-request properties
    - scope (string)
      The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes
    - grant_type (string, required)
      The grant type used to obtain an access token outside of the context of a user.
      Can be one of: "client_credentials"
  - oauth-refresh-request (object)
    oauth-refresh-request properties
    - grant_type (string, required)
      The grant type used to exchange a refresh token for an access token.
      Can be one of: "refresh_token"
    - client_secret (string)
      The client secret.
    - refresh_token (string, required)
      The refresh token to use.
  - oauth-authorization-code-request (object)
    oauth-authorization-code-request properties
    - code (string, required)
      The authorization code created by the server.
    - client_id (string, required)
      The client identifier.
    - deviceType (string)
      The type of the user device the authorization token is generated for (Tablet, Phone etc.).
    - grant_type (string, required)
      The grant type used to exchange an authorization code for an access token.
      Can be one of: "authorization_code"
    - description (string)
      A user-friendly description to distinguish between multiple tokens.
    - redirect_uri (string, required)
      The original redirect URI provided during authorization. For verification purposes only.
    - client_secret (string)
      The client secret.
    - code_verifier (string, required)
      Required when grant_type is "authorization_code". The code verifier used to verify the original code challenge created by the client. It must be between 43 and 128 characters long and consist of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
  - oauth-token-exchange (object)
    Exchanges one token for another. Implementation is based on this spec: https://datatracker.ietf.org/doc/html/rfc8693.
    oauth-token-exchange properties
    - purpose (string, required)
      The intended use for the requested token.
      Can be one of: "websocket", "webresource"
    - client_id (string, required)
      The client identifier.
    - grant_type (string, required)
      Specifies the method in which the token will be granted.
      Can be one of: "urn:ietf:params:oauth:grant-type:token-exchange"
    - subject_token (string, required)
      The token that represents the identity of the party on behalf of whom the request is being made.
    - subject_token_type (string, required)
      The type of the subject token.
      Can be one of: "urn:ietf:params:oauth:token-type:access_token"
  - oauth-user-impersonation-request (object)
    oauth-user-impersonation-request properties
    - scope (string)
      The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes
    - client_id (string, required)
      The client identifier.
    - grant_type (string, required)
      The grant type used to obtain an access token on behalf of an existing user.
      Can be one of: "urn:qlik:oauth:user-impersonation"
    - user_lookup (object, required)
      user_lookup properties
      - field (string, required)
        The identifier to impersonate the user by.
        Can be one of: "subject", "userId"
      - value (string, required)
        The value of the identifier to impersonate the user by.
    - client_secret (string, required)
      The client secret.
Responses
200
application/json
Token set created.
- application/json (object)
  application/json properties
  - scope (string)
    The scope of access that is being granted, delimited by space.
  - auth_time (number)
    Unix time of when the last authentication occurred.
  - expires_at (string)
    The date and time in ISO format for when the access token will expire.
  - token_type (string, required)
    The type of the token issued.
    Can be one of: "bearer"
  - access_token (string, required)
    The access token granted.
  - refresh_token (string)
    Refresh token to be used to obtain a new access token without user intervention.
  - issued_token_type (string)
    The type of the token issued for a token exchange. See https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1 for more details.
    Can be one of: "urn:ietf:params:oauth:token-type:access_token"
400
application/json
Invalid request parameters.
- application/json (object)
  A representation of the errors encountered from the HTTP request.
  application/json properties
  - errors (array of objects)
401
application/json
Invalid login or tokens; indicates that the code or token used can be deleted by the client. It can also mean that invalid client credentials were provided in the Authorization header.
- application/json (object)
  A representation of the errors encountered from the HTTP request.
  application/json properties
  - errors (array of objects)
403
application/json
Forbidden because user is disabled or has reached the maximum number of tokens.
- application/json (object)
  A representation of the errors encountered from the HTTP request.
  application/json properties
  - errors (array of objects)
curl "https://your-tenant.us.qlikcloud.com/oauth/token" \
  -X POST \
  -H "Content-type: application/json" \
  -d '{"scope":"user_default offline_access","grant_type":"client_credentials"}'

const https = require('https')
const data = JSON.stringify({"scope":"user_default offline_access","grant_type":"client_credentials"})
const options = {
  // hostname is the bare host name, without the scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/oauth/token',
  method: 'POST',
  headers: {
    'Content-type': 'application/json'
  }
}
const req = https.request(options)
req.write(data)
req.end() // the request is only sent once end() is called
This API is not included yet in qlik-cli
Request
{
"scope": "user_default offline_access",
"grant_type": "client_credentials"
}
Response
{
"scope": "offline_access user_default",
"auth_time": 1628524367,
"expires_at": "1970-01-18T13:17:10.931Z",
"token_type": "bearer",
"access_token": "string",
"refresh_token": "string",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}
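An added example (not Qlik's code) for the authorization_code grant at /oauth/token: it enforces the code_verifier length and character rule quoted above before building the form-encoded body, then maps the documented 200, 400, 401 and 403 responses to what the client should do with its stored code or tokens. The function names, the action labels and the handling of other status codes are assumptions.

```javascript
// Added example, not Qlik's code; function names and action labels are illustrative.
// code_verifier rule from this page: 43-128 chars of [A-Z] [a-z] [0-9] - . _ ~
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/

// Form-encoded body for the authorization_code grant (the endpoint accepts
// application/x-www-form-urlencoded as well as application/json).
function authCodeTokenBody({ code, clientId, redirectUri, codeVerifier }) {
  if (!VERIFIER_RE.test(codeVerifier)) {
    throw new Error('code_verifier must be 43-128 characters of [A-Za-z0-9-._~]')
  }
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: clientId,
    redirect_uri: redirectUri, // the same value that was sent to /oauth/authorize
    code_verifier: codeVerifier,
  }).toString()
}

// Map a /oauth/token response (HTTP status + parsed JSON body) to a next step.
function handleTokenResponse(status, body, now = Date.now()) {
  switch (status) {
    case 200: {
      if (body.token_type !== 'bearer' || !body.access_token) {
        throw new Error('unexpected token set')
      }
      // expires_at is an ISO date string; a missing or unparsable value counts as expired
      const expiresAt = body.expires_at ? Date.parse(body.expires_at) : NaN
      return { action: 'store', expired: !(expiresAt > now),
        canRefresh: Boolean(body.refresh_token) }
    }
    case 400: return { action: 'fix-request' }          // invalid request parameters
    case 401: return { action: 'discard-credentials' }  // code or token can be deleted
    case 403: return { action: 'stop' }                 // user disabled or token limit reached
    default: return { action: 'retry-later' }           // assumption: anything else is transient
  }
}
```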