OAuth2 Overview

Introduction

OAuth2 is an authorization standard used heavily by cloud applications to allow them to access resources on other web applications on behalf of a user. According to this blog on Auth0’s website: “OAuth 2.0 provides consented access and restricts actions of what the client app can perform on resources on behalf of the user, without ever sharing the user’s credentials.”

OAuth2 terms

• Resource owner: The Qlik Cloud user or tenant who owns the content or information to be shared.

• Client: The client is the web application or software requesting access to resources in Qlik Cloud on a user’s behalf.

• Access tokens: Access tokens are encrypted strings clients use to access resources from a Qlik Cloud tenant.

• Authorization server: The Qlik Cloud tenant that provides access tokens to registered clients upon a successful authentication and consent flow by the owner of the resources to be accessed.

• Resource server: In Qlik Cloud, this is another component on the tenant that validates the access token sent by the client and authorizes the client to access the resources.

• Scopes: OAuth2 scopes are strings provided to APIs, so that they know whether to grant access to the type of data and operation requested.

What can you do with OAuth2 on Qlik Cloud?

Qlik Cloud implements OAuth2 to authorize external applications to access content and metadata hosted on tenants. Use cases include:

• Embedding visualizations and data from Qlik Sense applications in web applications.

• Access to the management and administration capabilities of Qlik Cloud to integrate data and analytics workflow with external applications and devops processes.

• Integrating Qlik Cloud directly into cloud application onboarding flows so that partners can provision, configure, and hydrate analytics alongside their host applications.

• Support authorization within other Qlik applications like the mobile app and qlik-cli.

What types of OAuth2 clients does Qlik Cloud support?

Qlik Cloud supports confidential and public clients depending on the selected client type in a registration entry. Confidential applications require a trusted backend server to hold the credentials provided by a tenant, which includes a Client Id and a Client Secret. A public application cannot store credentials in a secure way, therefore, only a Client Id is needed to authorize an application to work with Qlik Cloud. You can learn more about confidential and public applications here.

What OAuth2 application types does Qlik Cloud support?

• Web Application: Apps where the application logic of the client runs mostly on the server-side. Web application OAuth registrations are confidential clients, therefore, they require a backend server to store credentials.

• Machine-to-Machine application: Apps acting as bots or external service workers requiring access to Qlik Cloud tenants to perform management or administrative functions. M2M applications are confidential clients requiring secure access to the Client Id and Client Secret to function.

• Machine-to-Machine impersonation application: An extension to M2M, this application type involves apps acting as users during authentication to perform any function the user has permission to perform. It also operates as a confidential client, but with additional user information required to impersonate a Qlik Cloud tenant user.

• Single page application: Apps usually written in JavaScript where the user interface logic is executed in a web browser. SPAs are public clients and do not require a backend for authorization purposes.

• Native application: Apps that run natively on a device like a computer or mobile phone. Native apps are usually confidential clients requiring both the Client Id and Client Secret.

How does OAuth2 work on Qlik Cloud?

Web OAuth2 client applications

Web application OAuth2 clients handle token exchange on the backend server where the application is hosted. They require the end user to authenticate to the web application, and from there the web application communicates with Qlik Cloud to authorize the web application to access content on behalf of the user logged into the web application.

Web OAuth2 clients use the Authorization Code flow to authorize with Qlik Cloud. Web OAuth2 clients request an authorization token from the /oauth/authorize endpoint using the Client ID and Client Secret values to authenticate to Qlik Cloud. The authorization token returned to the web application is used to make a another request for the user’s access token from the /oauth/token endpoint.

The sequence of requests and responses for Web applications and Qlik Cloud.

Machine-to-Machine OAuth2 client applications

Machine-to-Machine (M2M) enabled OAuth2 clients are a powerful and secure way to manage and automate operations on your Qlik Cloud tenant. They require no user interaction and have the Tenant Admin role, which gives you complete control over your tenant.

M2M OAuth2 clients use Client Credentials flow to authorize with the Qlik Cloud authorization server. M2M OAuth2 clients pass Client ID and Client Secret fields in the request body to the /oauth/token endpoint. The authorization server validates the credentials and responds back with an Access Token, which the application can use in making API requests.

You can create M2M client registrations using the Web option in the OAuth2 client configuration.

Machine-to-Machine OAuth2 Impersonation client applications

M2M Impersonation enhances automation and management within your Qlik Cloud tenant. With user impersonation enabled, OAuth2 web clients can seamlessly emulate user actions based on their existing roles. This allows for authentication of users without requiring their interaction.

To authenticate, OAuth2 clients use the Impersonation flow, which is similar to Client Credentials but with a different Grant Type. Clients submit the Client ID, Client Secret, and an additional User Lookup parameter in the request body to the /oauth/token endpoint. With the User Lookup parameter you can specify the user to impersonate by either userId or subject. The authorization server validates the credentials and responds back with an Access Token, which the application can use to make API requests. This token can also be used from a web browser, given that the origin used is allowlisted in the OAuth2 client.

Create M2M impersonation client registrations using the Web option in the OAuth2 client configuration. Configure Allowed Origins if you plan on using the access tokens from a browser.

Single-Page and Native OAuth2 client applications

Browser and device-based applications like single-page and native applications use JavaScript APIs to update the user interface without needing to contact a back-end. Qlik Cloud analytics content can be integrated easily into single-page applications using the platform’s embedding APIs.

Single-page applications and native applications (for example, mobile apps) use the Authorization Code flow but with an additional component called Proof Key for Code Exchange, or PKCE, because these applications cannot store the Client Secret in a secure way on the front-end. With the PKCE flow, a secret is exchanged between the application and the authorization server called the Code Verifier. This code is transformed into a Code Challenge and sent to the /oauth/authorize endpoint and receives an authorization code in return. Without the code verifier, an attacker cannot exchange the authorization code for an access token from the /oauth/token endpoint.

Here is an example sequence diagram for a single-page application with embedded content from Qlik Cloud.

Registering an OAuth client

When you register an OAuth2 client on your tenant, you will receive a Client ID to embed into your web application so it is recognized by your tenant when it requests access to resources. If you register a confidential client, you will receive a Client Secret as well, which is required to make authorized connections to your tenant.

Authorizing an external application to access resources on a tenant requires you to register an OAuth2 client for your application. You can register OAuth2 clients in the management console.