OAuth2 is an authorization standard used heavily by cloud applications to allow them to access resources on other web applications on behalf of a user. According to this blog on Auth0's website: "OAuth 2.0 provides consented access and restricts actions of what the client app can perform on resources on behalf of the user, without ever sharing the user's credentials."
Resource owner: The Qlik Cloud user or tenant who owns the content or information to be shared.
Client: The client is the web application or software requesting access to resources in Qlik Cloud on a user's behalf.
Access tokens: Access tokens are strings that a client presents as a bearer credential when it calls a Qlik Cloud tenant's APIs. They are issued by the authorization server with a limited lifetime, and anyone holding one can act with the access it grants, so they must be handled as secrets.
Authorization server: The Qlik Cloud tenant that provides access tokens to registered clients upon a successful authentication and consent flow by the owner of the resources to be accessed.
Resource server: In Qlik Cloud, this is another component on the tenant that validates the access token sent by the client and authorizes the client to access the resources.
Qlik Cloud implements OAuth2 to authorize external applications to access content and metadata hosted on tenants. Use cases include:
Embedding visualizations and data from Qlik Sense applications in web applications.
Access to the management and administration capabilities of Qlik Cloud to integrate data and analytics workflows with external applications and devops processes.
Integrating Qlik Cloud directly into cloud application onboarding flows so that partners can provision, configure, and hydrate analytics alongside their host applications.
Supporting authorization in other Qlik applications, such as the mobile app and qlik-cli.
Qlik Cloud supports confidential and public clients depending on the client type selected in a registration entry. Confidential applications require a trusted backend server to hold the credentials provided by a tenant, which consist of a Client ID and a Client Secret. A public application cannot store credentials securely, so only a Client ID is issued to authorize it to work with Qlik Cloud. You can learn more about confidential and public applications here.
Web Application: Apps where the application logic of the client runs mostly on the server side. Web application OAuth registrations are confidential clients, so they require a backend server to store the credentials.
Machine-to-Machine application: Apps acting as bots or external service workers that need access to Qlik Cloud tenants to perform management or administrative functions. M2M applications are confidential clients and require secure access to the Client ID and Client Secret to function.
Native application: Apps that run natively on a device such as a computer or mobile phone. Native apps are public clients: the Client Secret would be extractable from the installed binary, so they are issued only a Client ID and prove possession of the authorization code with PKCE instead.
Web application OAuth2 clients handle token exchange on the backend server where the application is hosted. They require the end user to authenticate to the web application, and from there the web application communicates with Qlik Cloud to authorize the web application to access content on behalf of the user logged into the web application.
Web OAuth2 clients use the Authorization Code flow to authorize with Qlik Cloud. The web application first redirects the user's browser to the tenant's /oauth/authorize endpoint, identifying itself with its Client ID only; the Client Secret is never sent through the browser. After the user authenticates and consents, the tenant returns a short-lived authorization code to the application's registered redirect URI. The application's backend then exchanges that code for the user's access token with a second, server-to-server request to the /oauth/token endpoint, authenticating with its Client ID and Client Secret. Because the exchange happens on the backend, neither the Client Secret nor the access token is exposed to the browser.
The sequence of requests and responses for Web applications and Qlik Cloud.
Machine-to-Machine (M2M) enabled OAuth2 clients are a powerful way to manage and automate operations on your Qlik Cloud tenant. They require no user interaction and carry the Tenant Admin role, which gives the client complete control over your tenant. For that reason the Client Secret of an M2M client must be treated as a tenant administrator credential: keep it in a secret store or environment variable on the server that runs the bot, never in client-side code or source control, and rotate it if it is ever exposed.
M2M OAuth2 clients use the Client Credentials flow to authorize with the Qlik Cloud authorization server. M2M OAuth2 clients pass the Client ID and Client Secret fields in the request body to the /oauth/token endpoint. The authorization server validates the credentials and responds with an Access Token, which the application can use in making API requests.
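The Client Credentials exchange above, as an added example written for this page rather than Qlik's own code. It builds the /oauth/token request named on the page, reads the Client Secret from environment variables (the variable names, tenant host and optional scope are placeholders), validates the token response, and caches the token until shortly before it expires so a long-running bot does not request a new token for every API call. The HTTP transport is injected, so the logic can be exercised without network access.

```javascript
// Added example (not Qlik's code): an M2M client that obtains an access token with
// the Client Credentials grant and reuses it until shortly before it expires.
// Assumptions: tenant host, env var names and the optional scope are placeholders;
// the token endpoint is taken as POST /oauth/token with a form-encoded body.

// Build the Client Credentials request. The Client Secret travels only in this
// back-channel request body, never in a URL or through a browser.
function clientCredentialsRequest({ tenant, clientId, clientSecret, scope }) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
  });
  if (scope) body.set('scope', scope); // scope values are tenant-specific (assumption)
  return {
    url: new URL('/oauth/token', tenant).toString(),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Read credentials from the environment so the secret never sits in source control.
// The variable names are placeholders chosen for this example.
function configFromEnv(env = process.env) {
  const missing = ['QLIK_TENANT', 'QLIK_CLIENT_ID', 'QLIK_CLIENT_SECRET'].filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing environment variables: ${missing.join(', ')}`);
  return {
    tenant: env.QLIK_TENANT,
    clientId: env.QLIK_CLIENT_ID,
    clientSecret: env.QLIK_CLIENT_SECRET,
    scope: env.QLIK_SCOPE,
  };
}

class M2MTokenProvider {
  // `transport(request)` performs the HTTP call and resolves to the parsed JSON
  // token response; `now()` returns the current time in ms. Both are injected so
  // the caching logic can be tested offline. Tokens are renewed `refreshSkewSeconds`
  // before expiry so an in-flight API call never carries a token about to lapse.
  constructor(config, transport, { now = () => Date.now(), refreshSkewSeconds = 60 } = {}) {
    this.config = config;
    this.transport = transport;
    this.now = now;
    this.skewMs = refreshSkewSeconds * 1000;
    this.token = null;
    this.expiresAtMs = 0;
  }

  needsRefresh() {
    return this.token === null || this.now() >= this.expiresAtMs - this.skewMs;
  }

  // Validate the token response before trusting it, then cache the token.
  applyTokenResponse(res) {
    if (typeof res.access_token !== 'string' || res.access_token === '') {
      throw new Error('token response has no access_token');
    }
    if (String(res.token_type).toLowerCase() !== 'bearer') {
      throw new Error(`unsupported token_type: ${res.token_type}`);
    }
    const ttlSeconds = Number(res.expires_in);
    if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
      throw new Error('token response has no usable expires_in');
    }
    this.token = res.access_token;
    this.expiresAtMs = this.now() + ttlSeconds * 1000;
    return this.token;
  }

  async getAccessToken() {
    if (!this.needsRefresh()) return this.token;
    const res = await this.transport(clientCredentialsRequest(this.config));
    return this.applyTokenResponse(res);
  }

  // Header to attach to every tenant API call the bot makes.
  async authorizationHeader() {
    return { Authorization: `Bearer ${await this.getAccessToken()}` };
  }
}

// Usage with a real HTTP client (Node 18+ ships a global fetch):
// const provider = new M2MTokenProvider(configFromEnv(), async (req) => {
//   const r = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
//   if (!r.ok) throw new Error(`token request failed: ${r.status}`);
//   return r.json();
// });
// const headers = await provider.authorizationHeader();
```

The refresh skew matters more than it looks: a token that is still valid when the bot reads it from the cache can expire before the API request reaches the tenant, and a retry loop that does not refresh on that failure will keep replaying a dead token. Renewing a minute early keeps that window closed without adding traffic to the token endpoint.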
You can create M2M client registrations using the Web option in the OAuth2
Single-page applications and native applications (for example, mobile apps) use the Authorization Code flow with an additional component called Proof Key for Code Exchange, or PKCE, because these applications cannot store a Client Secret securely on the front end. With PKCE, the application generates a random secret called the Code Verifier and keeps it locally for the duration of the flow. It sends only a derived value, the Code Challenge (typically the SHA-256 hash of the verifier), to the /oauth/authorize endpoint and receives an authorization code in return. When it exchanges that code at the /oauth/token endpoint it includes the original Code Verifier; the authorization server recomputes the challenge from it and releases an access token only if the result matches the challenge it stored with the code. An attacker who intercepts the authorization code, for example through a malicious app registered for the same redirect URI, does not hold the Code Verifier and therefore cannot exchange the authorization code for an access token at the /oauth/token endpoint.
Here is an example sequence diagram for a single-page application with embedded content from Qlik Cloud.
When you register an OAuth2 client on your tenant, you will receive a Client ID to embed into your web application so it is recognized by your tenant when it requests access to resources. If you register a confidential client, you will receive a Client Secret as well, which is required to make authorized connections to your tenant.
Authorizing an external application to access resources on a tenant requires you to register an OAuth2 client for your application. You can register OAuth2 clients in the management console.