Using the OAuth clients API to create and manage OAuth clients
Qlik Cloud supports the use of OAuth clients for a multitude of use cases, including automation, orchestration, embedded analytics, and more.
To enable the programmatic creation and management of OAuth clients, the oauth-clients
API has been published. This API supports list, retrieve, create, update, and deletion
actions for OAuth clients on a tenant.
A common use case involves OEMs embedding Qlik Cloud, where each new OEM customer lands in their own Qlik Cloud tenant. OAuth M2M impersonation authenticates users from the OEM web app to Qlik Cloud. In this scenario, as part of tenant provisioning, a new OAuth client for machine-to-machine impersonation must be configured.
To deploy a new OAuth machine-to-machine impersonation client:
curl --location "https://<TENANT>/api/v1/oauth-clients" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "{
\"appType\": \"web\",
\"clientName\": \"my-embedded-portal\",
\"description\": \"This is an OAuth client created using API calls.\",
\"allowedScopes\": [
\"user_default\"
],
\"redirectUris\": [
\"https://my-web-app.com/callback\"
],
\"allowedGrantTypes\": [
\"client_credentials\",
\"urn:qlik:oauth:user-impersonation\"
]
}"
This operation returns the definition of the new OAuth client with a 201
status code:
{
"allowedGrantTypes": [
"client_credentials",
"urn:qlik:oauth:user-impersonation"
],
"allowedScopes": [
"user_default"
],
"appType": "web",
"clientId": "<CLIENT_ID>",
"clientName": "my-embedded-portal",
"clientSecret": "<CLIENT_SECRET>",
"clientSecretHint": "e6815",
"clientUri": "",
"createdAt": "2024-03-18T17:26:30.342260287Z",
"description": "This is an OAuth client created using API calls.",
"logoUri": "",
"ownerId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
"redirectUris": [
"https://my-web-app.com/callback"
]
}
To change the consent method to trusted
, pass the ID of the new OAuth client into
the path as <CLIENT_ID>
:
curl --location --request PATCH "https://<TENANT>/api/v1/oauth-clients/<CLIENT_ID>/connection-configs/me" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/consentMethod\",
\"value\": \"trusted\"
}
]"
If successful, this returns an empty body and a 204
status code. Once created, your web
application’s back-end can request a new token for each user session with a call
to the existing OAuth API using the credentials
for the OAuth client you just created:
curl --location "https://<TENANT>/oauth/token" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "{
\"client_id\": \"<CLIENT_ID>\",
\"client_secret\": \"<CLIENT_SECRET>\",
\"grant_type\": \"urn:qlik:oauth:user-impersonation\",
\"scope\": \"user_default\",
\"user_lookup\":
{
\"field\": \"userId\",
\"value\": \"6422bad8022070c06d2417bc\"
}
}"
If successful, this returns a 200
status code along with a token. The token
can be used by a client of the OEM embedded application to impersonate
the specified user:
{
"access_token": "eyJhbGci...",
"scope": "user_default",
"token_type": "bearer",
"expires_at": "2024-03-18T00:21:41.000Z",
"expires_in": 21600
}
Learn more about OAuth clients
To discover more about OAuth clients:
- Learn about support and use cases for OAuth clients in Qlik Cloud.
- Visit the
oauth-client
API reference to learn about the API.