Using the OAuth clients API to create and manage OAuth clients

Qlik Cloud supports the use of OAuth clients for a multitude of use cases, including automation, orchestration, embedded analytics, and more.

To enable the programmatic creation and management of OAuth clients, the oauth-clients API has been published. This API supports list, retrieve, create, update, and delete actions for OAuth clients on a tenant.

A common use case involves OEMs embedding Qlik Cloud, where each new OEM customer lands in their own Qlik Cloud tenant. OAuth M2M impersonation authenticates users from the OEM web app to Qlik Cloud. In this scenario, as part of tenant provisioning, a new OAuth client for machine-to-machine impersonation must be configured.

To deploy a new OAuth machine-to-machine impersonation client:

curl --location "https://<TENANT>/api/v1/oauth-clients" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "{
    \"appType\": \"web\",
    \"clientName\": \"my-embedded-portal\",
    \"description\": \"This is an OAuth client created using API calls.\",
    \"allowedScopes\": [
        \"user_default\"
    ],
    \"redirectUris\": [
        \"https://my-web-app.com/callback\"
    ],
    \"allowedGrantTypes\": [
        \"client_credentials\",
        \"urn:qlik:oauth:user-impersonation\"
    ]
}"

This operation returns a 201 status code and the definition of the new OAuth client, including its clientId and clientSecret:

{
    "allowedGrantTypes": [
        "client_credentials",
        "urn:qlik:oauth:user-impersonation"
    ],
    "allowedScopes": [
        "user_default"
    ],
    "appType": "web",
    "clientId": "<CLIENT_ID>",
    "clientName": "my-embedded-portal",
    "clientSecret": "<CLIENT_SECRET>",
    "clientSecretHint": "e6815",
    "clientUri": "",
    "createdAt": "2024-03-18T17:26:30.342260287Z",
    "description": "This is an OAuth client created using API calls.",
    "logoUri": "",
    "ownerId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
    "redirectUris": [
        "https://my-web-app.com/callback"
    ]
}

To change the consent method to trusted, pass the ID of the new OAuth client into the path as <CLIENT_ID>:

curl --location --request PATCH "https://<TENANT>/api/v1/oauth-clients/<CLIENT_ID>/connection-configs/me" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
  {
    \"op\": \"replace\",
    \"path\": \"/consentMethod\",
    \"value\": \"trusted\"
  }
]"

If successful, this returns an empty body and a 204 status code.

Once the OAuth client is configured, your web application's back-end can request a new token for each user session by calling the existing OAuth API with the credentials of the OAuth client you just created:

curl --location "https://<TENANT>/oauth/token" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "{
    \"client_id\": \"<CLIENT_ID>\",
    \"client_secret\": \"<CLIENT_SECRET>\",
    \"grant_type\": \"urn:qlik:oauth:user-impersonation\",
    \"scope\": \"user_default\",
    \"user_lookup\": {
        \"field\": \"userId\",
        \"value\": \"6422bad8022070c06d2417bc\"
    }
}"

If successful, this returns a 200 status code along with a token. The token can be used by a client of the OEM embedded application to impersonate the specified user:

{
    "access_token": "eyJhbGci...",
    "scope": "user_default",
    "token_type": "bearer",
    "expires_at": "2024-03-18T00:21:41.000Z",
    "expires_in": 21600
}
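
The token step above as back-end code, added here as an example and not taken from Qlik's documentation or SDKs: the client secret is read from the server's environment, the response is checked, and only the access token and its lifetime are handed to the front end. The function names and the environment variable names QLIK_TENANT, QLIK_CLIENT_ID and QLIK_CLIENT_SECRET are assumptions.

```python
import json
import os
import urllib.request

GRANT = "urn:qlik:oauth:user-impersonation"

def build_token_request(tenant, client_id, client_secret, user_id, scope="user_default"):
    """Build the POST to /oauth/token for one user, mirroring the curl call above."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": GRANT,
        "scope": scope,
        "user_lookup": {"field": "userId", "value": user_id},
    }
    return urllib.request.Request(
        f"https://{tenant}/oauth/token",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )

def browser_payload(token_response, requested_scope="user_default"):
    """Check the 200 response and keep only the fields the front end needs."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    extra = set(token_response.get("scope", "").split()) - set(requested_scope.split())
    if extra:
        raise ValueError("token carries scopes that were not requested")
    return {k: token_response[k] for k in ("access_token", "expires_in")}

def redact_client(created_client):
    """Copy of the 201 create response that is safe to log (secret replaced by its hint)."""
    safe = dict(created_client)
    if "clientSecret" in safe:
        safe["clientSecret"] = "<redacted, hint " + safe.get("clientSecretHint", "?") + ">"
    return safe

def issue_token(user_id, send=urllib.request.urlopen):
    """Back-end entry point: credentials come from the environment, never from the browser."""
    req = build_token_request(
        os.environ["QLIK_TENANT"],          # assumed variable names
        os.environ["QLIK_CLIENT_ID"],
        os.environ["QLIK_CLIENT_SECRET"],
        user_id,
    )
    with send(req, timeout=10) as resp:
        return browser_payload(json.load(resp))
```

The send parameter exists so the HTTP call can be replaced in tests; in production the default urllib.request.urlopen is used.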

Learn more about OAuth clients

To discover more about OAuth clients:
