Get started with OAuth machine-to-machine

Overview

Machine-to-Machine (M2M) enabled OAuth clients are a powerful and secure way to manage and automate operations on your Qlik Cloud tenant. They require no user interaction and have the Tenant Admin role, which gives you complete control over your tenant.

M2M OAuth clients use Client Credentials Flow to authenticate with the Qlik Cloud authorization server. OAuth clients pass Client ID and Client Secret fields in the request body to the /oauth/token endpoint. The authorization server validates the credentials and responds back with an Access Token, which the application can use in making API requests.

In this tutorial, you will learn how to use M2M enabled OAuth clients with:

• Qlik-CLI
• Python SDK
• Qlik-API
• REST calls

Prerequisites

• OAuth client with M2M flow enabled. Create an OAuth Client
• Qlik-CLI installed on your machine. Get started with Qlik-CLI
• Qlik Python SDK. Python
• Qlik Typescript API. TypeScript

Using OAuth clients with Qlik-CLI

Qlik-CLI allows you to authenticate to your tenant using an OAuth M2M client.

You can initialize a new context using the following command:

qlik context init <context name>

Then, enter your tenant URL.

Acquiring access to Qlik Cloud

Specify your tenant URL, usually in the form: https://<tenant>.<region>.qlikcloud.com
Where <tenant> is the name of the tenant and <region> is eu, us, ap, and so forth.
Enter tenant url:

Then, you need to choose OAuth for the authentication type.

Specify what type of authentication should be used i.e API-Key (A) or OAuth (O). Default is API-Key (A).
A/O?: O

Then, provide the OAuth Client ID and Client Secret.

To complete this setup, you must have a Client ID and Client Secret for OAuth. If you’re unsure, you can ask your tenant administrator or go to Get started with Qlik-CLI.

Client ID: <my-client-id>

Client Secret: <my-client-secret>

The context is now ready to use. Start by executing qlik-cli commands.

qlik user me

Qlik API

Install @qlik/api using:

npm i @qlik/api

Next, create a JavaScript (.js) file and paste the following code in it. Remember to modify it to include your host, clientId, and clientSecret you obtained previously.

import { auth, spaces } from "@qlik/api";

const hostConfig = {
  host: "your-tenant.region.qlikcloud.com",
  authType: "oauth2",
  clientId: "<client-id>",
  clientSecret "<client-secret>",
};

auth.setDefaultHostConfig(hostConfig);

async function main() {
  const { data: mySpaces } = await spaces.getSpaces({});
  console.log(mySpaces.data); // the data response (list of spaces)
}

await main();

Run the JavaScript file you previously created. The response will have a JSON object containing the user’s information.

Python

Install the SDK using:

python3 -m pip install --upgrade qlik-sdk

Next, create a Python (.py) file and paste the following code in it. Remember to modify it to include your host, clientId, and clientSecret you obtained previously.

from qlik_sdk import Auth, AuthType, Config

# define your OAuth client
client = Auth(
    config=Config(
        auth_type=AuthType.OAuth2,
        host=<YOUR_TENANT_HOST>,
        client_id=<YOUR_OAUTH_M2M_CLIENT_ID>,
        client_secret=<YOUR_OAUTH_M2M_CLIENT_SECRET>,
    )
)

# authorize the client
client.authorize()

# test the client by making a REST call.
# in this example we are using the '/users/me'
# endpoint. It will return a JSON object
# containing the user's information.
response = client.rest(path="/users/me")

Run the Python file you previously created. The response will have the user’s information.

Making REST Calls

Note: This section doesn’t require the Qlik SDK.

You can make REST calls with the M2M OAuth client. First, you need to obtain an access token.

curl POST 'https://<tenant>.<region>.qlikcloud.com/oauth/token' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--data-raw '{
    "client_id": <OAUTH_M2M_CLIENT_ID>,
    "client_secret": <OAUTH_M2M_CLIENT_SECRET>,
    "grant_type": "client_credentials"
}'

You will get a response, similar to the one below, which contains an access_token that you can use to make REST calls.

{
    "access_token": "eyJhbGciOiJFUzM4NCIsInR...",
    "token_type": "bearer",
    "expires_at": "2022-11-11T01:08:54.000Z",
    "expires_in": 21600
}

Next, you can use the token you created to make REST calls. In this example you are calling the /api/v1/tenants/me endpoint, which will return a JSON object containing the tenant’s information.

curl --location --request GET 'https://<tenant>.<region>.qlikcloud.com/api/v1/tenants/me' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'