Manage OAuth clients via API
Qlik Cloud supports the use of OAuth clients for a multitude of use cases, including automation, orchestration, embedded analytics, and more.
To enable the programmatic creation and management of OAuth clients, the oauth-clients
API has been published. This API supports list, retrieve, create, update, and deletion
actions for OAuth clients on a tenant.
A common use case involves OEMs embedding Qlik Cloud, where each new OEM customer lands in their own Qlik Cloud tenant. OAuth M2M impersonation authenticates users from the OEM web app to Qlik Cloud. In this scenario, as part of tenant provisioning, a new OAuth client for machine-to-machine impersonation must be configured.
To deploy a new OAuth machine-to-machine impersonation client:
curl --location "https://<TENANT>/api/v1/oauth-clients" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "{
\"appType\": \"web\",
\"clientName\": \"my-embedded-portal\",
\"description\": \"This is an OAuth client created using API calls.\",
\"allowedScopes\": [
\"user_default\"
],
\"redirectUris\": [
\"https://my-web-app.com/callback\"
],
\"allowedGrantTypes\": [
\"client_credentials\",
\"urn:qlik:oauth:user-impersonation\"
]
}"
This operation returns the definition of the new OAuth client with a 201 status code:
{
"allowedGrantTypes": [
"client_credentials",
"urn:qlik:oauth:user-impersonation"
],
"allowedScopes": [
"user_default"
],
"appType": "web",
"clientId": "<CLIENT_ID>",
"clientName": "my-embedded-portal",
"clientSecret": "<CLIENT_SECRET>",
"clientSecretHint": "e6815",
"clientUri": "",
"createdAt": "2024-03-18T17:26:30.342260287Z",
"description": "This is an OAuth client created using API calls.",
"logoUri": "",
"ownerId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
"redirectUris": [
"https://my-web-app.com/callback"
]
}
To change the consent method to trusted, pass the ID of the new OAuth client into
the path as <CLIENT_ID>:
curl --location --request PATCH "https://<TENANT>/api/v1/oauth-clients/<CLIENT_ID>/connection-configs/me" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/consentMethod\",
\"value\": \"trusted\"
}
]"
If successful, this returns an empty body and a 204 status code. Once created, your web
application’s back-end can request a new token for each user session with a call
to the existing OAuth API using the credentials
for the OAuth client you just created:
curl --location "https://<TENANT>/oauth/token" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "{
\"client_id\": \"<CLIENT_ID>\",
\"client_secret\": \"<CLIENT_SECRET>\",
\"grant_type\": \"urn:qlik:oauth:user-impersonation\",
\"scope\": \"user_default\",
\"user_lookup\":
{
\"field\": \"userId\",
\"value\": \"6422bad8022070c06d2417bc\"
}
}"
If successful, this returns a 200 status code along with a token. The token
can be used by a client of the OEM embedded application to impersonate
the specified user:
{
"access_token": "eyJhbGci...",
"scope": "user_default",
"token_type": "bearer",
"expires_at": "2024-03-18T00:21:41.000Z",
"expires_in": 21600
}
Learn more about OAuth clients
To discover more about OAuth clients:
- Learn about support and use cases for OAuth clients in Qlik Cloud.
- Visit the
oauth-clientAPI reference to learn about the API.