Changelog

Learn about new developer features and improvements.

Introducing OAuth machine-to-machine impersonation for embedded analytics

When you embed Qlik Cloud into your web applications, you likely need an authentication strategy that still works when browsers block third-party cookies.

Qlik is introducing support for OAuth impersonation tokens, which can be generated using a confidential OAuth machine-to-machine client for users in your Qlik Cloud tenant. Impersonation tokens are ideal for scenarios where:

  • The identity provider for your web application does not match the one configured for your Qlik Cloud tenant.
  • You wish to handle authentication on your backend.
  • You wish to avoid client-side redirects in the browser.

If you intend to implement a client-side (front-end) authentication strategy, or if your web application does not have a backend component, you should use OAuth SPA for your application.

Considerations if moving from JWT

This capability provides a comparable experience to using JWT to authenticate from a web application to Qlik Cloud, with the benefit of not being blocked by third-party cookie restrictions.

The key difference is that OAuth impersonation requires users to already exist in the tenant and relies on their pre-existing user group mappings; it does not support updating groups on the fly during token requests. This means that:

  • Users must exist in the tenant prior to requesting an impersonation token. You can accomplish this with qlik-api as part of the login flow.
  • You cannot update user-to-group mappings when requesting the impersonation token. If you wish to leverage groups for your security model, you should first impersonate a user login on the backend using JWT to associate the required groups with your user.

Learn more about OAuth impersonation

To discover more: