Build a simple Java OAuth client to access Qlik Sense SaaS

1 Introduction

This tutorial shows you how to use the Java OAuth Spring client with Qlik Sense SaaS.

2 Prerequisites

For this tutorial you will need:

  1. A client ID and client secret created from the management console.
  2. A development environment prepared with JDK 11+ and Maven 3.6+.

3 Setup

3.1 Spring Dependencies

In your project's pom.xml file, include the following dependencies:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-webflux</artifactId>
</dependency>

3.2 Spring Configuration

In your application.properties, define the following configuration. Replace CLIENT_ID, CLIENT_SECRET, your.tenant.domain, and you.project.domain with your own values. Make sure the value of spring.security.oauth2.client.registration.qlik.redirectUri is in your identity provider's allowed list of redirect URLs.

# the name of the OAuth2 provider
spring.security.oauth2.client.registration.qlik.provider=qlik
# the scopes to use when requesting the authorization
spring.security.oauth2.client.registration.qlik.scope=user_default
# OAuth2 client Id
spring.security.oauth2.client.registration.qlik.clientId=CLIENT_ID
# OAuth2 client secret
spring.security.oauth2.client.registration.qlik.clientSecret=CLIENT_SECRET
# the client authentication method
spring.security.oauth2.client.registration.qlik.clientAuthenticationMethod=client_secret_post
# the authorization grant type
spring.security.oauth2.client.registration.qlik.authorizationGrantType=authorization_code
# the redirect URL after a successful login
spring.security.oauth2.client.registration.qlik.redirectUri=https://you.project.domain/login/oauth2/code/qlik
# user's information uri
spring.security.oauth2.client.provider.qlik.userInfoUri=https://your.tenant.domain/api/v1/users/me
# the field name of the name attribute in the user's information response
spring.security.oauth2.client.provider.qlik.userNameAttribute=name
# the authorization endpoint uri
spring.security.oauth2.client.provider.qlik.authorization-uri=https://your.tenant.domain/oauth/authorize
# the token endpoint uri
spring.security.oauth2.client.provider.qlik.token-uri=https://your.tenant.domain/oauth/token

3.3 Spring Web Filter Configuration

Enable the Spring web security component by annotating your configuration class with @EnableWebFluxSecurity. In your SecurityWebFilterChain configuration bean, make sure to enable oauth2Login(), which requires users to authenticate using OAuth. Allow any endpoints that do not require authentication with pathMatchers("/").permitAll(). All other endpoints are protected by anyExchange().authenticated(). It is also recommended to provide a custom AuthorizationRequestResolver that uses the Proof Key for Code Exchange (PKCE) flow. See the example below:

SecurityWebFilterChain Example
@Bean
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
    return http.authorizeExchange()
        .pathMatchers("/").permitAll() // allows any request to "/"
        .anyExchange().authenticated() // all other requests require authentication
        .and().oauth2Login().authenticationSuccessHandler(successHandler(http))
        // it is recommended to add the PKCEAuthorizationRequestResolver to enable PKCE flow
        .authorizationRequestResolver(new PKCEAuthorizationRequestResolver(reactiveClientRegistrationRepository))
        .and()
        .build();
}
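
The PKCEAuthorizationRequestResolver referenced in the bean above is not shown on this page. One possible implementation follows as an added example (not Qlik's or Spring's own code). It assumes Spring Security 5.2 or later, where the authorization-code token request sends the code_verifier stored in the request attributes:

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Added example: wraps Spring's default resolver and adds PKCE (RFC 7636, S256).
public class PKCEAuthorizationRequestResolver implements ServerOAuth2AuthorizationRequestResolver {
    private final ServerOAuth2AuthorizationRequestResolver delegate;
    private final SecureRandom random = new SecureRandom();
    public PKCEAuthorizationRequestResolver(ReactiveClientRegistrationRepository repo) {
        this.delegate = new DefaultServerOAuth2AuthorizationRequestResolver(repo);
    }
    @Override
    public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange exchange) {
        return delegate.resolve(exchange).map(this::withPkce);
    }
    @Override
    public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange exchange, String registrationId) {
        return delegate.resolve(exchange, registrationId).map(this::withPkce);
    }
    private OAuth2AuthorizationRequest withPkce(OAuth2AuthorizationRequest request) {
        // Leave the request alone if the delegate already applied PKCE.
        if (request.getAttribute(PkceParameterNames.CODE_VERIFIER) != null) return request;
        byte[] raw = new byte[32]; // 32 random bytes -> 43-character verifier
        random.nextBytes(raw);
        String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // The verifier is kept with the saved request (server side), never sent to the browser.
        Map<String, Object> attributes = new HashMap<>(request.getAttributes());
        attributes.put(PkceParameterNames.CODE_VERIFIER, verifier);
        // Only the SHA-256 challenge travels in the authorization redirect.
        Map<String, Object> params = new HashMap<>(request.getAdditionalParameters());
        params.put(PkceParameterNames.CODE_CHALLENGE, s256(verifier));
        params.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256");
        return OAuth2AuthorizationRequest.from(request)
            .attributes(attributes).additionalParameters(params).build();
    }
    // code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), without padding
    static String s256(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```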

3.4 Obtaining the Access Token

When a user tries to access a page that requires authentication, Spring redirects the user to the authorization endpoint configured in step 3.2. Spring then completes the Authorization Code flow, obtains the access token, and assigns the user a new session associated with the token.

3.5 Calling Qlik Sense SaaS APIs using the Access Token

You can create an OAuth web client that can automatically use the authenticated user's access token in making requests to Qlik Sense SaaS.

@Bean
public WebClient oauth2WebClient(ReactiveClientRegistrationRepository clientRegistrations, ServerOAuth2AuthorizedClientRepository authorizedClients) {
    // Reactor Netty HTTP client that follows redirects
    HttpClient httpClient = HttpClient.create().followRedirect(true);
    // Filter that attaches the authorized client's access token to outgoing requests
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth = new ServerOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrations, authorizedClients);
    // Default to the currently authenticated user's authorized client
    oauth.setDefaultOAuth2AuthorizedClient(true);
    return WebClient.builder().filter(oauth).clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}

You can now use the created oauth2WebClient to access Qlik Sense SaaS APIs, for example:

String TENANT_ENDPOINT_URL = "https://your.tenant.domain/api/v1/tenants/me";
Mono<Tenant> tenant = oauth2WebClient.get().uri(TENANT_ENDPOINT_URL).retrieve().bodyToMono(Tenant.class);