Skip to main content Skip to complementary content

Creating and managing OAuth clients

OAuth is a standard security protocol for authorization and delegation. It allows third party applications to access API resources without disclosing the end-user credentials. An OAuth client can obtain an authorization code and exchange it for an access token that can be used to access Qlik Cloud content through APIs.

Public and confidential clients

OAuth has two client types, public clients and confidential clients, to secure authorization between an application (the client) and the authorization server (Qlik Cloud).

Public clients

Public clients are applications that don’t use the client secret because they can’t maintain the confidentiality of the required credentials. Public clients in Qlik Cloud are often frontend applications like single-page applications with embedded analytics or a custom visualization extension in Qlik Sense requiring information about the end user to support the application lifecycle.

See : RFC 6749 Section 2.1: OAuth 2.0 Client Types.

Qlik Cloud supports confidential clients for traditional web (server-side) applications, and public clients for native and single-page applications using specific grant types.

Confidential clients

A confidential client is an application that maintains a client ID and a client secret in a secure manner without exposing them to unauthorized parties. Confidential clients can have access to protected resources because they are in possession of the client secret. An example of a confidential client is a web application with a secure backend interacting with Qlik Cloud APIs to orchestrate data refresh tasks or manage user access to content.

Authorization grant types

Qlik supports two authorization grant types, or flows: Authorization Code Flow and Authorization Code Flow with Proof Key for Code Exchange (PKCE). These flows are very similar, but they support different use cases.

Authorization code flow

Traditional web applications are server-side applications where the source code is not publicly exposed, therefore they can use the authorization code flow, which exchanges an authorization code for a token. Web applications that use this flow must be server-side because the application’s client secret is passed to the authorization server during the exchange for a token.

Information noteSharing the client secret in public jeopardizes the security of your tenant. Always keep the client secret for your application secure and private.

See: Authorization Code Flow for more details.

Authorization code flow with proof key for code exchange (PKCE)

Native and single-page applications cannot store a client secret because their source code is accessible through decompiling the app or viewing the app source through a browser, respectively. PKCE adds an additional layer of protection on public clients by requiring the use of a code verifier to obtain an access token.

See: Authorization Code Flow with Proof Key for Code Exchange (PKCE) for more details.

Limiting scopes available to OAuth clients

OAuth scopes provide a way to limit the amount of access that is granted to OAuth client apps. For example, an access token issued to a client app may be granted full access to protected resources, or just read access.

In Qlik Cloud, scopes provide a way of controlling client access to the available functionality and resources. Each scope grants a different level of access. Clients without scopes will not be able to access any resources.

Creating an OAuth client

OAuth clients are administered by tenant admins from the Administration activity center on the OAuth page.

With an OAuth client you can integrate your client application with Qlik Cloud.

To learn how to create an OAuth client for deployment and installation of the Qlik add-in for Microsoft Excel, see Creating an OAuth client for the Qlik add-in for Microsoft Excel.

Do the following:

  1. In the Administration activity center, go to OAuth.

  2. Click Create new.

  3. Select a client type.

    Use Web for confidential clients and Single-page app or Native for public clients.

  4. In the dialog, give the OAuth client a name.

  5. Optionally, add a description.

  6. Select any of the available scopes, either by scrolling or using the search field.

    Scope Permission
    user_default Full access to your account and content
    admin_classic

    Full administrator access to your tenant

    See also: Deploying and administering Qlik Cloud

    Information noteNot supported with Single-page app and Native client types.
    admin.apps

    Read and manage all apps in the tenant.

    See also: Managing apps

    Indicates a child item admin.apps:export

    Export all apps in the tenant

    See also: Exporting apps

    Indicates a child item admin.apps:read

    Read all apps in the tenant
    admin.automations

    Read and manage all automations in the tenant

    See also: Managing automations

    Indicates a child item admin.automations:read

    Read all automations in the tenant
    admin.spaces

    Read and manage all spaces in the tenant

    See also: Managing spaces

    Indicates a child item admin.spaces:read

    Read all spaces in the tenant
    apps

    Read and manage your apps

    See also: Managing apps

    Indicates a child item apps:export

    Export your apps

    See also: Exporting apps

    Indicates a child item apps:read

    Read your apps
    automations

    Read and manage your automations

    See also: Managing automations

    Indicates a child item automations:read

    Read your automations
    automl-experiments Read and manage your ML experiments
    automl-deployments Read and manage your ML deployments
    identity.email:read

    Read your email address

    See also: Identity providers in Qlik Cloud

    identity.name:read

    Read your full name
    identity.picture:read

    Read your profile picture

    See also: Identity providers in Qlik Cloud

    identity.subject:read

    Read your user subject identifier
    spaces.data

    Read and manage your data spaces

    See also: Managing spaces

    Indicates a child item spaces.data:read

    Read your data spaces
    spaces.managed

    Read and manage your managed spaces

    See also: Managing spaces

    Indicates a child item spaces.managed:read

    Read your managed spaces
    spaces.shared

    Read and manage your shared spaces

    See also: Managing spaces

    Indicates a child item spaces.shared:read

    Read your shared spaces
    offline_access

    Access resources while you are offline

    Information noteNot supported with the Single-page app client type.
    Information noteYou can use the All and Selected buttons above the list to show all scopes or only selected scopes.
    Information noteThe above list reflects the scopes supported in the initial release. A full list of scopes - including any scopes added after the initial release - can be found on the Qlik Developer Portal.
  7. Enter one or more redirect URLs for the OAuth client application.

    Tip noteThe redirect URL is where the authorization server sends the user's browser after successfully authenticating and granting permission to the client application. For example, https://www.exampleapp.com/oauth/callback, where /oauth/callback handles authentication callbacks from the OAuth provider.

    Qlik Cloud will redirect the user back to the application after a successful authorization only if its URL is in the allowlist of redirect URLs. URLs must begin with https:// unless the domain is localhost, in which case it can start with http://. Native apps can also use the application specific link format, for example, exampleapp://.

    Click Add to add the redirect URL to the allowlist.

  8. For client type Web or Single-page app, specify one or more allowed origins. Access to the application will only be granted if the URL is added to the allowed origins list.

  9. For client type Web, you can enable Allow Machine-to-Machine (M2M) or Allow M2M user impersonation for automated system access without user interaction. M2M impersonation allows your application to act on behalf of users during authentication.

  10. Click Create.

  11. Click Copy to clipboard to save the client ID and client secret for later use. Store the client secret in a secure location. Click Done.

    Information notePublic clients will not have any client secret.
Information noteFor an overview of different use cases, see Summary of use cases and OAuth types to use.

Creating an OAuth client for the Qlik add-in for Microsoft Excel

An OAuth client configuration is required to install the Qlik add-in for Microsoft Excel. The add-in is used by report developers to prepare report templates which control output of tabular reports from the Qlik Sense app.

For OAuth to work in the add-in, the OAuth client needs to be configured with the exact configuration shown below.

Do the following:

  1. In the Administration activity center, in Qlik Cloud, go to OAuth.

  2. Click Create new.

  3. In the Client type dropdown menu, select Single-page app. More fields will appear.

  4. Insert a Name. The Description is optional.

  5. At minimum, select the checkbox to include the user_default scope. You can include other scopes in the configuration, but without user_default, installation will not work.

    See Creating an OAuth client for a full description of each available scope.

  6. In the Add redirect URLs field, insert the URL of your tenant, followed by the fixed string: /office-add-ins/oAuthLoginSuccess.html

    The result should look like this: https://YourServer/office-add-ins/oAuthLoginSuccess.html

  7. Click Add.

  8. In the Add allowed origins field, insert your tenant URL and click Add.

  9. Click Create.

  10. The Copy your Client ID window appears. You can choose to copy the Client ID to clipboard, or click Done to close the window.

After you have created the OAuth client, obtain the link to the updated manifest XML file from the Administration activity center. Go to the Settings page, and navigate to Sharing and reportsExcel add-in within the Administration activity center. Use this link to deploy and install the add-in.

For more information about generating the manifest file, as well as deploying and installing an add-in, see:

Creating an OAuth client for anonymous embeds of app content

To embed app content for anonymous access using qlik-embed, you need to create an OAuth client with a type specifically designed for this use case.

Information note This functionality is only available with a Qlik Anonymous Access subscription. For more information, see Qlik Anonymous Access subscriptions.
  1. In the Administrationactivity center, go to the OAuth section.

  2. Click Create new.

  3. In the Client type dropdown menu, select Anonymous embed.

  4. Enter a Name and optionally a Description for the OAuth client.

  5. Under Allowed origins, enter each origin that you need to authorize. These are the domains that will be accessing the Qlik Cloud tenant to retrieve the information for the embedded analytics.

    Click Add after inserting each URL.

  6. When you are done, click Create.

  7. Click Copy to clipboard to save the client ID  for later use. It will be needed when the app content is embedded with qlik-embed.

  8. Click Done.

Editing an OAuth client

You can rename an OAuth client, update the description, or manage the redirect URLs.

Do the following:

  1. In the Administration activity center, go to OAuth.
  2. Select the OAuth client that you want to edit. Click ... and then select Edit.
  3. In the dialog, change the OAuth client options as required.
  4. Click Save.

Publishing an OAuth client

Created OAuth clients are automatically bound to the tenant that created it. You can configure an OAuth client to be shared and available to all other tenants within a region. Third-party applications connecting to Qlik Cloud can then have the same client ID for all Qlik Cloud tenants. The application owner can rotate secrets and update the configuration without interaction from a tenant admin. Tenant admins won't need to manage credentials or know about any configuration details.

To allow other tenants to connect to an OAuth client, it needs to be published.

Do the following:

  1. In the Administration activity center, go to OAuth.
  2. Select the OAuth client that you want to publish. Click ... and then select Publish.
  3. Click Publish.

When a user navigates to an external website that uses Qlik OAuth, they are prompted for tenant hostname, and subsequently also for user credentials, unless the user already has an active SaaS session. The first time login with an external OAuth client requires consent from a tenant admin. When approved, the new OAuth client is shown in the Administration activity center.

Consent method

You have two options for consent: Required and Trusted. With Required, authorization using the OAuth client will prompt for consent each time a new scope is requested for the user. With Trusted, the user is not prompted. You can only use Trusted for clients that aren't published. For published clients, the consent method is always Required.

Information noteFor clients being used as M2M, the consent method must be set to Trusted after creating the client.

Viewing and copying the OAuth configuration

In the OAuth section of the Administration activity center, select View OAuth configuration to display the configuration as a code snippet and a URL to copy.

Deleting an OAuth client

You can delete an OAuth client when it is no longer needed or to revoke access.

Do the following:

  1. In the Administration activity center, go to OAuth.

  2. Select the OAuth client that you want to remove, and then click Delete.

    Information noteYou can remove more than one OAuth client at a time.
  3. Confirm that you want to delete the OAuth client.

Managing client secrets

You may need to add or remove a client secret if, for example, a client secret gets compromised or your security policy requires that you periodically update the client secret. You can also add multiple client secrets to prevent downtime in the application. For example, you can create a second secret, deploy the new secret in your client application, and then delete the old secret.

Do the following:

  1. In the Administration activity center, go to OAuth.
  2. Select the OAuth client that you want to manage. Click ... and then select Manage secrets.
  3. In the dialog, do one of the following:
    • To add a new client secret, click Generate a new client secret.
    • To remove a client secret, click Delete adjacent to the client secret.
  4. Click Close.

Build an OAuth client application to access Qlik Cloud

After you have registered an OAuth client with Qlik Cloud, you can use the associated client ID and client secret in your own OAuth client application. Tutorials are available in the OAuth section of the Developer portal for building client applications using some of the most popular coding languages.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!