Creating and managing OAuth clients
OAuth is a security protocol for authorization and delegation. It allows third-party applications to access API resources without disclosing end-user credentials. An OAuth client requests an authorization code, exchanges it for an access token, and uses the token to access Qlik Cloud content through APIs.
OAuth client types
An OAuth client is a web application or software that requests access to resources in Qlik Cloud on behalf of a user. OAuth defines two client types—public clients and confidential clients—to secure authorization between an application (the client) and the authorization server (Qlik Cloud).
Qlik Cloud supports confidential clients for traditional web (server-side) applications and public clients for native and single-page applications using specific authorization flows.
For the official OAuth 2.0 specification on client types, see RFC 6749 Section 2.1: OAuth 2.0 Client Types.
Public clients
Public clients are applications that do not use the client secret because they cannot maintain the confidentiality of the required credentials. In Qlik Cloud, these include frontend applications like single-page applications (SPA) with embedded analytics or custom visualization extensions in Qlik Sense requiring user authentication.
Confidential clients
Confidential clients can securely store a client ID and client secret and use them to authenticate with the authorization server. These clients can access protected resources because they possess the client secret.
Example: A web application with a secure backend that interacts with Qlik Cloud APIs to manage user access or orchestrate data refresh tasks.
OAuth authorization flows
Qlik supports two authorization flows (grant types):
- Authorization code flow: for confidential clients.
- Authorization code flow with Proof Key for Code Exchange (PKCE): for public clients.
Authorization code flow
This flow is used by server-side applications where the source code is not publicly exposed. It involves exchanging an authorization code for an access token, with the client secret used for authentication. Web applications using this flow must be server-side because the client secret is passed to the authorization server during the token exchange.
For more information about the authorization code flow, see the official OAuth 2.0 documentation: Authorization Code Flow.
Authorization code flow with PKCE
Native and single-page applications cannot securely store a client secret because their source code can be decompiled or inspected in a browser. PKCE enhances security by requiring the use of a code verifier to obtain an access token.
For more information about authorization with PKCE, see the official OAuth 2.0 documentation: Authorization Code Flow with Proof Key for Code Exchange (PKCE).
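As an added illustration (not code from Qlik or from this page), the PKCE step described above in Python: the public client generates a one-time code verifier, sends only its SHA-256 challenge in the authorization request, and later proves possession of the verifier at the token endpoint, so no client secret is ever shipped in the browser or app binary. The /oauth/authorize path, the client ID and the redirect URL are placeholders assumed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy, one-time code_verifier that never leaves the client (43 chars)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(verifier)); safe to expose in the URL."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The check an authorization server performs at the token endpoint before
    issuing a token: the presented verifier must hash to the stored challenge."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, verifier: str) -> str:
    """Authorization request for a public client: challenge instead of a secret.
    The /oauth/authorize path is an assumption for this example, not from the page."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must exactly match a registered redirect URL
        "scope": scope,
        "state": state,                 # CSRF binding between request and callback
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"https://{tenant}/oauth/authorize?" + urlencode(params)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorize_url("YourServer", "CLIENT_ID_PLACEHOLDER",
                              "https://www.exampleapp.com/oauth/callback",
                              "user_default", secrets.token_urlsafe(16), verifier))
    # The later token request carries the code plus this verifier; the server
    # recomputes the challenge and compares it with the one it stored.
    print(verify_code_challenge(verifier, make_code_challenge(verifier)))
```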
OAuth scopes and permissions
OAuth scopes define the level of access granted to OAuth client applications. For example, an access token can allow full access to resources or restrict it to read-only access. In Qlik Cloud, scopes control client access to available functionality and resources. Without scopes, clients cannot access any resources.
Available OAuth scopes
The table lists available scopes and their associated permissions:
Scope | Permission |
---|---|
user_default | Full access to your account and content |
admin_classic | Full administrator access to your tenant. See also: Deploying and administering Qlik Cloud. Information note: Not supported with the Single-page app or Native client types. |
admin.apps | Read and manage all apps in the tenant. See also: Managing apps |
 | Export all apps in the tenant. See also: Exporting apps |
 | Read all apps in the tenant |
admin.automations | Read and manage all automations in the tenant. See also: Managing automations |
 | Read all automations in the tenant |
admin.spaces | Read and manage all spaces in the tenant. See also: Managing spaces |
 | Read all spaces in the tenant |
apps | Read and manage your apps. See also: Managing apps |
 | Export your apps. See also: Exporting apps |
 | Read your apps |
automations | Read and manage your automations. See also: Managing automations |
 | Read your automations |
automl-experiments | Read and manage your ML experiments |
automl-deployments | Read and manage your ML deployments |
identity.email:read | Read your email address. See also: Identity providers in Qlik Cloud |
identity.name:read | Read your full name |
identity.picture:read | Read your profile picture. See also: Identity providers in Qlik Cloud |
identity.subject:read | Read your user subject identifier |
spaces.data | Read and manage your data spaces. See also: Managing spaces |
 | Read your data spaces |
spaces.managed | Read and manage your managed spaces. See also: Managing spaces |
 | Read your managed spaces |
spaces.shared | Read and manage your shared spaces. See also: Managing spaces |
 | Read your shared spaces |
offline_access | Access resources while you are offline. Information note: Not supported with the Single-page app client type. |
Creating OAuth clients
Tenant admins manage OAuth clients in the Administration activity center on the OAuth page. With an OAuth client, you can integrate your client application with Qlik Cloud to access resources securely.
Limits on OAuth clients
The following limits apply:
- Maximum of 5 redirect URLs per client.
- Maximum of 5 allowed origins per client.
- Maximum of 5 client secrets per client.
- Maximum of 200 OAuth clients per tenant.
Steps to create an OAuth client
Do the following:
- In the Administration activity center, go to OAuth.
- Click Create new.
- Select a client type:
  - Web for confidential clients.
  - Single-page app or Native for public clients.
- In the dialog, enter a name for the OAuth client.
- Optionally, add a description.
- Select any of the available scopes by either scrolling or using the search field.
  Tip note: Use the All and Selected buttons to view all scopes or only the selected ones.
- Enter one or more redirect URLs for the OAuth client application (maximum of 5). Then click Add to add the redirect URL to the allowlist.
  - The redirect URL is where the authorization server sends the user's browser after the user has successfully authenticated and granted permission to the client application. For example, https://www.exampleapp.com/oauth/callback, where /oauth/callback handles authentication callbacks from the OAuth provider.
  - Qlik Cloud redirects the user back to the application after a successful authorization only if the application's URL is in the allowlist of redirect URLs.
  - URLs must begin with https:// unless the domain is localhost, in which case they can start with http://. Native apps can also use the application-specific link format, for example, exampleapp://.
- For the Web or Single-page app client types, specify one or more allowed origins (maximum of 5).
  - Access to the application is only granted if its URL is added to the allowed origins list.
- For the Web client type, you can enable one of the following options for automated system access without user interaction:
  - Allow Machine-to-Machine (M2M): Enables system-to-system communication without user involvement.
  - Allow M2M user impersonation: Allows your application to authenticate on behalf of users, acting as them during the authentication process.
- Click Create.
- Click Copy to clipboard to save the client ID and client secret for later use. Store the client secret securely.
  Information note: Public clients do not have a client secret.
- Click Done.
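To make the redirect URL rules in the procedure above concrete, an added Python example (not Qlik's code) that applies them the way a defender would expect an authorization server to: exact-match allowlisting, the https:// / localhost / application-link scheme rules, and the limit of 5 entries per client. The client type names and all URLs are constructed for the example.

```python
from urllib.parse import urlsplit

MAX_REDIRECT_URLS = 5  # per-client limit stated on this page
CLIENT_TYPES = {"web", "single-page app", "native"}  # constructed labels


def is_valid_redirect_url(url: str, client_type: str) -> bool:
    """Scheme rules from the page: https:// always; http:// only for localhost;
    application-specific links (for example exampleapp://) only for Native clients."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return bool(parts.netloc)
    if parts.scheme == "http":
        return parts.hostname == "localhost"
    if client_type == "native":
        return parts.scheme != ""  # custom app link such as exampleapp://
    return False


class RedirectAllowlist:
    """Per-client allowlist as registered on the OAuth page; matching is exact."""

    def __init__(self, client_type: str) -> None:
        if client_type not in CLIENT_TYPES:
            raise ValueError(f"unknown client type: {client_type}")
        self.client_type = client_type
        self.urls: list[str] = []

    def add(self, url: str) -> None:
        if not is_valid_redirect_url(url, self.client_type):
            raise ValueError(f"redirect URL not allowed for {self.client_type}: {url}")
        if url in self.urls:
            return
        if len(self.urls) >= MAX_REDIRECT_URLS:
            raise ValueError(f"maximum of {MAX_REDIRECT_URLS} redirect URLs per client")
        self.urls.append(url)

    def is_allowed(self, redirect_uri: str) -> bool:
        """Exact string comparison: no prefix, wildcard or look-alike-host matching,
        so a variant of a registered URL is never honoured at authorization time."""
        return redirect_uri in self.urls
```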
OAuth clients for specific use cases
For OAuth client use cases, refer to the following resources:
- OAuth Overview on the Qlik Developer Portal: Overview of OAuth use cases and the different OAuth types.
- Creating an OAuth client for the Qlik add-in for Microsoft Excel: Set up an OAuth client for installation of the Qlik add-in for Microsoft Excel.
- Creating an OAuth client for anonymous embeds of app content: Create an OAuth client to enable anonymous access to embedded app content.
Creating an OAuth client for the Qlik add-in for Microsoft Excel
An OAuth client configuration is required to install the Qlik add-in for Microsoft Excel. Report developers use the add-in to prepare report templates that control the output of tabular reports from the Qlik Sense app.
For OAuth to work in the add-in, the OAuth client must be configured exactly as described below.
Do the following:
- In the Administration activity center, in Qlik Cloud, go to OAuth.
- Click Create new.
- In the Client type dropdown menu, select Single-page app. More fields will appear.
- Insert a Name. The Description is optional.
- At minimum, select the checkbox to include the user_default scope. You can include other scopes in the configuration, but without user_default, installation will not work.
  See Available OAuth scopes for a full description of each available scope.
- In the Add redirect URLs field, insert the URL of your tenant, followed by the fixed string: /office-add-ins/oAuthLoginSuccess.html
  The result should look like this: https://YourServer/office-add-ins/oAuthLoginSuccess.html
- Click Add.
- In the Add allowed origins field, insert your tenant URL and click Add.
- Click Create.
- The Copy your Client ID window appears. You can choose to copy the Client ID to clipboard, or click Done to close the window.
After you have created the OAuth client, obtain the link to the updated manifest XML file from the Administration activity center. Go to the Settings page, and navigate to Sharing and reports > Excel add-in within the Administration activity center. Use this link to deploy and install the add-in.
For more information about generating the manifest file, as well as deploying and installing an add-in, see:
- Deploying and installing the Qlik add-in for Microsoft Excel
- Managing installation manifests for the Qlik add-in for Microsoft Excel
Creating an OAuth client for anonymous embeds of app content
To embed app content for anonymous access using qlik-embed, you need to create an OAuth client with a type specifically designed for this use case.
Do the following:
- In the Administration activity center, go to the OAuth section.
- Click Create new.
- In the Client type dropdown menu, select Anonymous embed.
- Enter a Name and optionally a Description for the OAuth client.
- Under Allowed origins, enter each origin that you need to authorize. These are the domains that will be accessing the Qlik Cloud tenant to retrieve the information for the embedded analytics.
  Click Add after inserting each URL.
- When you are done, click Create.
- Click Copy to clipboard to save the client ID for later use. It will be needed when the app content is embedded with qlik-embed.
- Click Done.
Editing OAuth clients
You can rename an OAuth client, update the description, or manage the redirect URLs.
Do the following:
- In the Administration activity center, go to OAuth.
- Locate the OAuth client that you want to edit.
- Click the menu button next to the client and then select Edit.
- Modify the OAuth client options as required.
- Click Save.
Deleting OAuth clients
You can delete an OAuth client when it is no longer needed or to revoke access.
Do the following:
- In the Administration activity center, go to OAuth.
- Select one or more OAuth clients that you want to remove, and then click Delete.
- Confirm the deletion.
Publishing OAuth clients
OAuth clients are initially bound to the tenant that created them. However, you can configure an OAuth client to be shared across multiple tenants within the same region. This enables third-party applications to use the same client ID across different Qlik Cloud tenants.
Application owners can rotate secrets and update the configuration without interaction from a tenant admin. Tenant admins do not need to manage credentials or be aware of any configuration details for the published client.
To allow other tenants to connect to an OAuth client, you must publish it.
Do the following:
- In the Administration activity center, go to OAuth.
- Locate the OAuth client that you want to publish.
- Click the menu button next to the client and select Publish.
- Click Publish to confirm.
Once the OAuth client is published, it becomes available for external use by other tenants. When a user visits an external website that uses this OAuth client, they will be prompted to enter their tenant hostname and user credentials, unless they already have an active SaaS session.
The initial login will require consent from a tenant administrator. Once approved, the OAuth client will appear in the Administration activity center of the tenant.
Consent methods
By default, Qlik Cloud prompts users for consent when authenticating. To streamline the process, especially for trusted applications, you can set the consent method to "Trusted," which skips the consent prompt.
There are two options for consent:
-
Required: The user is prompted for consent each time a new scope is requested by the OAuth client. This method ensures explicit user approval for each access level.
-
Trusted: The user is not prompted for consent. This option is only available for unpublished clients. For published clients, the consent method is always Required to maintain security across multiple tenants.
Changing the consent method
To change the consent method for an OAuth client, do the following:
- In the Administration activity center, go to OAuth.
- On the OAuth client, click the menu button and select Change consent method.
- Select Required or Trusted and then click Change consent method.
Viewing and copying the OAuth configuration
In the OAuth section of the Administration activity center, select View OAuth configuration to display authentication details for your Qlik Cloud tenant. This will show a code snippet with OAuth endpoints and settings, as well as a URL that you can copy for use in external applications.
You can use this configuration to integrate Qlik Cloud with third-party applications, automate API access, or configure authentication for embedded analytics.
Managing client secrets
If a client secret is compromised or your security policy requires periodic updates, you can add or remove secrets. To avoid downtime, you can add multiple client secrets (maximum of 5), update your client application, and then remove the old secret.
Adding a client secret
Do the following:
- In the Administration activity center, go to OAuth.
- Locate the OAuth client.
- Click the menu button next to the client and select Manage secrets.
- Click Generate a new client secret.
- Copy the client secret and client ID, and store them securely.
  Information note: You will not be able to access the client secret later.
- Click Close.
Removing a client secret
Do the following:
- In the Administration activity center, go to OAuth.
- Locate the OAuth client.
- Click the menu button next to the client and select Manage secrets.
- Click the remove button next to the client secret.
- Click Close.
Building OAuth client applications to access Qlik Cloud
After you have registered an OAuth client with Qlik Cloud, you can use the associated client ID and client secret in your OAuth client application.
For step-by-step guidance, see the tutorials in the OAuth Overview section of the Qlik Developer Portal. These tutorials cover how to build client applications using popular programming languages.