Creating and managing OAuth clients
OAuth is a standard security protocol for authorization and delegation. It allows third-party applications to access API resources without disclosing the end user's credentials. An OAuth client can obtain an authorization code and exchange it for an access token that can then be used to access Qlik Cloud content through APIs.
Public and confidential clients
OAuth has two client types, public clients and confidential clients, to secure authorization between an application (the client) and the authorization server (Qlik Cloud).
Public clients are applications that don’t use the client secret because they can’t maintain the confidentiality of the required credentials. Public clients in Qlik Cloud are often frontend applications like single-page applications with embedded analytics or a custom visualization extension in Qlik Sense requiring information about the end user to support the application lifecycle.
Qlik Cloud supports confidential clients for traditional web (server-side) applications, and public clients for native and single-page applications using specific grant types.
A confidential client is an application that maintains a client ID and a client secret in a secure manner without exposing them to unauthorized parties. Confidential clients can have access to protected resources because they are in possession of the client secret. An example of a confidential client is a web application with a secure backend interacting with Qlik Cloud APIs to orchestrate data refresh tasks or manage user access to content.
Authorization grant types
Qlik supports two authorization grant types, or flows: Authorization Code Flow and Authorization Code Flow with Proof Key for Code Exchange (PKCE). These flows are very similar, but they support different use cases.
Authorization code flow
Traditional web applications are server-side applications whose source code is not publicly exposed, so they can use the authorization code flow, which exchanges an authorization code for a token. Web applications that use this flow must be server-side because the application's client secret is passed to the authorization server during the exchange for a token.
See: Authorization Code Flow for more details.
Authorization code flow with proof key for code exchange (PKCE)
Native and single-page applications cannot store a client secret because their source code is accessible through decompiling the app or viewing the app source through a browser, respectively. PKCE adds an additional layer of protection on public clients by requiring the use of a code verifier to obtain an access token.
See: Authorization Code Flow with Proof Key for Code Exchange (PKCE) for more details.
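The two flows described above differ only in what the client presents at the token endpoint: a confidential (Web) client proves possession of its client secret, a public (Single-page app or Native) client proves possession of the PKCE code verifier whose S256 challenge accompanied the original authorization request. The following Python is an added example, not code from Qlik's documentation or libraries; it only builds the request parameters and performs the PKCE check, it makes no network calls, and the endpoint paths `/oauth/authorize` and `/oauth/token`, the tenant name, client ID and redirect URL are assumed values for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Assumed endpoint paths; this page does not list the tenant's OAuth endpoints.
AUTHORIZE_PATH = "/oauth/authorize"
TOKEN_PATH = "/oauth/token"


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier for a public client. 32 random bytes, base64url
    without padding, is 43 characters, the minimum length RFC 7636 requires."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), the S256 method."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint: the
    verifier presented with the code must hash to the challenge that was bound
    to the code at authorization time. A stolen code alone is useless without it."""
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: Optional[str] = None) -> str:
    """Authorization request for either flow. `state` is a per-session random
    value the client must compare on the callback to reject forged redirects."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if code_challenge is not None:  # PKCE: public clients add the challenge
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"https://{tenant}{AUTHORIZE_PATH}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, *,
                        client_secret: Optional[str] = None,
                        code_verifier: Optional[str] = None) -> dict:
    """Form body POSTed to the token endpoint. Exactly one proof is supplied:
    the client secret (confidential client, server side only) or the code
    verifier (public client, never a secret because the app cannot keep one)."""
    if (client_secret is None) == (code_verifier is None):
        raise ValueError("supply either client_secret (confidential) or code_verifier (public)")
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:
        body["code_verifier"] = code_verifier
    return body


if __name__ == "__main__":
    # Constructed values: a public client walking through PKCE end to end.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("mytenant.example.qlikcloud.com", "assumed-client-id",
                              "https://spa.example.com/callback", "user_default", state, challenge))
    print(build_token_request("assumed-client-id", "https://spa.example.com/callback",
                              "code-from-callback", code_verifier=verifier))
    print("verifier binds to challenge:", verifier_matches_challenge(verifier, challenge))
```

The `state` parameter and the `redirect_uri` repeated in the token request are part of the flow itself, not Qlik specifics: the first lets the client reject a callback it did not initiate, the second lets the server confirm the code is being redeemed by the same party it was issued to.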
Creating an OAuth client
OAuth clients are administered by tenant admins from the Management Console on the OAuth page.
With an OAuth client you can integrate your client application with Qlik Cloud.
Do the following:
- In the Management Console, go to the Integration section and select OAuth.
- Click Create new.
- Select a client type. Use Web for confidential clients and Single-page app or Native for public clients. With Web, you can select the option Allow Machine-to-Machine (M2M) for system access without user interaction.
- In the dialog, give the OAuth client a name.
- Optionally, add a description.
- Enter the redirect URL for the OAuth client application. Qlik Cloud redirects the user back to the application after a successful authorization only if the application's URL is in the allowed list of redirect URLs. URLs must begin with https:// unless the domain is localhost, in which case they can start with http://. Native apps can also use the application-specific link format, for example, exampleapp://.
- Click Add to add the redirect URL to the allow list. You can add more than one URL.
- Single-page app only: Add one or more allowed origins. Access to the application will only be granted if the URL is in the allowed origins list.
- Click Copy to clipboard to save the client ID and client secret for later use. Store the client secret in a secure location. Click Done. Public clients do not have a client secret.
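The redirect URL and allowed-origin rules in the steps above are worth making precise, because the redirect allow list is what keeps an authorization code from being delivered to a URL the application owner did not register. The Python below is an added example, not Qlik's code: it encodes the registration rules as stated on this page (https:// required, http:// only for localhost, application-specific schemes only for Native clients), checks a requested redirect URL against an allow list by exact match, and reduces a page URL to its origin for the Single-page app check. All URLs, client type labels and allow lists in it are constructed sample values.

```python
import re
from typing import Iterable
from urllib.parse import urlsplit

# Scheme syntax from RFC 3986: a letter followed by letters, digits, "+", "-" or ".".
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")


def is_registrable_redirect_url(url: str, client_type: str) -> bool:
    """Registration rules as described in the console steps:
    https:// is required; http:// is accepted only when the host is localhost;
    an application-specific link such as exampleapp:// is accepted only for a
    Native client (client_type is one of 'web', 'spa', 'native', an assumed label)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return bool(parts.hostname)
    if scheme == "http":
        return parts.hostname == "localhost"
    # Custom scheme: must look like a scheme and be written as scheme://...
    has_authority_marker = url[len(scheme):].startswith("://")
    return client_type == "native" and bool(_SCHEME_RE.match(scheme)) and has_authority_marker


def redirect_uri_allowed(requested: str, allow_list: Iterable[str]) -> bool:
    """Exact string comparison against the registered list. No prefix, suffix
    or wildcard matching: a trailing path segment, a '..' component or an extra
    query parameter must be rejected, otherwise the code could be steered to a
    page the owner never registered."""
    return any(requested == allowed for allowed in allow_list)


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased; path, query and fragment are not part of an origin."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}"


def origin_allowed(page_url: str, allowed_origins: Iterable[str]) -> bool:
    """Single-page app check: the origin the browser is running from must be one
    of the registered allowed origins."""
    return origin_of(page_url) in {origin_of(o) for o in allowed_origins}


if __name__ == "__main__":
    # Constructed sample allow list for a Web client and an SPA.
    redirects = ["https://app.example.com/callback", "http://localhost:3000/callback"]
    origins = ["https://app.example.com"]
    for candidate in redirects + ["https://app.example.com/callback/../admin",
                                  "https://app.example.com/callback?next=x"]:
        print(candidate, "->", redirect_uri_allowed(candidate, redirects))
    print(origin_allowed("https://App.Example.com/index.html#/dash", origins))
```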
Editing an OAuth client
You can rename an OAuth client, update the description, or manage the redirect URLs.
Do the following:
- In the Management Console, go to the Integration section and select OAuth. Select the OAuth client that you want to edit. Click ... and then select Edit.
- In the dialog, change the OAuth client options as required.
- Click Save.
Publishing an OAuth client
An OAuth client is automatically bound to the tenant that created it. You can configure an OAuth client to be shared with and available to all other tenants within a region. Third-party applications connecting to Qlik Cloud can then use the same client ID for all Qlik Cloud tenants. The application owner can rotate secrets and update the configuration without involving a tenant admin. Tenant admins don't need to manage credentials or know any configuration details.
To allow other tenants to connect to an OAuth client, it needs to be published.
Do the following:
- In the Management Console, in the OAuth section, select the OAuth client that you want to publish. Click ... and select Publish.
- Click Publish.
When a user navigates to an external website that uses Qlik OAuth, they are prompted for their tenant hostname and then for their user credentials, unless they already have an active SaaS session. The first login with an external OAuth client requires consent from a tenant admin. When approved, the new OAuth client is shown in the Management Console.
You have two options for consent: Required and Trusted. With Required, authorization using the OAuth client will prompt for consent each time a new scope is requested for the user. With Trusted, the user is not prompted. You can only use Trusted for clients that aren't published. For published clients, the consent method is always Required.
Viewing and copying the OAuth configuration
In the OAuth section of the Management Console, select View OAuth configuration to display the configuration as a code snippet and a URL to copy.
Deleting an OAuth client
You can delete an OAuth client when it is no longer needed or to revoke access.
Do the following:
- In the Management Console, go to the Integration section and select OAuth. Select the OAuth client that you want to remove and click Delete. You can remove more than one OAuth client at a time.
- Confirm that you want to delete the OAuth client.
Managing client secrets
You may need to add or remove a client secret if, for example, a client secret gets compromised or your security policy requires that you periodically update the client secret. You can also add multiple client secrets to prevent downtime in the application. For example, you can create a second secret, deploy the new secret in your client application, and then delete the old secret.
Do the following:
- In the Management Console, go to the Integration section and select OAuth. Select the OAuth client that you want to manage. Click ... and then select Manage secrets.
- In the dialog, do one of the following:
  - To add a new client secret, click Generate a new client secret.
  - To remove a client secret, click the delete icon adjacent to the client secret.
- Click Close.
Build an OAuth client application to access Qlik Cloud
After you have registered an OAuth client with Qlik Cloud, you can use the associated client ID and client secret in your own OAuth client application. Tutorials are available in the OAuth Libraries section of the Developer portal for building client applications in some of the most popular programming languages.