Creating and managing OAuth clients


OAuth is a standard security protocol for authorization and delegation. It allows third-party applications to access API resources without disclosing the end-user credentials. An OAuth client can obtain an authorization code and exchange it for an access token that can be used to access Qlik Cloud content through APIs.

Public and confidential clients

OAuth has two client types, public clients and confidential clients, to secure authorization between an application (the client) and the authorization server (Qlik Cloud).

Public clients

Public clients are applications that don't use the client secret because they can't maintain the confidentiality of the required credentials. Public clients in Qlik Cloud are often frontend applications like single-page applications with embedded analytics or a custom visualization extension in Qlik Sense requiring information about the end user to support the application lifecycle.

See: RFC 6749 section 2.1: OAuth 2.0 Client Types.

Qlik Cloud supports confidential clients for traditional web (server-side) applications, and public clients for native and single-page applications using specific grant types.

Confidential clients

A confidential client is an application that maintains a client ID and a client secret in a secure manner without exposing them to unauthorized parties. Confidential clients can have access to protected resources because they are in possession of the client secret. An example of a confidential client is a web application with a secure backend interacting with Qlik Cloud APIs to orchestrate data refresh tasks or manage user access to content.

Authorization grant types

Qlik supports two authorization grant types, or flows: Authorization Code Flow and Authorization Code Flow with Proof Key for Code Exchange (PKCE). These flows are very similar, but they support different use cases.

Authorization code flow

Traditional web applications are server-side applications where the source code is not publicly exposed, therefore they can use the authorization code flow, which exchanges an authorization code for a token. Web applications that use this flow must be server-side because the application’s client secret is passed to the authorization server during the exchange for a token.

Information note: Sharing the client secret in public jeopardizes the security of your tenant. Always keep the client secret for your application secure and private.

See: Authorization Code Flow for more details.

Authorization code flow with proof key for code exchange (PKCE)

Native and single-page applications cannot store a client secret because their source code is accessible through decompiling the app or viewing the app source through a browser, respectively. PKCE adds an additional layer of protection on public clients by requiring the use of a code verifier to obtain an access token.

See: Authorization Code Flow with Proof Key for Code Exchange (PKCE) for more details.

Limiting scopes available to OAuth clients

OAuth scopes provide a way to limit the amount of access that is granted to OAuth client apps. For example, an access token issued to a client app may be granted full access to protected resources, or just read access.

In Qlik Cloud, scopes provide a way of controlling client access to the available functionality and resources. Each scope grants a different level of access. Clients without scopes will not be able to access any resources.

Creating an OAuth client

OAuth clients are administered by tenant admins from the administration activity center on the OAuth page.

With an OAuth client you can integrate your client application with Qlik Cloud.

To learn how to create an OAuth client for deployment and installation of the Qlik add-in for Microsoft Excel, see Creating an OAuth client for the Qlik add-in for Microsoft Excel.

Do the following:

  1. In the administration activity center, go to OAuth.

  2. Click Create new.

  3. Select a client type.

    Use Web for confidential clients and Single-page app or Native for public clients.

  4. In the dialog, give the OAuth client a name.

  5. Optionally, add a description.

  6. Select any of the available scopes, either by scrolling or using the search field.

    | Scope | Permission |
    | --- | --- |
    | user_default | Full access to your account and content |
    | admin_classic | Full administrator access to your tenant. See also: Deploying and administering Qlik Cloud. Information note: Not supported with single-page app and native client types. |
    | admin.apps | Read and manage all apps in the tenant. See also: Managing apps |
    | admin.apps:export | Export all apps in the tenant. See also: Exporting apps |
    | admin.apps:read | Read all apps in the tenant |
    | admin.automations | Read and manage all automations in the tenant. See also: Managing automations |
    | admin.automations:read | Read all automations in the tenant |
    | admin.spaces | Read and manage all spaces in the tenant. See also: Managing spaces |
    | admin.spaces:read | Read all spaces in the tenant |
    | apps | Read and manage your apps. See also: Managing apps |
    | apps:export | Export your apps. See also: Exporting apps |
    | apps:read | Read your apps |
    | automations | Read and manage your automations. See also: Managing automations |
    | automations:read | Read your automations |
    | automl-experiments | Read and manage your ML experiments |
    | automl-deployments | Read and manage your ML deployments |
    | identity.email:read | Read your email address. See also: Identity providers |
    | identity.name:read | Read your full name |
    | identity.picture:read | Read your profile picture. See also: Identity providers |
    | identity.subject:read | Read your user subject identifier |
    | spaces.data | Read and manage your data spaces. See also: Managing spaces |
    | spaces.data:read | Read your data spaces |
    | spaces.managed | Read and manage your managed spaces. See also: Managing spaces |
    | spaces.managed:read | Read your managed spaces |
    | spaces.shared | Read and manage your shared spaces. See also: Managing spaces |
    | spaces.shared:read | Read your shared spaces |
    | offline_access | Access resources while you are offline. Information note: Not supported with the single-page app client type. |

    Information note: You can use the All and Selected buttons above the list to show all scopes or only selected scopes.

    Information note: The above list reflects the scopes supported in the initial release. A full list of scopes, including any scopes added after the initial release, can be found on the Qlik Developer Portal.

  7. Enter one or more redirect URLs for the OAuth client application.

    Tip note: The redirect URL is where the authorization server sends the user's browser after successfully authenticating and granting permission to the client application. For example, https://www.exampleapp.com/oauth/callback, where /oauth/callback handles authentication callbacks from the OAuth provider.

    Qlik Cloud will redirect the user back to the application after a successful authorization only if its URL is in the allowlist of redirect URLs. URLs must begin with https:// unless the domain is localhost, in which case it can start with http://. Native apps can also use the application-specific link format, for example, exampleapp://.

    Click Add to add the redirect URL to the allowlist.

  8. For client type Web or Single-page app, specify one or more allowed origins. Access to the application will only be granted if the URL is added to the allowed origins list.

  9. For client type Web, you can enable Allow Machine-to-Machine (M2M) or Allow M2M user impersonation for automated system access without user interaction. M2M impersonation allows your application to act on behalf of users during authentication.

  10. Click Create.

  11. Click Copy to clipboard to save the client ID and client secret for later use. Store the client secret in a secure location. Click Done.

    Information note: Public clients will not have any client secret.
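
An added example, not Qlik code: a pre-registration check that applies the redirect URL rules from step 7 and shows why redirect URLs and allowed origins (step 8) should be compared exactly. The function names, the lowercase client type string "native" and the blocked-scheme list are assumptions made for this illustration.

```javascript
// Assumption: schemes refused even for native clients, as an extra precaution.
const BLOCKED_SCHEMES = new Set(["javascript:", "data:", "file:", "vbscript:"]);

// Returns null when the URL follows the step 7 rules, otherwise the reason it does not.
function redirectUrlProblem(candidate, clientType) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return "not an absolute URL";
  }
  if (url.protocol === "https:") return null;
  if (url.protocol === "http:") {
    // hostname must be exactly "localhost"; "localhost.example.org" does not qualify
    return url.hostname === "localhost" ? null : "http:// is only accepted for localhost";
  }
  // Application-specific link format such as exampleapp://, native clients only.
  if (clientType === "native" && !BLOCKED_SCHEMES.has(url.protocol)) return null;
  return "scheme " + url.protocol + " is not accepted for this client type";
}

// Exact comparison after URL normalisation. Prefix or substring matching would
// accept look-alike hosts and paths that escape through dot segments.
function isRedirectAllowed(requested, allowlist) {
  let href;
  try { href = new URL(requested).href; } catch { return false; }
  return allowlist.some((entry) => new URL(entry).href === href);
}

// Allowed origins compare scheme, host and port only; opaque origins never match.
function isOriginAllowed(origin, allowedOrigins) {
  let value;
  try { value = new URL(origin).origin; } catch { return false; }
  return value !== "null" && allowedOrigins.some((entry) => new URL(entry).origin === value);
}

// Constructed sample data.
const allowlist = ["https://www.exampleapp.com/oauth/callback", "http://localhost:3000/callback"];
const requests = [
  "https://www.exampleapp.com/oauth/callback",
  "https://www.exampleapp.com/oauth/callback/../../other",
  "https://www.exampleapp.com.attacker.example/oauth/callback",
  "http://localhost:3000/callback",
];
for (const r of requests) console.log(isRedirectAllowed(r, allowlist), r);
```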

Creating an OAuth client for the Qlik add-in for Microsoft Excel

An OAuth client configuration is required to install the Qlik add-in for Microsoft Excel. The add-in is used by report developers to prepare report templates which control output of tabular reports from the Qlik Sense app.

For OAuth to work in the add-in, the OAuth client needs to be configured with the exact configuration shown below.

Do the following:

  1. In the administration activity center, in Qlik Cloud, go to OAuth.

  2. Click Create new.

  3. In the Client type dropdown menu, select Single-page app. More fields will appear.

  4. Insert a Name. The description is optional.

  5. At minimum, select the checkbox to include the user_default scope. You can include other scopes in the configuration, but without user_default, installation will not work.

    See Creating an OAuth client for a full description of each available scope.

  6. In the Add redirect URLs field, insert the URL of your tenant, followed by the fixed string: /office-add-ins/oAuthLoginSuccess.html

    The result should look like this: https://YourServer/office-add-ins/oAuthLoginSuccess.html

  7. Click Add.

  8. In the Add allowed origins field, insert your tenant URL and click Add.

  9. Click Create.

  10. The Copy your Client ID window appears. You can choose to copy the Client ID to clipboard, or click Done to close the window.

After you have created the OAuth client, obtain the link to the updated manifest XML file from the administration activity center. Go to the Settings page, and navigate to Sharing and reports > Excel add-in within the administration activity center. Use this link to deploy and install the add-in.

For more information about generating the manifest file, as well as deploying and installing an add-in, see:

Creating an OAuth client for anonymous embeds of app content

To embed app content for anonymous access using qlik-embed, you need to create an OAuth client with a type specifically designed for this use case.

Do the following:

  1. In the administration activity center, go to the OAuth section.

  2. Click Create new.

  3. In the Client type dropdown menu, select Anonymous embed.

  4. Enter a Name and optionally a description for the OAuth client.

  5. Under Allowed origins, enter each origin that you need to authorize. These are the domains that will be accessing the Qlik Cloud tenant to retrieve the information for the embedded analytics.

    Click Add after inserting each URL.

  6. When you are done, click Create.

  7. Click Copy to clipboard to save the client ID for later use. It will be needed when the app content is embedded with qlik-embed.

  8. Click Done.

Editing an OAuth client

You can rename an OAuth client, update the description, or manage the redirect URLs.

Do the following:

  1. In the administration activity center, go to OAuth.
  2. Select the OAuth client that you want to edit. Click and then select Edit.
  3. In the dialog, change the OAuth client options as required.
  4. Click Save.

Publishing an OAuth client

Created OAuth clients are automatically bound to the tenant that created them. You can configure an OAuth client to be shared and available to all other tenants within a region. Third-party applications connecting to Qlik Cloud can then have the same client ID for all Qlik Cloud tenants. The application owner can rotate secrets and update the configuration without interaction from a tenant admin. Tenant admins won't need to manage credentials or know about any configuration details.

To allow other tenants to connect to an OAuth client, it needs to be published.

Do the following:

  1. In the administration activity center, go to OAuth.
  2. Select the OAuth client that you want to publish. Click and then select Publish.
  3. Click Publish.

When a user navigates to an external website that uses Qlik OAuth, they are prompted for tenant hostname, and subsequently also for user credentials, unless the user already has an active SaaS session. The first login with an external OAuth client requires consent from a tenant admin. When approved, the new OAuth client is shown in the administration activity center.

Consent method

You have two options for consent: require and trust. With require, authorization using the OAuth client will prompt for consent each time a new scope is requested for the user. With trust, the user is not prompted. You can only use trust for clients that aren't published. For published clients, the consent method is always require.

Information note: For clients being used as M2M, the consent method must be set to trust after creating the client.

Viewing and copying the OAuth configuration

In the OAuth section of the administration activity center, select View OAuth configuration to display the configuration as a code snippet and a URL to copy.

Deleting an OAuth client

You can delete an OAuth client when it is no longer needed or to revoke access.

Do the following:

  1. In the administration activity center, go to OAuth.

  2. Select the OAuth client that you want to remove, and then click Delete.

    Information note: You can remove more than one OAuth client at a time.

  3. Confirm that you want to delete the OAuth client.

Managing client secrets

You may need to add or remove a client secret if, for example, a client secret gets compromised or your security policy requires that you periodically update the client secret. You can also add multiple client secrets to prevent downtime in the application. For example, you can create a second secret, deploy the new secret in your client application, and then delete the old secret.

Do the following:

  1. In the administration activity center, go to OAuth.
  2. Select the OAuth client that you want to manage. Click and then select Manage secrets.
  3. In the dialog, do one of the following:
    • To add a new client secret, click Generate a new client secret.
    • To remove a client secret, click adjacent to the client secret.
  4. Click Close.

Build an OAuth client application to access Qlik Cloud

After you have registered an OAuth client with Qlik Cloud, you can use the associated client ID and client secret in your own OAuth client application. Tutorials are available in the OAuth section of the Developer portal for building client applications using some of the most popular coding languages.