Setting up Qlik OAuth for authentication
OAuth2 is a widely adopted authorization standard that allows applications to access resources on other platforms without sharing user credentials. Qlik Cloud integrates OAuth2 to give third-party applications secure access to data and analytics resources. This makes it easier to embed Qlik visualizations in external systems and to use Qlik Sense as the login method for another application that shares the same user base.
This post will explore how OAuth2 works in Qlik Cloud and guide you through integrating it into your web application.
- Steps to Integrate OAuth with a Web Application in Qlik Cloud
- Example of using Qlik OAuth with a Web Application (Qalyptus Cloud)
- OAuth2 technical flows in Qlik Cloud
- Best Practices for Securing OAuth Clients
Steps to Integrate OAuth with a Web Application in Qlik Cloud
Follow the steps below to integrate your Qlik Sense tenant with an external web application supporting OAuth connections.
1- Register Your OAuth Client
To use OAuth with your web app, start by registering your application in Qlik Cloud’s Admin Console:
- Navigate to the OAuth section of the Admin Console.
- Select Create New, and choose the Web client type for a confidential app.
- Input the required details, such as the client name, description, and allowed redirect URLs. The external application provides the redirect URLs.
The redirect URL is the endpoint of a callback method in the external application, which will receive an authorization code from the Qlik service.
- Based on the app’s requirements, choose the relevant scopes, such as access to apps or user data.
- When it’s done, click Create.
- Qlik Sense will generate a Client ID and a Client secret key. Copy and use them in the external Web application.
- By default, Qlik Sense prompts the user for consent after authentication. You can change the consent method of the configured OAuth client to “Trusted” to skip the consent prompt.
2- Handle User Authentication
Once registered, your web application needs to authenticate the user. This involves:
- Redirecting the user to Qlik Cloud’s /oauth/authorize endpoint.
- After successful authentication, Qlik Cloud redirects back to your application with an authorization code.
3- Exchange Authorization Code for Access Token
Your backend server will exchange the authorization code received for an access token. To do this, you must make a request to the OAuth token endpoint using your Client ID, Client Secret, and authorization code.
The returned token will allow the web app to make API requests on behalf of the user.
4- Access Resources in Qlik Cloud
Once your web app has obtained the access token, it can use it to interact with Qlik Cloud APIs. For example, the app can embed Qlik visualizations, manage apps, or retrieve the profile of the authenticated user for another application that shares the same users.
The following diagram shows the different steps of using Qlik OAuth to authenticate users and request data from a Qlik Cloud application.
Image source: https://qlik.dev
Example of using Qlik OAuth with a Web Application (Qalyptus Cloud)
The video below shows you how to configure Qlik OAuth to authenticate Qalyptus Cloud users using the Qlik login flow.
OAuth2 technical flows in Qlik Cloud
This section shows how to implement the technical flows to authenticate a user with Qlik OAuth.
To perform the following steps, you will need access to the Qlik Sense SaaS administration console and the necessary rights to create an OAuth Client.
1—Create an OAuth Client in Qlik Sense SaaS as described above (see the Steps to Integrate OAuth with a Web Application in Qlik Cloud).
2—Save the Client ID and Client secret keys in a safe place and make them accessible to your web application.
3—Create a callback method (GET) in your web application to receive the response from Qlik Sense. We will see the content of this method later.
4—Use the endpoint of the callback method as a redirection URL in the Qlik OAuth client. Example: https://my-app.com/login/callback
5—To authenticate the user, make a redirect to the following URL:
https://<your-qlik-sense-tenant>.qlikcloud.com/oauth/authorize?response_type=code&client_id=<CLIENT-ID>&state=<STATE-CODE>&redirect_uri=<CALLBACK-ENDPOINT>&scope=openid%20profile%20email
Replace CLIENT-ID with the Client ID generated by the OAuth client.
Replace STATE-CODE with any alphanumeric characters to identify the request in the callback method.
Replace CALLBACK-ENDPOINT with the redirection URL added in the OAuth client.
6—The user will be redirected to the Qlik Sense Login page. If an Identity Provider is configured in Qlik Sense, the user will also be redirected to the Identity provider login page.
7—After a successful connection, Qlik will send an Authorization code and the State code to the Redirection URL (callback method).
8—In the Callback method, you will receive the Authorization code and the State code.
The State code allows you to identify the login request. The Authorization code is necessary to get an Access token.
9—Your app will use the authorization code received in the previous step to request an access token by sending a POST request to the /oauth/token endpoint.
POST /oauth/token HTTP/1.1
Host: <your-qlik-sense-tenant>.qlikcloud.com
Content-Type: application/x-www-form-urlencoded

client_id=<CLIENT-ID>
&code=<AUTHORIZATION-CODE>
&redirect_uri=<CALLBACK-ENDPOINT>
&grant_type=authorization_code
&client_secret=<CLIENT-SECRET>
Replace CLIENT-ID with the Client ID generated by the OAuth client.
Replace AUTHORIZATION-CODE with the authorization code received in step 8.
Replace CALLBACK-ENDPOINT with the redirection URL added in the OAuth client.
Replace CLIENT-SECRET with the Client secret generated by the OAuth client.
10—The POST request response will contain the access token and the expiration time. The response is similar to the following sample.
HTTP/1.1 200 OK
Content-Type: application/json

{
"token_type": "Bearer",
"scope": "offline_access user_default",
"expires_in": 21600,
"expires_at": "2024-11-17T15:23:17.000Z",
"access_token": "eyJ0eXAiOdsdsdsdshbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"refresh_token": "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6Impudkw1VnpIUTBld1gzR05PUm..."
}
11—Use the access token to call Qlik Sense API endpoints. The app attaches the access token as a Bearer token in the Authorization header of each HTTP request. The following request gets the profile of the signed-in user.
GET /api/v1/users/me HTTP/1.1
Host: <your-qlik-sense-tenant>.qlikcloud.com
Authorization: Bearer eyJ0eXAiOdsdsdsdshbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...
A successful response looks similar to the following.
{
"id": "97dhsjhduiyiuzyeuyzd7ee46",
"tenantId": "ydg769_JHGTSSSPOPNHHYTZ22KK",
"status": "active",
"subject": "auth0|6ce3dd53e59794c0dfc58cba18884a47fd00d055954fb7f934ab9",
"name": "User Test",
"email": "<user-email>",
"picture": "",
"roles": [
"DataServicesContributor",
"SharedSpaceCreator",
"Developer"
],
"assignedRoles": [],
"assignedGroups": [],
"groups": [],
"createdAt": "2024-11-06T07:23:33.355Z",
"lastUpdatedAt": "2024-11-17T09:20:09.040Z",
"created": "2024-11-06T07:23:33.355Z",
"lastUpdated": "2024-11-17T09:20:09.040Z",
"links": {
"self": {
"href": "https://<your-qlik-sense-tenant>.qlikcloud.com/api/v1/users/97dhsjhduiyiuzyeuyzd7ee46"
}
}
}
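The following added example (not code from the original post or from Qlik) works through steps 5 to 11 on the client side: it builds the /oauth/authorize redirect, checks the returned state before accepting the authorization code, assembles the /oauth/token POST and turns the token response into the Authorization header. It performs no network calls; the tenant host, client ID and redirect URL are constructed placeholders, and urlencode handles the spaces in the scope parameter.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; replace with your own tenant and client.
TENANT = "my-tenant.qlikcloud.com"          # hypothetical tenant host
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"          # from the OAuth client in the Admin Console
REDIRECT_URI = "https://my-app.com/login/callback"  # the callback endpoint from step 4

def new_state() -> str:
    """Step 5: an unguessable state value, stored server-side per login attempt."""
    return secrets.token_urlsafe(32)

def authorize_url(tenant: str, client_id: str, redirect_uri: str, state: str,
                  scopes=("openid", "profile", "email")) -> str:
    """Step 5: the /oauth/authorize URL to redirect the user to (spaces in scope become '+')."""
    query = {"response_type": "code", "client_id": client_id, "state": state,
             "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"https://{tenant}/oauth/authorize?" + urlencode(query)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 8: return the authorization code only if state matches the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if code is None or state is None or not secrets.compare_digest(state, expected_state):
        raise PermissionError("state mismatch or missing authorization code")
    return code

def token_request(tenant: str, client_id: str, client_secret: str,
                  code: str, redirect_uri: str):
    """Step 9: the POST /oauth/token request as (url, headers, form body)."""
    body = urlencode({"client_id": client_id, "code": code, "redirect_uri": redirect_uri,
                      "grant_type": "authorization_code", "client_secret": client_secret})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{tenant}/oauth/token", headers, body

def bearer_header(token_response_json: str) -> dict:
    """Steps 10-11: read access_token from the token response and build the Authorization header."""
    token = json.loads(token_response_json)
    if token.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {token.get('token_type')!r}")
    return {"Authorization": f"Bearer {token['access_token']}"}
```

The `GET /api/v1/users/me` call from step 11 is then the returned header plus the tenant URL, sent with whatever HTTP client your backend uses.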
Best Practices for Securing OAuth Clients
Security should be a top priority when integrating OAuth into your web application. Here are some recommendations:
- Confidential Clients: Use confidential (Web) clients for server-side web applications, where the Client ID and Client Secret can be stored securely on the server and never reach the browser.
- Limit Scopes: Only request the necessary scopes to limit the access granted to your app.
- Token Expiry: Regularly refresh access tokens to ensure ongoing secure access. Use refresh tokens where applicable.
Qlik’s OAuth2 implementation allows seamless integration between web applications and Qlik Cloud, providing secure access to data and analytics resources. You can securely manage user authentication and resource access by leveraging the right OAuth flow for your app type.
Whether embedding visualizations or performing administrative tasks, OAuth2 ensures that your applications have the appropriate access without exposing user credentials.