OAuth

Authorize OAuth client flows, and create and revoke OAuth tokens.

Download specification

Authorize a client application

Allows a client application to use an OAuth flow to request user authorization.

Facts

Rate limit Tier 1 (1000 requests per minute)

Query Parameters

  • client_idstring
    Required

    The client identifier.

  • code_challenge_methodstring
    Required

    The algorithm that client used for generating code_challenge, only S256 is supported for now.

    Can be one of: "S256"

  • redirect_uristring
    Required

    Relative or full URL to redirect to after successful login.

  • response_typestring
    Required

    Describes the grant flow to use.

  • scopearray
    Required

    The scope of access that is being requested.

  • statestring
    Required

    State parameter to roundtrip to client in final redirect.

  • code_challengestring

    The code challenge created by the client.

  • login_hintstring

    Hint to the Authorization Server about the login identifier the End-User might use to log in.

  • max_agenumber

    Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OpenID Provider. If time is greater than max_age, force user to re-authorize.

  • promptstring

    Specifies whether the Authorization Server prompts the End-User for re-authentication or requires a non-interactive authentication.

    Can be one of: "none""login"

Responses

302

Redirect to the identity provider or back to the redirect_uri if an error occurs. On error the redirect will follow the OAuth2 RFC section 4.1.2.1 (https://tools.ietf.org/html/rfc6749#section-4.1.2.1) with an additional error_code parameter with the internal error code. When a detail is known for the error it will be included as error_detail.

  • text/htmlstring

400

Invalid client_id or redirect_uri.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.
GET /oauth/authorize 
// qlik-api has not implemented support for `GET /oauth/authorize` yet.
// In the meantime, you can use fetch like this:


const response = await fetch('/oauth/authorize', {
  method: 'GET',
  headers: { 'Content-Type': 'application/json' },
})
This API is not included yet in qlik-cli
curl "https://{tenant}.{region}.qlikcloud.com/oauth/authorize"

Revoke OAuth token provided by client

Allows a client to revoke their token.

Facts

Rate limit Tier 2 (100 requests per minute)

Request Body

Required

Properties of the token that the client wants to revoke.

  • application/jsonobject
    Show application/json properties
    • tokenstring
      Required

      The token to revoke.

    • token_type_hintstring

      Type of the provided token.

      Can be one of: "access_token""refresh_token"

Properties of the token that the client wants to revoke.

  • application/x-www-form-urlencodedobject
    Show application/x-www-form-urlencoded properties
    • tokenstring
      Required

      The token to revoke.

    • token_type_hintstring

      Type of the provided token.

      Can be one of: "access_token""refresh_token"

Responses

200

Token was revoked.

400

Invalid request.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.
POST /oauth/revoke 
// qlik-api has not implemented support for `POST /oauth/revoke` yet.
// In the meantime, you can use fetch like this:


const response = await fetch('/oauth/revoke', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    token: 'string',
    token_type_hint: 'access_token',
  }),
})
This API is not included yet in qlik-cli
curl "https://{tenant}.{region}.qlikcloud.com/oauth/revoke" \
-X POST \
-H "Content-type: application/json" \
-d '{"token":"string","token_type_hint":"access_token"}'

Retrieve OAuth token

Allows a client to perform an OAuth flow to obtain a token set.

Facts

Rate limit Tier 2 (100 requests per minute)

Request Body

  • application/jsonany
    One of:
    • oauth-client-credentials-requestobject
      Show oauth-client-credentials-request properties
      • scopestring

        The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes

      • client_idstring
        Required

        The client identifier.

      • grant_typestring
        Required

        The grant type used to obtain an access token outside of the context of a user.

        Can be one of: "client_credentials"

      • client_secretstring
        Required

        The client secret.

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
    • oauth-refresh-requestobject
      Show oauth-refresh-request properties
      • grant_typestring
        Required

        The grant type used to exchange a refresh token for an access token.

        Can be one of: "refresh_token"

      • client_secretstring

        The client secret.

      • refresh_tokenstring
        Required

        The refresh token to use.

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
    • oauth-authorization-code-requestobject
      Show oauth-authorization-code-request properties
      • codestring
        Required

        The authorization code created by the server.

      • client_idstring
        Required

        The client identifier.

      • deviceTypestring

        The type of the user device the authorization token is generated for (Tablet, Phone etc.).

      • grant_typestring
        Required

        The grant type used to exchange an authorization code for an access token.

        Can be one of: "authorization_code"

      • descriptionstring

        A user-friendly description to distinguish between multiple tokens.

      • redirect_uristring
        Required

        The original redirect URI provided during authorization. For verification purposes only.

      • client_secretstring

        The client secret.

      • code_verifierstring
        Required

        Required when grant_type is "authorization_code". The code verifier to verify original code challenge created by the client. It must be between 43 and 128 characters long and consists of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"

        minLength = 43, maxLength = 128

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
    • oauth-token-exchangeobject

      Exchanges one token for another. Implementation is based on this spec: https://datatracker.ietf.org/doc/html/rfc8693.

      Show oauth-token-exchange properties
      • purposestring
        Required

        The intended use for the requested token.

        Can be one of: "websocket""webresource"

      • client_idstring
        Required

        The client identifier.

      • grant_typestring
        Required

        Specifies the method in which the token will be granted.

        Can be one of: "urn:ietf:params:oauth:grant-type:token-exchange"

      • subject_tokenstring
        Required

        The token that represents the identity of the party on behalf of whom the request is being made.

      • subject_token_typestring
        Required

        The type of the subject token.

        Can be one of: "urn:ietf:params:oauth:token-type:access_token"

    • oauth-user-impersonation-requestobject
      Show oauth-user-impersonation-request properties
      • scopestring

        The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes

      • client_idstring
        Required

        The client identifier.

      • grant_typestring
        Required

        The grant type used to obtain an access token on behalf of an existing user.

        Can be one of: "urn:qlik:oauth:user-impersonation"

      • user_lookupobject
        Required
        Show user_lookup properties
        • fieldstring
          Required

          The identifier to impersonate the user by.

          Can be one of: "subject""userId"

        • valuestring
          Required

          The value of the identifier to impersonate the user by.
      • client_secretstring
        Required

        The client secret.

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
  • application/x-www-form-urlencodedany
    One of:
    • oauth-client-credentials-requestobject
      Show oauth-client-credentials-request properties
      • scopestring

        The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes

      • client_idstring
        Required

        The client identifier.

      • grant_typestring
        Required

        The grant type used to obtain an access token outside of the context of a user.

        Can be one of: "client_credentials"

      • client_secretstring
        Required

        The client secret.

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
    • oauth-refresh-requestobject
      Show oauth-refresh-request properties
      • grant_typestring
        Required

        The grant type used to exchange a refresh token for an access token.

        Can be one of: "refresh_token"

      • client_secretstring

        The client secret.

      • refresh_tokenstring
        Required

        The refresh token to use.

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
    • oauth-authorization-code-requestobject
      Show oauth-authorization-code-request properties
      • codestring
        Required

        The authorization code created by the server.

      • client_idstring
        Required

        The client identifier.

      • deviceTypestring

        The type of the user device the authorization token is generated for (Tablet, Phone etc.).

      • grant_typestring
        Required

        The grant type used to exchange an authorization code for an access token.

        Can be one of: "authorization_code"

      • descriptionstring

        A user-friendly description to distinguish between multiple tokens.

      • redirect_uristring
        Required

        The original redirect URI provided during authorization. For verification purposes only.

      • client_secretstring

        The client secret.

      • code_verifierstring
        Required

        Required when grant_type is "authorization_code". The code verifier to verify original code challenge created by the client. It must be between 43 and 128 characters long and consists of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"

        minLength = 43, maxLength = 128

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.
    • oauth-token-exchangeobject

      Exchanges one token for another. Implementation is based on this spec: https://datatracker.ietf.org/doc/html/rfc8693.

      Show oauth-token-exchange properties
      • purposestring
        Required

        The intended use for the requested token.

        Can be one of: "websocket""webresource"

      • client_idstring
        Required

        The client identifier.

      • grant_typestring
        Required

        Specifies the method in which the token will be granted.

        Can be one of: "urn:ietf:params:oauth:grant-type:token-exchange"

      • subject_tokenstring
        Required

        The token that represents the identity of the party on behalf of whom the request is being made.

      • subject_token_typestring
        Required

        The type of the subject token.

        Can be one of: "urn:ietf:params:oauth:token-type:access_token"

    • oauth-user-impersonation-requestobject
      Show oauth-user-impersonation-request properties
      • scopestring

        The scope of access that is being requested. The scope should already be assigned to the OAuth client. For a list of available scopes, visit: https://qlik.dev/authenticate/oauth/scopes/#available-scopes

      • client_idstring
        Required

        The client identifier.

      • grant_typestring
        Required

        The grant type used to obtain an access token on behalf of an existing user.

        Can be one of: "urn:qlik:oauth:user-impersonation"

      • user_lookupobject
        Required
        Show user_lookup properties
        • fieldstring
          Required

          The identifier to impersonate the user by.

          Can be one of: "subject""userId"

        • valuestring
          Required

          The value of the identifier to impersonate the user by.
      • client_secretstring
        Required

        The client secret.

      • client_assertionstring

        JWT used for client authentication instead of client_secret.

      • client_assertion_typestring

        Assertion type for JWT client assertion.

Responses

200

Token set created.

  • application/jsonobject
    Show application/json properties
    • scopestring

      The scope of access that is being granted, delimited by space.

    • auth_timenumber

      Unix time of when the last authentication occurred.

    • expires_atstring

      The date and time in ISO format for when the access token will expire.

      format = "date-time"

    • token_typestring
      Required

      The type of the token issued.

      Can be one of: "bearer"

    • access_tokenstring
      Required

      The access token granted.

    • refresh_tokenstring

      Refresh token to be used to obtain a new access token without user intervention.

    • issued_token_typestring

      The type of the token issued for a token exchange. See https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1 for more details.

      Can be one of: "urn:ietf:params:oauth:token-type:access_token"

400

Invalid request parameters.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.

401

Invalid login or tokens, indicates that code or token used can be deleted by the client. Also could be invalid client credentials provided in Authorization header.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.

403

Forbidden because user is disabled or has reached the maximum number of tokens.

  • application/jsonobject

    A representation of the errors encountered from the HTTP request.

    Show application/json properties
    • errorsarray of objects

      List of errors and their properties.

      Show errors properties
      • codestring
        Required

        The error code.

      • metaobject

        Non-standard information about the error.

      • titlestring
        Required

        The error title.

      • detailstring

        The detailed error message.

      • statusstring

        The http status code.
POST /oauth/token 
// qlik-api has not implemented support for `POST /oauth/token` yet.
// In the meantime, you can use fetch like this:


const response = await fetch('/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    scope: 'user_default offline_access',
    client_id: 'string',
    grant_type: 'client_credentials',
    client_secret: 'string',
    client_assertion:
      'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteS1jbGllbnQtaWQiLCJzdWIiOiJteS1jbGllbnQtaWQiLCJhdWQiOiJodHRwczovL215LXRlbmFudC51cy5xbGlrY2xvdWQuY29tL29hdXRoL3Rva2VuIiwiZXhwIjoxNzM3MTIwMDAwLCJpYXQiOjE3MzcxMTk0MDAsImp0aSI6ImU1Zjg0ZGE3LWI0YzMtNGE5Yi04ZjFlLTNhMmIxYzRkNWU2ZiJ9.kR7Y5tz9Xm3KpwF8jH2vQ4nL9sA6bC1dE8fG0hI3jK5mN7oP9qR2sT4uV6wX8yZ0aB2cD4eF6gH8iJ0kL2mN4oP6qR8sT0uV2wX4yZ6aB8cD0eF2gH4iJ6kL8mN0oP2qR4sT6uV8wX0yZ2aB4cD6eF8gH0iJ2kL4mN6oP8qR0sT2uV4wX6yZ8aB0cD2eF4gH6iJ8kL0mN2oP4qR6sT8uV0wX2yZ4aB6cD8eF0gH2iJ4kL6mN8oP0qR2sT4uV6wX8yZ0aB2cD4eF6gH8iJ0kL2mN4oP6qR8',
    client_assertion_type:
      'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
  }),
})
This API is not included yet in qlik-cli
curl "https://{tenant}.{region}.qlikcloud.com/oauth/token" \
-X POST \
-H "Content-type: application/json" \
-d '{"scope":"user_default offline_access","client_id":"string","grant_type":"client_credentials","client_secret":"string","client_assertion":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteS1jbGllbnQtaWQiLCJzdWIiOiJteS1jbGllbnQtaWQiLCJhdWQiOiJodHRwczovL215LXRlbmFudC51cy5xbGlrY2xvdWQuY29tL29hdXRoL3Rva2VuIiwiZXhwIjoxNzM3MTIwMDAwLCJpYXQiOjE3MzcxMTk0MDAsImp0aSI6ImU1Zjg0ZGE3LWI0YzMtNGE5Yi04ZjFlLTNhMmIxYzRkNWU2ZiJ9.kR7Y5tz9Xm3KpwF8jH2vQ4nL9sA6bC1dE8fG0hI3jK5mN7oP9qR2sT4uV6wX8yZ0aB2cD4eF6gH8iJ0kL2mN4oP6qR8sT0uV2wX4yZ6aB8cD0eF2gH4iJ6kL8mN0oP2qR4sT6uV8wX0yZ2aB4cD6eF8gH0iJ2kL4mN6oP8qR0sT2uV4wX6yZ8aB0cD2eF4gH6iJ8kL0mN2oP4qR6sT8uV0wX2yZ4aB6cD8eF0gH2iJ4kL6mN8oP0qR2sT4uV6wX8yZ0aB2cD4eF6gH8iJ0kL2mN4oP6qR8","client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}'

Example Response

{
  "scope": "offline_access user_default",
  "auth_time": 1628524367,
  "expires_at": "1970-01-18T13:17:10.931Z",
  "token_type": "bearer",
  "access_token": "string",
  "refresh_token": "string",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}