Solved: Creating oAuth M2M impersonation user - Qlik Community

_Johan · ‎2024-05-06

Hi,

I am trying to set up oAuth M2M impersonation and have set up the client in Qlik.
Trying out this example with this body:

{
  "client_id": "*****************",
  "client_secret": "***************",
  "grant_type": "urn:qlik:oauth:user-impersonation",
  "user_lookup": {
    "field": "subject",
    "value": "SUBJECT_VALUE"
  },
  "scope": "user_default"
}

I got this error:

{
  "errors": [
    {
      "title": "Could not find a user to impersonate",
      "detail": "Could not find user with identifier of subject and value of SUBJECT_VALUE",
      "code": "OAUTH-41",
      "status": "400"
    }
  ],
  "traceId": "5f1d309e40ca23dea9cd9558e1061d00"
}

Since I don't have any users except tenant admins the error seems correct.

My question now is how do I create the user on the Qlik side that I want to impersonate?
I don't want to send an email to someone inviting them and I don't want to set up a full IDP described here.

_Johan · ‎2024-05-06

Hi @alex_colombo ,

I tried with API and once I changed the "SUBJECT_VALUE" to what I set in the API-call I got an access token.
I haven't tried using the token yet though.
Is there any benefit in doing it with JWT or is it similar to the API?

View solution in original post

alex_colombo · ‎2024-05-06

Hey @_Johan , you should use JWT for creating your users

_Johan · ‎2024-05-06

Hi @alex_colombo ,

I tried with API and once I changed the "SUBJECT_VALUE" to what I set in the API-call I got an access token.
I haven't tried using the token yet though.
Is there any benefit in doing it with JWT or is it similar to the API?

alex_colombo · ‎2024-05-06

You have to use JWT for creating users into the tenant (if you do not want to use an IDP). Then, you can use OAuth token for authorization.

Jeffrey_Goldberg · ‎2024-05-06

@_Johan , is this for your own learning or for a specific use case. If for the latter, can you share the use case please?

Jeffrey_Goldberg · ‎2024-05-06

You can use the users API to create users as long as you do not require the use of groups. Right now, JWT auth to create the user on the backend is required for assigning groups to users. In a future release, custom group creation via API will be possible along with users so JWT auth will not be needed anymore.

jg

_Johan · ‎2024-05-07

Hi Jeffery,

It is a use case.
I want to embed Qlik without 3rd party cookies and I don't have an external IDP. I do have a lightweight internal one though with limited capabilities.

It is also a multi tenant setup where we will determine which user gets to see/use which tenant. I don't have a need to match the user in our application with the one in the tenant.
Therefore I am trying to use the oAuth M2M Impersonation.

Yesterday I managed to create a user with API and get an Access Token through the impersonation call.

Is there a implied need to setup an OIDC Identity Provider?

Later it might be useful if I can divide users in 2 groups, basic and self-service. I have heard that groups are not to be used but I don't know why.
Maybe this can be solved by just having 2 users, one basic and one self-service. Although, the self service one might be good if there is a match in name between our app and the name in the qlik tenant.

Creating oAuth M2M impersonation user

API

Integration

SaaS