Skip to main content

Qlik

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
_Johan
Partner - Contributor III
‎2024-05-06 04:30 AM

Creating oAuth M2M impersonation user

Hi,

I am trying to set up oAuth M2M impersonation and have set up the client in Qlik.
Trying out this example with this body:

 

{
  "client_id": "*****************",
  "client_secret": "***************",
  "grant_type": "urn:qlik:oauth:user-impersonation",
  "user_lookup": {
    "field": "subject",
    "value": "SUBJECT_VALUE"
  },
  "scope": "user_default"
}

 


I got this error:

 

{
  "errors": [
    {
      "title": "Could not find a user to impersonate",
      "detail": "Could not find user with identifier of subject and value of SUBJECT_VALUE",
      "code": "OAUTH-41",
      "status": "400"
    }
  ],
  "traceId": "5f1d309e40ca23dea9cd9558e1061d00"
}

 

 

Since I don't have any users except tenant admins the error seems correct.

My question now is how do I create the user on the Qlik side that I want to impersonate? 
I don't want to send an email to someone inviting them and I don't want to set up a full IDP described here

 

Labels (3)
Labels
1,552 Views
1 Solution

Accepted Solutions
_Johan
Partner - Contributor III
‎2024-05-06 10:27 AM
Author

In response to alex_colombo

Hi @alex_colombo ,

I tried with API and once I changed the "SUBJECT_VALUE" to what I set in the API-call I got an access token.
I haven't tried using the token yet though. 
Is there any benefit in doing it with JWT or is it similar to the API?


View solution in original post

1,508 Views
0 Likes
6 Replies
alex_colombo
Employee
‎2024-05-06 08:36 AM

Hey @_Johan , you should use JWT for creating your users

1,518 Views
_Johan
Partner - Contributor III
‎2024-05-06 10:27 AM
Author

In response to alex_colombo

Hi @alex_colombo ,

I tried with API and once I changed the "SUBJECT_VALUE" to what I set in the API-call I got an access token.
I haven't tried using the token yet though. 
Is there any benefit in doing it with JWT or is it similar to the API?


1,509 Views
0 Likes
alex_colombo
Employee
‎2024-05-06 10:31 AM

You have to use JWT for creating users into the tenant (if you do not want to use an IDP). Then, you can use OAuth token for authorization.

1,505 Views
Jeffrey_Goldberg
Employee
‎2024-05-06 10:48 AM

@_Johan , is this for your own learning or for a specific use case. If for the latter, can you share the use case please?

1,499 Views
Jeffrey_Goldberg
Employee
‎2024-05-06 10:56 AM

In response to alex_colombo

You can use the users API to create users as long as you do not require the use of groups. Right now, JWT auth to create the user on the backend is required for assigning groups to users. In a future release, custom group creation via API will be possible along with users so JWT auth will not be needed anymore.

 

jg

1,495 Views
_Johan
Partner - Contributor III
‎2024-05-07 02:17 AM
Author

In response to Jeffrey_Goldberg

Hi Jeffery,

It is a use case.
I want to embed Qlik without 3rd party cookies and I don't have an external IDP. I do have a lightweight internal one though with limited capabilities.

It is also a multi tenant setup where we will determine which user gets to see/use which tenant. I don't have a need to match the user in our application with the one in the tenant. 
Therefore I am trying to use the oAuth M2M Impersonation. 

Yesterday I managed to create a user with API and get an Access Token through the impersonation call.

Is there a implied need to setup an OIDC Identity Provider?

Later it might be useful if I can divide users in 2 groups, basic and self-service. I have heard that groups are not to be used but I don't know why.
Maybe this can be solved by just having 2 users, one basic and one self-service. Although, the self service one might be good if there is a match in name between our app and the name in the qlik tenant.

1,458 Views
0 Likes
Top