As far as we understand, Qlik does not support impersonation grant for OAuth clients. We have a use case where we want to make Machine-to-Machine (M2M) API calls in the context of a user. An API key seems like the right approach; however, as far as the UI seems to allow, you can only generate an API key for yourself.
Does anyone have any experience or ideas around how to make API calls on behalf of a user?
The only way I know of for doing user impersonation over APIs or QCS is to create a JWT identity provider. That way you can handle the whole authentication and authorization flow outside of QCS, and as long as you have the certificate, you can connect as anyone. Needless to say, that opens up quite a security hole though, so if you choose to go that way, then make sure you keep that certificate safe...
This capability is something we are looking at starting work on in Q1. No commitments, but we see the need and want to bring OAuth M2M the ability to impersonate users in the tenant.
Even if a JWT identity provider is configured, it would only allow session-cookie-based authentication, no? As in, you can "log in" as a user using JWT with the POST /login/jwt-session endpoint, but what you would get are cookies. I guess you could, as a headless service, still use cookies to impersonate a user. Is that what you mean?
This would be the ideal solution. This would certainly be the "clean" solution to our use cases.
Yes, that is what I mean. Configuring the whole thing is a little fiddly, but you can see a C# implementation of the flow here:
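The token-minting side of the JWT identity provider flow discussed in this thread, as an added Node.js example (not the C# implementation referred to above and not Qlik's code). It shows the controls that limit the damage of a leaked token: one user per token, a unique `jti`, and a short validity window that is enforced on verification. The claim names and the `aud` value are assumptions based on a typical Qlik Cloud JWT IdP configuration; the issuer, key ID and user values are constructed placeholders.

```javascript
// Added example. Claim names follow a typical Qlik Cloud JWT IdP setup and are
// assumptions; issuer, key ID and user values are constructed placeholders.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Mint a short-lived RS256 JWT that names exactly one user.
function mintUserJwt(privateKey, { issuer, keyId, user, ttlSeconds = 60, now = Date.now() }) {
  if (ttlSeconds > 300) throw new RangeError('keep impersonation tokens short-lived');
  const iat = Math.floor(now / 1000);
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId };
  const payload = {
    iss: issuer,
    aud: 'qlik.api/login/jwt-session', // assumption: audience for the login endpoint
    sub: user.sub, subType: 'user', name: user.name,
    email: user.email, email_verified: true,
    jti: crypto.randomUUID(),          // unique ID so every minted token can be audited
    iat, nbf: iat, exp: iat + ttlSeconds,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(sig)}`;
}

// What a verifier does with the public key: pin the algorithm, check signature and time window.
function verifyUserJwt(token, publicKey, now = Date.now()) {
  const [h, p, s] = token.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url'));
  const t = Math.floor(now / 1000);
  if (t < claims.nbf || t >= claims.exp) throw new Error('token outside validity window');
  return claims;
}

// Constructed demo with a throwaway key pair; a real private key belongs in a KMS/HSM.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const token = mintUserJwt(privateKey, {
    issuer: 'https://idp.example.invalid', keyId: 'placeholder-key-id',
    user: { sub: 'user-123', name: 'Example User', email: 'user@example.invalid' },
  });
  return { token, publicKey, claims: verifyUserJwt(token, publicKey) };
}
```

A headless service would present such a token to the POST /login/jwt-session endpoint mentioned in the thread and keep the returned session cookies only for the duration of the job.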