A few tips.
First, the target_id parameter is not an app guid, it's generated by Qlik Sense based on the redirectUri parameter on the websocket request. Any resource behind a virtual proxy can be used. So if your mashup is behind a virtual proxy (hosted on Qlik Sense server by Qlik Sense), then you're good to go. If not, then what I do is upload a simple html document to the content library which just simply redirects to my mashup. Then I set the redirectUri in the mashup config to point to that html document, which redirects to the mashup. Again, this is only necessary if your mashup is not behind a virtual proxy.
Second, the reason you are seeing the "no access pass" is because you have not allocated any tokens for "Login access." When a mashup loads, it loads some resources that require a token, and since the user doesn't have a user token before logging in, these resources are unable to load. Allocate a few tokens to "Login access" and anonymous users, and then you won't see the "no access pass" any longer, and your mashup should redirect to the auth module defined in the virtual proxy if a user is not authenticated.
I might not have mentioned that the mashup would be on the public web but secured. So assigning tokens to anonymous users would be bad. They could be easily used up.
Instead I changed my proxy to use the "Forms" authentication pattern, instead of "Windows". Now the mashup redirects to a login page and back again without issue.
This solved my problem.