Community Groups are officially here!
We've released Groups, a new feature that enables us to connect community members of similar industries and interests in a shared, private space. You can check out all of the details here, including information about who can join, how to join, and what Groups are currently offered. Please leave your feedback through this Community Groups Feedback Survey.

Does Qualtrics support integrating with APIs via the implicit grant flow of Oauth 2.0?

jsonner Notre Dame, INCommunity Member Qubie ✭

Has anyone had any success with using Qualtrics to call secure APIs without API keys or is there a way to hide API keys from form editors?

We are attempting to integrate Qualtrics with our custom Student Information System restful API using the implicit grant flow of Oauth 2.0.
We aren't comfortable adding secret keys to Qualtrics forms our editors would be able to see and potentially abuse (accidentally removing authentication, ect).

We could build a custom javascript function that sends the client to our Authorization server to get an access token onLoad, that is then used to set an embedded field that is sent to the (API) Resource server as a bearer header. This custom javascript function would be very volatile to Qualtrics updates.

  • Another option may be to use our existing federation (SAML) to generate access_tokens.

Best Answer

  • TomG
    TomG Raleigh, NCCommunity Member, Qualtrics Brand Admin Wizard ✭✭✭✭✭
    Accepted Answer

    You could write a web service script that contains the API key(s) (or retrieves them), then pass the API requests from the surveys through it. That way the form editors wouldn't be able to see or change the API key.

    Regarding your idea for a custom JavaScript, a web service that returns an embedded field would be a better choice.


  • jsonner
    jsonner Notre Dame, INCommunity Member Qubie ✭

    Thank you for your quick response!

    The web service script containing API keys would be world accessible. Anyone who stumbled upon the API key end-point could use the keys to access and update highly sensitive information. We could lock it down to Qualtrics IP range, but any Qualtrics user could find the end-point and display the embedded field. This sounds like security by obscurity.

    Is there any other way to hide secrets from form editors?

  • TomG
    TomG Raleigh, NCCommunity Member, Qualtrics Brand Admin Wizard ✭✭✭✭✭

    No, the API keys in a web service script wouldn't be viewable to the world. The web service script would be executable by the world, but not viewable. And, as you point out, you can build whatever additional security you deem necessary into the script.

  • jsonner
    jsonner Notre Dame, INCommunity Member Qubie ✭

    Executable in form of only responding to PUT, POST, UPDATE, or DELETE HTTP requests vs GET HTTP request?

    Anyone can send any type HTTP request to a world accessible API end-point and view the response.

    API scripts can be secure by exchanging secret keys or OAuth access_tokens. We trust Qualtrics to safely store our secret keys, but we don't want the keys visible to form editors.