# gooddata-cloud
d
Hi everyone, an auth question: we've got our cognito auth setup so that going to screenlake.cloud.gooddata.com properly shows a cognito login, which when satisfied passes the user onto the right dashboard interface. However, when embedding our dashboards as an iframe, I'd really hoped that that same cognito logo window would show up part-and-parcel within the iframe embedding. Alas, all I get is the message: "*demo-name.auth.us-west-1.amazoncognito.com* refused to connect." in our iframe. Where have I gone wrong?
I understand that our cognito setup's login auth prompt redirects to gooddata to complete validation. I assume we've got something wrong here, since we don't have a pathway for our customers to stay on our website while being authorized to see the contents of the iframe embedded dashboard.
j
Hello Daniel, Please see the section on Authenticating with injected API Token; this will help you keep the authentication valid in the embedded environment. If you are still facing issues, would you be able to send a HAR file with the error in it? Generally speaking, your authentication is not being triggered before reaching the iframe, but we need to verify exactly what the error is to assist further.
d
I'm afraid the token injection method produced no change in my iframe embedding's behavior.
(Not sure what a HAR file is, I'm just looking at my iframe saying the same message as pasted above.)
I've gotten the API token injection to work, and now my only (strange) problem is that instead of an authentication error message, I get a blank white page in my iframe embedding. No insights or interactions or anything, just blankness. Any ideas? This is true even if I'm in a browser in which I'm logged into the gooddata platform as usual. Flipping the "apiTokenAuthentication" flag to "false" brings back the functionality of the embedding for my logged-in browser, and returns my incognito view to 'auth refused to connect'.
b
Hi Daniel, Let's get back to the "refused to connect." message. What is the full message in the browser dev tools console? I assume it would be either X-Frame-Options or CSP frame ancestors. Basically it means that cognito refuses to be displayed in the iframe, to prevent clickjacking attacks, but if the session already exists, the iframe should display. Is this the case?
d
Yes, if the session already exists, the iframe displays. "Refused to display 'https://gdcn-demo.auth.us-west-1.amazoncognito.com/' in a frame because it set 'X-Frame-Options' to 'deny'."
b
Hi Daniel, sorry for the late reply. The clickjacking can maybe be turned off, but the best course of action is to establish the session outside of the iframe.
d
Thanks Boris, until further development I'm just routing people to gooddata first, to a dashboard that has a single link which goes to the embedding website. Really not ideal, and raising eyebrows, but it's running.
b
Hi Daniel, That really doesn't seem like an ideal solution. But does your application where you embed the iframe also use cognito for authentication? If so, the app itself should redirect the user to a login screen (and back once completed), so that the iframe can only be accessed with an active session.