# gooddata-cn
j
we have logged in via backend using the API and we have an oauth token, but when trying to embed it to the app it fails with this error
j
Looks like the known issue with 404 instead of 401? @Peter Plochan
j
so in the end it looks like we have the oauth token correctly, but we are not able to pass the cookie the correct way and then the app tells us "not authenticated" … we are trying a few options
so I made it super simple and tested the following scenario:
• copy & paste dashboard embed URL to the browser -> OK, it works
• paste iframe to the website (tried it with google sites) running https:// -> same ISSUE
there is the following error even though I'm in the same browser (authenticated):
```
Mixed Content: The page at 'https://sites.google.com/d/1zBw4a5y5opjLHUFajsCUqR3PAyMgwfMv/p/1DzkXNEGQPNidHj-tS9ubNAJHhciZhWQ9/edit' was loaded over HTTPS, but requested an insecure frame 'http://recruitis-gd.bizzflow.app/dex/auth?response_type=code&client_id=a7f9450a-b3f8-4712-a530-ba59719262fd&scope=openid%20profile&state=3X_tskN2XWYV5R9wxCGpAvPMGQi59jg6H8MUnHwyPcw%3D&redirect_uri=http://localhost:3000/login/oauth2/code/localhost&nonce=b4dBpK01twx4eCCLjpUyyxgZsjsQyYIwdHTw-UJhrG8'. This request has been blocked; the content must be served over HTTPS.
```
@Peter Plochan / @Martin Svadlenka / @Jan Soubusta / @Jiri Zajic any idea? 🤔
p
I’m not an expert in this area, but I think that if you are accessing any resource (even in an iframe) from any SSL secured site, you need that resource to be SSL secured as well.
j
yeah, sure … but this is nothing I can handle … as I said, I just paste the iframe (from GD.CN portal) to the website … and this error occurs so it seems it is some inner API call within the CN itself…
j
I can confirm that while other domains authenticate in iframe just fine, recruitis-gd.bizzflow.app does not. I'll be reaching out internally to our engineering teams… bear with me @JT!
j
@Jiri Zajic thanks! Just FYI - we just upgraded to GD.CN version 2.1 and the issue still remains …
p
Hi @JT, would you be able to show the whole 401 response you're getting? I mean all headers and response body. FYI the main hint of unsuccessful authentication should be located in the `WWW-Authenticate` header.
j
sure, @Peter Plochan
```http
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.1
Date: Wed, 05 Oct 2022 12:14:37 GMT
Content-Length: 9
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1 ; mode=block
Referrer-Policy: no-referrer
Set-Cookie: SPRING_REDIRECT_URI=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Lax
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Disposition, Content-Length, Content-Range, Set-Cookie
Permission-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'none'; payment 'none';
Content-Security-Policy: default-src 'self' *.wistia.com *.wistia.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.wistia.com *.wistia.net src.litix.io matomo.anywhere.gooddata.com code.jquery.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com; img-src 'self' data: blob: *.wistia.com *.wistia.net embedwistia-a.akamaihd.net privacy-policy.truste.com www.gooddata.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net fast.fonts.net; font-src 'self' data: fonts.gstatic.com *.alicdn.com *.wistia.com cdn.jsdelivr.net info.gooddata.com; frame-src 'self'; object-src 'none'; worker-src 'self' blob:; child-src blob:; connect-src 'self' *.tiles.mapbox.com *.mapbox.com *.litix.io *.wistia.com embedwistia-a.akamaihd.net matomo.anywhere.gooddata.com; media-src 'self' blob: data: *.wistia.com *.wistia.net embedwistia-a.akamaihd.net
GoodData-Deployment: aio
```
^ response headers
Screenshot 2022-10-05 at 14.16.49.png
or this one:
Screenshot 2022-10-05 at 14.18.23.png
and response headers:
```http
HTTP/1.1 401
Server: nginx/1.14.1
Date: Wed, 05 Oct 2022 12:14:40 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: SPRING_REDIRECT_URI=AVfg2iMMwQJBuNb/kyv7n7ifteNYozRZe+1Tizxc8i+PmKs8sMrA+tSSPuq78RCRe06MzPz8VV6RLtuLdVpHTgsPOyg3tNO8S/oKxq3J1HcWiOhuvwsEu/9aLTJp; Max-Age=604800; Expires=Wed, 12-Oct-2022 12:14:40 GMT; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: SPRING_SEC_SECURITY_CONTEXT=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Disposition, Content-Length, Content-Range, Set-Cookie
Permission-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'none'; payment 'none';
Content-Security-Policy: default-src 'self' *.wistia.com *.wistia.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.wistia.com *.wistia.net src.litix.io matomo.anywhere.gooddata.com code.jquery.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com; img-src 'self' data: blob: *.wistia.com *.wistia.net embedwistia-a.akamaihd.net privacy-policy.truste.com www.gooddata.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net fast.fonts.net; font-src 'self' data: fonts.gstatic.com *.alicdn.com *.wistia.com cdn.jsdelivr.net info.gooddata.com; frame-src 'self'; object-src 'none'; worker-src 'self' blob:; child-src blob:; connect-src 'self' *.tiles.mapbox.com *.mapbox.com *.litix.io *.wistia.com embedwistia-a.akamaihd.net matomo.anywhere.gooddata.com; media-src 'self' blob: data: *.wistia.com *.wistia.net embedwistia-a.akamaihd.net
GoodData-Deployment: aio
```
thanks!
adding also @Tomáš Votava who is also debugging on our side
p
@JT I meant the 401 @Jiri Zajic got in his reproducer here:

https://gooddataconnect.slack.com/files/U025EGDM3DZ/F0453NYF4MR/screen_shot_2022-10-04_at_10.58.38.png

Or is it another case? If yes, would you be able to provide the whole HAR file for that iframe? It would help much.
j
Hello @Peter Plochan! Here it is. It is the same use-case. @JT is embedding using Google Sites, I am embedding on localhost using CGRA. Same issue. Here's the HAR file. Anything else that would help?
@Peter Plochan can you please help on Monday morning? 🙏
j
@Peter Plochan would you be able to jump on a call with me/David from our team during today? Thanks!
p
Hi @JT, yes I should be. Would you have time between 1:00pm and 2:30pm (CEST timezone)?
j
2pm sounds good! I will invite David as well! @Peter Plochan
s
Hi @JT, @Tomáš Votava Were you able to fix this issue regarding the 401 status code? I am also facing a similar issue. Please check this thread for more information. https://gooddataconnect.slack.com/archives/C01USCF4S10/p1671092830044589?thread_ts=1671005688.451689&cid=C01USCF4S10
t
Hi @Shubham Jain, this could be the case when the cookie has a strict SameSite setting, maybe try this: https://gooddataconnect.slack.com/archives/C01P3H2HTDL/p1665498265445969?thread_ts=1665496476.294259&cid=C01P3H2HTDL
s
Thank you @Tomáš Votava, but we are not using GOODDATA.CN.
t
Oh, I see, then I'm afraid I can't help you.