Permission Denied and Content Could Not Be Displayed after a short time on Cookieless Embed

[cgooding-va]

With Cookieless Embed, after 10-30 minutes of the embedded page being loaded, the embedded dashboard is replaced with this screen:

It looks like some calls around that time are made that return 401 Permission Denied, even though similar calls were made earlier to the same endpoint successfully. Mainly /api/internal/session/heartbeat and /embed/dashboards.

For our implementation, we are initializing the cookieless embed sdk like this so that we can include the authorization header in the call to get the session/tokens:

LookerEmbedSDK.initCookieless(
  LookerHost,
  {
    headers: {
      Authorization: `Bearer ${sessionId}`,
    },
    url: 'https://<our backend>/looker/acquire-embed-session',
    credentials: 'include',
  },
  {
    headers: {
      Authorization: `Bearer ${sessionId}`,
    },
    url: 'https://<our backend>/looker/generate-embed-tokens',
    credentials: 'include',
  },
);

and then creating the dashboard

LookerEmbedSDK.createDashboardWithId(config.dashboardId)
  .withClassName('looker-embed')
  .appendTo(config.elementRef.nativeElement)
  .build()
  .connect()
  .catch((error: Error) => {
    console.error('An unexpected error occurred', error);
  });

The acquire and generate calls are being made successfully, and even though I need to manage/cache the tokens on the backend because of this issue, the generate call returns new tokens each time.

However, I did notice that the initial navigation token from the acquire call is being used on the failing embed/dashboards call and is in the referrer for the failing heartbeat call, but I am uncertain about the origin of those calls and haven't been able to see if/how to make changes to the sdk to adjust them.

[bryans99]

There is not enough information in this issue to determine what the problem is and I do not think this is the appropriate place. One comment I will say is that the inclusion of sessionId with a bearer token in browser is insecure and that raises an immediate red flag. If that session id is a Looker session then definitely do not do this.

[cgooding-va]

Sorry I missed this reply until now @bryans99

The bearer token is used by the auth on our own server and has nothing to do with looker. I've just included it to show that I need to initialize the embed in that way rather than just providing an endpoint, as some of the behaviour seems to be different in this case as I outlined here.

Is there more information I could provide or a more appropriate place for this? I've talked to google support and they advised me to post it here and in the looker community forums as well.

[lankers1]

@cgooding-va did you ever resolve this issue? I'm experiencing the same issue

[cgooding-va]

@lankers1 Unfortunately I have not. I am just using the regular embed with cookies for now.

[idukic]

Hi,
I had the issue with access token when /generate-tokens was called and 401 was returned. The access token is used in headers when calling /acquire-sessions and /generate-tokens. Not sure if this is valid solution, but what worked for me was subscribing to OAuthService events and when access token was renewed I would initialize cookieless session again without reloading the dashboard.

I can give more details if needed.
Using Angular + .Net Core.

[cgooding-va]

@idukic Thanks for the response!

I'm not using OAuth for my embed, but I would still be curious to see your implementation if you don't mind. I didn't think I could re-initialize the session like that without reloading the dashboard, maybe there is some event I could hook into for that too or I could just do it periodically...

[idukic]

@cgooding-va will pass what I have, hope it helps (note that this is under test and might not be perfect solution, but works atm in my case).

Note: Angular component

constructor(private oauthService: OAuthService) {
    // This will be triggered with refresh token request
    // Initialize cookieless session each time refresh token is refreshed and user profile loaded
    this.oauthService.events
      .pipe(filter((e: OAuthEvent) => e.type === 'user_profile_loaded'))
      .subscribe(() => this.initializeCookielessSession());
}
ngOnInit(): void {
    this.initializeCookielessSession();
    this.createEmbedBuilderForLookerdDashboard();
 }

// Initialize the Embed SDK to use a cookieless session
initializeCookielessSession() {
 LookerEmbedSDK.initCookieless(
  LookerHost,
   {
    headers: [ Authorization: `Bearer ${current_access_token}`],
    url: 'backend/acquire-embed-session'
   },
   {
      headers: [ Authorization: `Bearer ${current_access_token}`],
      url: 'backend/generate-tokens'
    },
  );
}``` 

  Hope this helps!

[joeynaor]

We are experiencing a similar issue. It appears that even though the embed SDK is provided with a new embed_navigation_token from the backend, it keeps using the original embed_navigation_token which it was initially supplied with) The 401 takes place when the original token's session_reference_token_ttl reaches 0. This is the request that is sent, which appears to be originated from within the iframe and not the SDK:

/embed/dashboards/2?Tx+Datetime+Date=2023%252F01%252F01+to+2023%252F09%252F21&Partner+ID=&embed_domain=http%253A%252F%252Flocalhost%253A3300&sdk=2&query_timezone=UTC&embed_navigation_token=<the original token>

Oddly, we're seeing that the occasional heartbeat requests sent from the embed SDK use the new Looker-Embed-Api-Token provided by the backend, however heartbeat responds with seconds_until_session_timeout relevant to the original embed_navigation_token.

[karan-rajbhar]

When/acquire-embed-sessionis initially called, you have the option to specify the 'session_length' in the user attribute when invoking 'acquire_embed_cookieless_session' in the Looker SDK. This can address the issue by setting it to a value of 1 day, resulting in 'session_length': 86400 in user attributes.

[Saklak]

Hi
I have the same issue just as the session ends. Following the last SDK call to heartbeat, this same message is displayed to the user.
I guess the message that should normally be displayed is "your session expired".
Not sure if this is related, but I can see an exception in the console:
"Uncaught (in promise) DOMException: Failed to execute 'postMessage' on 'Window': Invalid target origin 'https://https%3A%2F%2Fmy-app.my-domain.com' in a call to 'postMessage' ."
Wouldn't there be a problem with the getter "get targetOrigin()" (in "embed.ts") which should perhaps URL-decode apiHost before testing if it's a correct url ?

[AlexKichkailo]

Hi,
I am seeing the same issue with the same error in the console as @Saklak . Looks like Looker Embed SDK does not use the new token for some reason. Bumping session length to 1 day does not seem like a good solution from the security perspective and it also does not address the issue fully (users can keep tabs open for days)

[cgooding-va]

Just as an update here, I'm not sure what has changed or when but with the latest SDK cookieless embed sessions are no longer timing out for me.