I have a few questions regarding authentication and embedding.
Requirements:
- I want to embed a dashboard in my web application. Only a user who logs in to my app should be able to view the dashboard. I am planning to use one Metabase superuser to display dashboards for my web application (one superuser per client, each client can have ‘n’ users).
What I have tried:
- Currently I am able to embed a dashboard using the code (and secret embed key) provided in the embed option for the dashboard (for Node.js). But this method doesn’t seem to have any authentication flow since the provided secret key is stored in my server-side code and doesn’t require a session id.
- Embedding the dashboard by generating a secret key using (GET /api/util/random_token) and using that to sign the JWT instead of the one provided by Metabase in the ‘Embed Section’ of the Admin Panel. I received an error saying that the ‘Message was corrupted or manipulated’.
How I would like the flow to be:
- When the user logs in to my web app, I want to get a session id using an API (e.g. POST /api/session/). Use that session id to generate a secret key using (GET /api/util/random_token). Then use the generated secret key to sign the JWT and call the dashboard using (GET /api/embed/dashboard/:token) in my web application.
Is the above scenario possible? Or do I only have to use the secret key provided by Metabase in the ‘Embed Section’ of the Admin Panel? Are embedding and authentication (i.e. using a Metabase session id) not related? Any help will be greatly appreciated.
Thanks,
Harsh
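
The signing step discussed in the post, as an added example (not part of the original post and not Metabase's own code): a token signed with any key other than the one the verifying side holds fails the signature check, and issuing the token can be gated on the web app's own login. It assumes HS256 signing and the `{resource, params, exp}` payload of the generated embed snippet; `verifyEmbedToken` is a stand-in for the server-side check, and `appSession`, both secrets and the site URL are constructed placeholders.

```javascript
const crypto = require("crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Sign an HS256 JWT with a shared secret (the job of the server-side embed snippet).
function signEmbedToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hmac(`${head}.${body}`, secret).toString("base64url")}`;
}

// Stand-in for the verifying side: accepts only tokens signed with ITS configured secret.
function verifyEmbedToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  const given = Buffer.from(sig, "base64url");
  const expected = hmac(`${head}.${body}`, secret);
  // Constant-time comparison; a length mismatch is rejected before comparing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (header.alg !== "HS256") return { ok: false, reason: "bad alg" };
  if (typeof payload.exp === "number" && payload.exp <= now) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, payload };
}

// Issue an embed URL only for a logged-in app user; the token expires after 10 minutes.
function embedUrlForUser(appSession, dashboardId, secret, siteUrl) {
  if (!appSession || !appSession.userId) return null; // hypothetical app session object
  const exp = Math.floor(Date.now() / 1000) + 600;
  const token = signEmbedToken({ resource: { dashboard: dashboardId }, params: {}, exp }, secret);
  return `${siteUrl}/embed/dashboard/${token}`;
}

// Constructed sample values, not real keys.
const CONFIGURED_SECRET = "constructed-embedding-secret-A"; // key the verifying side holds
const OTHER_SECRET = "constructed-random-token-B";          // any other freshly generated key
```

The secret never leaves the server; the browser only receives the short-lived signed URL, and only after the app's own login check has passed.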