GitHub user stgztsw added a comment to the discussion: The issue regarding obtaining an Embedded Token
> When you access Superset via embedding with a guest_token, the "current visitor" is a special GuestUser created from the claims in that token. This user is authenticated, but is not a regular logged-in user or the anonymous Public user. Superset checks permissions for dashboards, charts, and datasets based on the resources listed in the guest_token and the permissions of the guest role (by default, the "Public" role, but configurable via `GUEST_ROLE_NAME`) [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/guest_token.py)].
>
> If you see "Forbidden" errors on API endpoints like `/api/v1/dashboard/10`, it means the guest_token does not include the required resource (dashboard, chart, or dataset), or the guest role does not have permission to access it. To resolve this:
>
> 1. Make sure the guest_token includes the correct resources (dashboard, chart, dataset IDs) in its `resources` claim.
> 2. Ensure the guest role (usually "Public") has the necessary permissions to access those resources. You may need to adjust the role's permissions in Superset's security settings.
> 3. The dashboard must be published and configured for embedding, and the embedding domain must be allowed [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/dashboards/filters.py)].
>
> So, you should grant authorization to the guest user defined by the guest_token, by both including the right resources in the token and ensuring the guest role has access to those resources. If either is missing, Superset will return a 403 Forbidden error [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py)].
>
> _To reply, just mention [@dosu](https://go.dosu.dev/dosubot)._
>
> How did I do?
Hi @dosu, do you mean I need to claim the chartId and datasetId that require access in the resources field? I don't think this is a normal way to handle it, because if I modify the dashboard to add or replace a chart, I will have to modify the embedding request code again?

```javascript
const axios = require('axios');

// Function header assumed; the comment shows only the body of the function.
async function fetchGuestToken(dashboardId, accessToken, csrfToken) {
  const token = await axios.post('http://172.19.145.51:8088/api/v1/security/guest_token/', {
    "resources": [{ "type": "dashboard", "id": dashboardId }],
    "user": { "username": "test" },
    "roles": ["Viewer"],
    "rls": []
  }, {
    headers: {
      'Authorization': `Bearer ${accessToken}`,
      'X-CSRFToken': csrfToken,
    },
    withCredentials: true,
    // Note: `token` and `csrfToken` are not axios request options; axios ignores them.
    token: accessToken,
    csrfToken: csrfToken,
  });
  console.log(token);
  return token?.data.token;
}
```

GitHub link: https://github.com/apache/superset/discussions/35670#discussioncomment-14695957

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]
For additional commands, e-mail: [email protected]
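An added helper for the 403 diagnosis the bot describes; it is not code from this thread or from Superset. It decodes the guest_token payload locally and reports whether its `resources` claim names the dashboard the embed is loading, so a missing resource or an expired token is spotted before `/api/v1/dashboard/<id>` is called. Claim names other than `resources` (`exp`, `type`) and the sample token are assumptions.

```javascript
// Added example, not code from this discussion or from Superset.
// Decodes a guest_token JWT payload locally (no signature check; only the
// server holds the signing secret) so the embedding client can tell, before
// the dashboard request returns 403, what the `resources` claim grants.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Dashboard ids granted by the `resources` claim, normalised to strings
// because ids may be sent as numbers or strings.
function grantedDashboards(payload) {
  return (payload.resources || [])
    .filter((r) => r && r.type === 'dashboard')
    .map((r) => String(r.id));
}

// Returns a reason the embed will be refused for `dashboardId`, or null if
// the token itself looks sufficient (a 403 then points at the guest role's
// permissions). `now` is in seconds to match the assumed JWT `exp` claim.
function explainForbidden(token, dashboardId, now = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    return `token expired at ${payload.exp}`;
  }
  const granted = grantedDashboards(payload);
  if (!granted.includes(String(dashboardId))) {
    return `dashboard ${dashboardId} not in resources claim (granted: ${granted.join(', ') || 'none'})`;
  }
  return null;
}

// Constructed, unsigned sample token for offline demonstration only.
function buildSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}
```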
