Jonathan - Hello! We are working on a new produ...
Hello! We are working on a new product and I'm trying to embed a liveboard in it. In our other product we have this working but in the new product the embed widget shows a 403 forbidden error.
A few differences:
We are now using sub-organizations
The old product is in PHP and makes API calls through Guzzle, with the liveboard embedded using vanilla Javascript
The new platform is in NextJS (React) with the backend in NestJS, with the liveboard embedded using components
What does work:
All the backend API calls work
I can create users with auto_create=true
Users do show up in the sub organization
User groups do show up in the sub organization
The session callback works and returns a token
The call to our workspace /callosum/v1/session/isactive does not produce any errors
What doesn't work:
[domainredacted]/?embedApp=true&hostAppUrl=local-host&viewPortHeight=327&viewPortWidth=1512&sdkVersion=1.41.0&authType=AuthServerCookieless&blockNonEmbedFullAppAccess=true&cookieless=true&hideAction=[%22reportError%22,%22addToFavorites%22,%22makeACopy%22,%22renameModalTitleDescription%22,%22saveAsView%22,%22createLiveboard%22,%22AskAi%22,%22edit%22,%22pin%22,%22createMonitor%22,%22schedule-list%22,%22subscription%22,%22manageMonitor%22,%22showUnderlyingData%22]&preAuthCache=true&overrideConsoleLogs=true&clientLogLevel=ERROR&isLiveboardEmbed=true&isLiveboardHeaderSticky=true&isLiveboardHeaderV2Enabled=false&showLiveboardVerifiedBadge=true&showLiveboardReverifyBanner=true&hideIrrelevantFiltersAtTabLevel=false&enableDataPanelV2=true&enableCustomColumnGroups=false&arePdfCoverFilterPageCheckboxesEnabled=false&isLiveboardXLSXCSVDownloadEnabled=false#/embed/viz/2af65637-d302-4569-847f-4fd53f89f133
That call produces a 403. The new domain is added to all the security settings boxes. Nothing else was changed at the primary org level. Does anyone know what else I can check to diagnose why I'm getting a 403 from that call?
17 Replies
Hi @jONEz do you see any errors in console logs? If yes, please share that. Along with HAR file.
This liveboard is in a sub-org, so in all the API calls I have org_id set. The URL I tried using orgId in the init call but that didn't seem to do anything. For our host URL I'm using the same value as before, cardata.thoughtspot.cloud
Lindi put a support ticket in and they mentioned using the sub-org url, is that different? Where do I find it?
Tried some debug code I found in your documentation, it shows SDK Success
Hey @jONEz ,
Any mention of localhost in url is blocked by firewall.
you are using iconSprite=http://localhost:3000/img/thoughtspot-icons.svg, this is the reason for getting 403 , the firewall is blocking.Can you host this file on a proper cdn site and try.
Thanks.
I removed that and it still shows a 403.
Hey @jONEz ,
Can we do the following checks :
1. Ensure your new domain (including the port, e.g., localhost:3000 for local dev) is added to the CSP visual embed host and CORS allowlists in the ThoughtSpot Security Settings. Wildcards are not supported - you must specify the exact domain and port.
2. The user must have at least view access to the Liveboard and its underlying data source in the correct sub-organization.
I'm assuming you are trying to access the liveboard in embed with same user which has the liveboard access and that particular org.
When embedding from a sub-organization, you must explicitly set the org context. In the Visual Embed SDK, use the overrideOrgId parameter in your SDK initialization or embed config to ensure the embed loads content from the correct sub-org. The base host URL remains the same, but the org context is determined by this parameter. If you do not set it, you may get a 403 even if the Liveboard opens directly in the UI for that user and org.
If all good, we can get on a call. I think we already have support ticket - with internal thread.
Thanks.
Also has the error changed to somethign else can we get new har and new console logs.
Can we schedule a call? I tried what you said and I'm still getting a 403. I will attach a new HAR
I tried setting this in the EmbedConfig but it gave me an error saying the property is unknown. The only place I could put it to not produce an error was here. Still getting the 403.
I have that parameter in my token request call as well
the above har still shows the usage of iconspriteURl
Sure, please schedule a call. I think you already have internal ticket. and email thread. I'll add these details there.
CC : @jbc
Yeah it didn't make a difference but I can make another one with out
OH! Something must have been cached, it did load without that
yes please, that will help. I should have mentioned about the cache 9issue .
Give me a few to do some more tests
Ty for the help! It's loading now and I fixed the sprite sheet by mapping to a domain. It was a combo of both the org override and localhost.
Is there a way for me to mark this as resolved?
It's fine. I think there was email thread going on just maybe reply there. Thanks