Hello,

I’m working on a project to embed a Looker dashboard using the SSO embedding approach. Our client application provides an iframe and our application server provides the iframe’s src url using this pattern on the same page. This is all working fine - we are able to view and interact with the embedded dashboard in our application.

The problem, however, is it seems that when a user minimizes our application, views a different browser tab, etc. while our web application is in the background, upon returning to our application showing the embedded iframe, this error is thrown from the iframe:
 

The hosting application failed to send valid session tokens.
This may be a problem in the hosting application
but it could also be indicative of connection issues.

The source of the error seems to be from a Looker source file named something like scene_embed.js. Tracing through this file, it is clear that there is a visibilitychange event listener that kicks off a logic flow responsible for checking and requesting for valid session tokens. 

In regards to the Looker JavaScript Event documentation, it appears that this flow of logic sends a session:tokens:request event to the embedding client application. I have read up on the Action Reference documentation for this session:tokens:request event, but it leaves a some to be desired.

The questions I’m left with are as follows:

• First and foremost, when using the SSO approach, why is our embedded Looker instance requesting for session tokens in the first place? It is my understanding that we do not exchange tokens for this approach - we just use a signed url as the src of the iframe and Looker adds cookies if the url is valid.
• If the client application is responsible for responding to the session:tokens:request event/message, what is it expected to respond with beyond the properly formatted JSON { type: ‘session:tokens:request’ } data that is documented in order to get around this error?
• In general, how does the client application resolve the error quoted above?

For some added context, ignoring this error isn’t possible and it has become a problem for us because we would like to capture the session:status message in order to determine when the session has expired. Our client application can then provide the end-user a reload button that when clicked, generates a new SSO url for the iframe effectively renewing the session and allowing the user to continue. Again, tracing through the scene_embed.js source tells me that the check for valid tokens is closely tied to the logic that sends the session:status message to the embedded application. When Looker is missing valid session tokens, it seems the session:status message is never sent, unless I’m misunderstanding something crucial here.

What am I missing?