Using EmbedSDK with custom auth/login flow

  • 17 November 2022
  • 1 reply

I’m having issues getting my head around the auth flow here.

My flow is that I create a Looker user through the 4.0 Javascript SDK, and that’s all fine. I initialise the SDK on my server side (AWS Lambdas) using LOOKERSDK_CLIENT_ID and LOOKERSDK_CLIENT_SECRET that I embed for a common API user, purely for SDK init purposes. 

Once my own system user logs in I then grab their user specific client_id and client_secret that I have previously generated and stored in my own DB. I call sdk.login_user({client_id, client_secret}), and generate an authToken that can be pulled back to my React app, following the flow described in the LookerEmbedReference repo. The docs here suggest creating the browser side sdk with the CorsSessionHelper to manage user auth. Again, all fine.


My problem is that when I have created the token (by logging in the user on the SERVER side) I then try to use that token in the CorsSessionHelper util to do a basic call to get the user details to pass to LookerEmbedSDK, and keep getting unauthenticated errors from the sdk. 


So I’m becoming very confused here as to what I’m doing wrong. Am I making the wrong assumption that I should be using a service account credential to login each user on the server side? Will that auth token still be valid when returned to the browser in order to login/init the browser side sdk?


I can’t use the OAuth flow (I’m assuming I can’t anyway) due to the fact that I don’t want my users to have to directly log into Looker, which the docs suggest is a possibility when using the OAuth flow if they don’t have an active Looker session. I need to manage that internally. Which again the LookerEmbedReference repo suggests can be done using the CorsSessionHelper type setup.


So what am I missing? The user gets logged in on the server side, the access_token is created and returned, and the browser side sdk is initialised with that token endpoint and returned access_token. 

But then instantly I get a 401 when calling in the browser to actually verify the user. I’m stuck now trying to understand if my flow assumptions are correct. Should the sdk.login_user be done in the browser side? Is there a way to verify the browser sdk is correctly initialised?


There’s obviously a clear and easy way to manage this flow as it’s not overly complicated, I just can’t see what part I’m missing.


We’re under pressure to get this working and released so any help is appreciated :) 

This topic has been closed for comments

1 reply

Additional data - if I move my server side node sdk init to the auth endpoint that the EmbedSDK wants, I get errors indicating that looker is trying to call directly from an external endpoint (Looker) - my auth endpoint is internal/secured, so is this correct behaviour?


Second additional data - I removed the auth endpoint from my LookerEmbedSDK.init call to test, and the init passes, as does the createDashboardWithId(), and I see a bunch of the chatty debug messages in my browser console, but no error and no dashboard.


What stupid assumption am I making?