Create embed user with API

svickers
Participant III

We need to create a user in Looker before we try to embed a dashboard, but we are having trouble figuring out if it is even possible to create one with the API. I’ve tried posting to the create user endpoint with embedcredentials populated, but no luck. There is also no endpoint listed in the documentation to create embed credentials on their own like you can with other credential types. Has anybody had any luck with this?


It is possible to create an embed user via the API with the create user endpoint as long as you provide arguments for the credentials_embed array.

It is also possible to create users with the examples provided in our SSO examples GitHub repository. This doubles as an efficient way to build the embed URL too.

For more information please see our sso embed documentation.

Hoping this helps!
Bernard

svickers
Participant III

I gave that a shot yesterday but realized none of the embedded credentials were being sent to the api because in the swagger file they are all marked as readonly; this causes the generated .net client to not serialize them to json at all when posting the new user. That seems like an error in the swagger definition.

But I corrected it on my end so embed creds are definitely being posted, but the user is still being created as just a standard looker user. Here is the sample request:

POST https://xxx.looker.com:19999/api/3.0/users HTTP/1.1
Authorization: Bearer xxx
User-Agent: FxVersion/4.6.26814.03 Looker.LookerClient/1.0.0.0
Request-Id: |d797b619-4c8dcf38d2aec6ba.2.
Content-Type: application/json; charset=utf-8
Content-Length: 137
Host: xxx.looker.com:19999

{
  "first_name": "test",
  "last_name": "test",
  "credentials_embed": [
    {
      "external_user_id": "blah-blah"
    }
  ]
}

Response:

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 08 Oct 2018 20:50:50 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 831
Connection: keep-alive
Set-Cookie: looker.browser=12; expires=Thu, 07 Oct 2021 20:50:50 -0000; HttpOnly
Vary: Accept-Encoding
X-Content-Type-Options: nosniff

{
  "id": 88,
  "first_name": "test",
  "last_name": "test",
  "email": null,
  "is_disabled": false,
  "avatar_url": "https:\/\/gravatar.lookercdn.com\/avatar\/d41d8cd98f00b204e9800998ecf8427e?s=156&d=blank",
  "home_space_id": "111",
  "personal_space_id": 111,
  "credentials_email": null,
  "credentials_totp": null,
  "credentials_ldap": null,
  "credentials_google": null,
  "credentials_saml": null,
  "credentials_oidc": null,
  "credentials_api": null,
  "credentials_api3": [
    
  ],
  "credentials_embed": [
    
  ],
  "credentials_looker_openid": null,
  "locale": "en",
  "looker_versions": [
    
  ],
  "ui_state": null,
  "sessions": [
    
  ],
  "presumed_looker_employee": false,
  "verified_looker_employee": false,
  "embed_group_space_id": null,
  "display_name": "test test",
  "role_ids": [
    
  ],
  "group_ids": [
    1
  ],
  "url": "https:\/\/localhost:19999\/api\/3.0\/users\/88",
  "can": {
    "show": true,
    "index": true,
    "show_details": true,
    "index_details": true,
    "sudo": true
  }
}

Hey Scott,

Would you mind explaining your use case for creating the user first?

When we create users with a script at the same time as the embed url, as shown in our SSO examples GitHub repository that Bernard linked to above, we declare the permissions that user should have as part of creating them.

Embed users don’t usually get direct access to Looker - they access through the application or site where you’re embedding, so they don’t have credentials in the same way that Looker users do.

Best,
Molly

svickers
Participant III

Hi Molly - We are rolling our own filter implementation that is outside of the iframe. In order to get potential filter values we are using the query api, but this must be run in the context of the current user for data security. In our system we store the clientid and secret with our user records, if those are blank then we hit the endpoint to create api3 credentials for the user. This is a problem if the user does not yet exist in Looker.

To mitigate not being able to create the user with the api, we are showing an intermediate page after they log in to our system that has a 1x1 iframe pointing to a blank dashboard. This way we are sure the user now exists in Looker. A bit of a hack for sure and something we will always need to remember to carry forward as the product evolves.

@svickers
If you look at the previous comment, the SSO method of integrating and doing exactly what you are after is in there. We are doing this for our current and two future projects and it works without the need for API integration and allows for queries to be run as the current user, with external filtering. You just need to know how to compile the IFrame URL.

Paul

Hi Molly,

I’d like to chime in because we’re doing something similar. We’d like to create an embed user with API credentials, so that we can display embedded iframes and custom graphs using data from the API in our own portal. Part of the reason we want to do this is because loading several iframes at a time can be cumbersome.

We’d like to do this by creating the embedded user first (on login to the portal) with API keys, and then generate the embeds/graphs afterwards. I suppose we could work around this by loading the iframe from our portal server, doing a search for the user (based on the external_id), and then generating the API keys, but this is a little hacky and doesn’t seem to be a good practice.

Hey @chrism1,

I hope all is well! Would you mind elaborating on why the SSO embedding option would not fulfill the needs of this use case? Just trying to ensure that I have a clear understanding on my end.

Thanks,

Leticia

Hi Leticia,

The main use case here is mixed use of embeds and API calls. There are two reasons for this:

  1. Speed - in one dashboard of our portal, we’re embedding 6 iframes, 4 of which are single stat visualizations. Loading up 6 iframes is slow, and we’d like to display the single stat metrics without an iframe, so that it will render faster.

  2. Look and feel - given the example in #1, while the graph type visualizations look good while embedded as an iframe, the single stat metrics don’t fit in as well. I think they will look much better if we can style them using our own CSS framework.

I’ve thought about creating a regular user via the API, but then I’m not sure if the embeds will work unless Looker supports passing the access token as a GET variable. Even if that works, I’d rather not have the Looker access token accessible by the user, and would prefer to route any API type requests through our own service.

Thanks,

–Chris

Hi @chrism1

Thanks for the explanation! We might be able to use the login_user endpoint to create access tokens for your embed users - these users would already need to exist, but then you could use their individual access tokens for API calls.

Best,
Molly

Hi,

I know this is an old thread, but something that a number of my clients do is the following:

  • Construct the embed URL for a new user. It can point to a blank dashboard in a shared space. This URL encodes all important info about permissions, groups, user_attributes, etc.
  • Make a server side call to that embed URL. This will create the embed user with all the aforementioned configurations.
  • Instantiate the Looker API using Admin credentials.
  • Use the login_user endpoint to sudo as the embed user.
  • Make whatever API calls you need to make as that embed user

I wrote more about this here. Check it out!
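
The server-side half of the steps listed above (admin login, login_user, one API call as the embed user), as an added example that is not part of the original post and is not Looker's own code. The host is a placeholder, and the endpoint paths are assumed from Looker API 3.1 and should be checked against your instance; it also assumes the embed user already exists because the signed embed URL was requested first.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://looker.example.com:19999/api/3.1"  # placeholder host (assumption)


def http_call(method, url, token=None, form=None, body=None):
    """Default transport: returns (status, parsed JSON or None on HTTP error)."""
    data, headers = None, {}
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def run_as_embed_user(external_user_id, query, admin_id, admin_secret, call=http_call):
    """Admin login, look up the embed user, login_user (sudo), run one inline query."""
    status, admin = call("POST", API + "/login",
                         form={"client_id": admin_id, "client_secret": admin_secret})
    if status != 200:
        raise PermissionError("admin API login failed")
    admin_token = admin["access_token"]
    # Assumed path: look the user up by embed credential (external_user_id).
    ext = urllib.parse.quote(external_user_id, safe="")
    status, user = call("GET", f"{API}/users/credential/embed/{ext}", token=admin_token)
    if status != 200:
        raise LookupError("embed user not found: request the signed embed URL first")
    status, sudo = call("POST", f"{API}/login/{user['id']}", token=admin_token)
    if status != 200:
        raise PermissionError("login_user failed for user %s" % user["id"])
    status, rows = call("POST", API + "/queries/run/json",
                        token=sudo["access_token"], body=query)
    if status == 404:  # reported later in this thread: user had no model access
        raise PermissionError("404 as embed user: check group/model access")
    if status != 200:
        raise RuntimeError("query failed with HTTP %d" % status)
    return rows  # only result rows leave this function; both tokens stay server-side
```

Because the function returns only result rows, neither the admin token nor the embed user's token has to reach the browser, which matches the wish earlier in the thread to route API requests through your own service.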

ezmarques
Participant I

Hi Jesse,

I did exactly what you suggest but it's not working.

When I call the endpoint /api/4.0/queries/run/ with the embed user token, I receive a 404 error.

Can you please help me out?

ezmarques
Participant I

Hi Jesse,

The problem was I created an embed user that did not have access to any model.

After I assign the user to a group it worked perfectly!

Nice @ezmarques! Glad you were able to get things to work! By the way, I see you’re using the 4.0 version of Looker’s API. This is an experimental version of our API. I would recommend not using it in any production environment. The 3.1 version is the current stable version.

Hi guys, the SSO embed URL works fine for me, but when I am trying to use the API to create an embed user, the user gets created as a normal Looker user and the embed credentials and groups I assigned are not reflected. Even the response for the embed credentials is blank. Can someone help?

Request:

{
  "credentials_api3": [],
  "credentials_email": null,
  "credentials_embed": [
    {
      "external_group_id": "team1",
      "external_user_id": "user-18",
      "type": "embed",
      "is_disabled": false,
      "can": {}
    }
  ],
  "credentials_google": null,
  "credentials_ldap": null,
  "credentials_looker_openid": null,
  "credentials_oidc": null,
  "credentials_saml": null,
  "credentials_totp": null,
  "email": null,
  "first_name": "Testing",
  "home_space_id": "1",
  "last_name": "API",
  "locale": "en",
  "models_dir_validated": false,
  "ui_state": null,
  "home_folder_id": "1",
  "presumed_looker_employee": false,
  "sessions": [],
  "verified_looker_employee": false,
  "roles_externally_managed": false,
  "allow_direct_roles": true,
  "allow_normal_group_membership": true,
  "allow_roles_from_normal_groups": true,
  "display_name": "Testing API",
  "group_ids": [
    7
  ],
  "is_disabled": false,
  "role_ids": [
    3,
    73
  ],
  "can": {
    "show": true,
    "index": true,
    "show_details": true,
    "index_details": true,
    "sudo": true
  }
}

svickers
Participant III

It is not possible to create embed users with the API. If you construct an SSO url and make a get request through server side code, or put it in a 1x1 iframe on a page, it will create the user. After that you can do API calls in the scope of the embed user.

I’m looking for a way to update the embed credentials of a user, any idea how to do that? I cannot recreate the embed user since I want him to keep his personal dashboards, but I need to update the external_user_id field of the embed credentials.

I cannot construct an SSO url using the new external_user_id since it will create a new user.

Hi, according to the second comment

It is possible to create an embed user via the API with the create user endpoint as long as you provide arguments for the credentials_embed array.

Could you share with me an example of an API call for Python? Now I see an empty embedded section after user creation.

@DartBond @svickers  @jesse_carah is there an update on this?

If we are trying to embed into a mobile app then it would be nice not to create an embed url or use a 1x1 iframe; the purpose of embedding (I think) would be to use an external userid etc.