Last tested:  June 2020

What is it?

The Cross-Origin Resource Sharing (CORS) is a mechanism that allows browser-based applications to directly call the Looker API without having to use an intermediary proxy server for the API calls! This will make it so you can more easily use the Looker API in you apps without implementing additional infrastructure. CORS greatly simplifies PBL application setup. It saves developer time, infrastructure costs, and operational overhead.

How to install it?

1. Go to {{ host_url }}/admin/labs page

2. Enable the Experimental feature “Looker API CORS”

3. Open the Web API Explorer (most often {{ host_url }}:19999/api-docs/index.html)

4. Select the version API 4.0 from the dropdown (3.0 and 3.1 do not have this call)

5. Login with your API client_id & client_secret (or go create them if you haven’t)

6. Use register_oauth_client_app() to define your web app for Looker

7. In your web app, when you want to engage the Oauth login with the interactive user, you send a web request to the /auth endpoint on the Looker UI web service (port 9999 in local dev)

8. This will bounce through the normal Looker login page, using whatever login system the Looker instance has been configured to use (LDAP, SAML, etc).

9. A) If the user is already logged into Looker UI in the current browser (live login cookie state), the user won’t be prompted to enter creds.
   B)/ If this is the first time this user has engaged with this web app, looker will show a disclosure/confirmation page for the user to acknowledge/accept. Are you sure? kinda thing.  The description text in the app registration is what will be displayed - it should indicate what the app intends to do with the user’s Looker account. When the user clicks accept, the page will redirect to your app redirect_uri
   C)/ If the user is already logged into Looker in the current browser and has already acknowledged the disclosure page, then the Oauth login “bounce” through Looker login will be instantaneous with no visual interruption. boom, done.

10. When the Oauth redirect lands in your app, grab the auth code in the URI params.

11. Make a web request to the /token endpoint on the Looker API web service, passing in the auth code and your app info

12. A successful response will provide you with an API access_token which is enabled for CORS api requests, but only from your web app domain.

13. The auth response will also contain a refresh_token which you can use later to get a new access_token without user interaction. refresh_tokens have a 1 month lifetime. Store these carefully/securely.

14. all tokens in this system can be revoked by admin action at any time. Apps should always be prepared to fall back to interactive user login (Oauth auth_code workflow).

Things to Know!

• Which Looker versions support CORS? Looker version 7.10+

• Which Looker API versions support CORS? It is only supported on API 4.0 APIs.

• How long is the lifetime of the refresh_tokens? 1 month

• Can I just use CORS to access the /login endpoint? No, it is forbidden, web applications should not touch user credentials.

• When the UI admin page is developed what will be there? The admin page will allow to configure & administrate the CORS api enablement, and Oauth web app registration.

• When enabling the instance feature, do we expect this to have any implications for customers who've already implemented applications via a proxy? All existing apps that access the Looker API via server scripts, /login with API creds should be completely unaffected by the new CORS support.

• Will there be a limit to the number of applications that can be registered? Nope, there are no limits put in the product’s code.

• The OAuth related API calls are showing as Beta, do we have an idea when these would become GA? The Oauth feature and Oauth associated endpoints will advance to “stable”/GA on the same timeline as API 4.0 GA.

• Can I share tokens across apps? CORS access_tokens are not and will not be sharable. They should only be usable by the web app they were created for!