dosubot[bot] commented on issue #33902:
URL: https://github.com/apache/superset/issues/33902#issuecomment-3004179195

A 403 Forbidden error when embedding dashboards with guest tokens in Superset is usually caused by one of these issues:

- The guest token is missing required claims, is expired, or is not scoped to the correct dashboard. Make sure the token includes the correct dashboard id or uuid in its resources and is signed with the right secret and audience settings. Any mismatch or missing claim will cause a 403 error ([details](https://github.com/apache/superset/blob/6876a1e6843cd1f28f4206ca2dd75342dfddcf26/superset/security/manager.py)).
- The dashboardId is missing from the form_data sent to the backend (especially after recent frontend refactors). This is a known cause of 403 errors for embedded dashboards. Ensure that your embedding code includes the dashboardId in all chart data requests ([see fix](https://github.com/apache/superset/issues/32552), [another example](https://github.com/apache/superset/issues/32869)).
- The EMBEDDED_SUPERSET feature flag must be enabled, and the dashboard must be published and configured for embedding. The allowed_domains for the embedded dashboard must include the domain from which you are embedding, and the referrer must match ([source](https://github.com/apache/superset/blob/6876a1e6843cd1f28f4206ca2dd75342dfddcf26/superset/embedded/view.py)).
- CORS and X-Frame-Options headers must allow embedding from your domain. Check your superset_config.py for ENABLE_CORS, ALLOWED_DOMAINS, and OVERRIDE_HTTP_HEADERS settings ([example config](https://github.com/apache/superset/issues/33702)).
- If you use GLOBAL_ASYNC_QUERIES, embedding and Superset must be on the same domain, or async features may fail and cause errors ([see discussion](https://github.com/apache/superset/issues/33561)).
- Row-level security (RLS) rules can cause 403s if misconfigured or referencing missing columns ([see example](https://github.com/apache/superset/issues/32869)).

Troubleshooting checklist:
1. Double-check your guest token generation: correct dashboard id/uuid, correct secret, correct audience, not expired.
2. Make sure dashboardId is present in all form_data sent to the backend.
3. Confirm EMBEDDED_SUPERSET is enabled and the dashboard is published and configured for embedding.
4. Verify allowed_domains for the embedded dashboard includes your embedding domain, and the browser referrer matches.
5. Check CORS and X-Frame-Options settings.
6. If using async queries, ensure embedding and Superset are on the same domain.
7. Review any RLS rules for errors.

If you still see 403s, please share your guest token payload (with secrets redacted), your superset_config.py embedding-related settings, and the network request details for the failing API call. This will help pinpoint the issue.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
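Step 1 of the checklist above (correct dashboard uuid in `resources`, correct secret, correct audience, not expired) can be checked offline before the token ever reaches Superset. The script below is an added example, not code from the comment or from the Superset project: it builds a few guest tokens the way an embedding backend would and reports, for each, every reason Superset's guest-token verification would reject it. The claim layout it assumes (`type: "guest"`, `aud`, `exp`, and `resources` entries of the form `{"type": "dashboard", "id": <embedded uuid>}`) is the author's reading of Superset's guest-token format and should be confirmed against your Superset version; the secret, audience URL and dashboard uuid are constructed placeholders that must be replaced with your `GUEST_TOKEN_JWT_SECRET`, `GUEST_TOKEN_JWT_AUDIENCE` and embedded-dashboard uuid. HS256 is implemented with the standard library so the script runs without PyJWT.

```python
"""Offline pre-flight check of a Superset embedded-dashboard guest token.

Added example, not Superset's own code. Claim names are an assumption
about Superset's guest-token format; verify against your version.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_guest_token(payload: dict, secret: str) -> str:
    """HS256-sign a payload, as an embedding backend would (demo signer, not Superset's)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_guest_token(token: str, secret: str, expected_aud: str,
                      dashboard_uuid: str, now: Optional[float] = None) -> List[str]:
    """Return every reason the token would fail the checks in step 1; [] means it passes."""
    problems: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, json.JSONDecodeError):
        return ["header or payload is not valid base64url JSON"]

    # Signature: a wrong GUEST_TOKEN_JWT_SECRET shows up here, not as a clear error message.
    if header.get("alg") != "HS256":
        problems.append(f"alg {header.get('alg')!r} is not HS256; this checker only verifies HS256")
    expected_sig = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        problems.append("signature does not verify with the supplied secret")

    # Claims Superset's guest-token verification is expected to look at (assumed layout).
    if claims.get("type") != "guest":
        problems.append("claim 'type' is not 'guest'")
    if claims.get("aud") != expected_aud:
        problems.append(f"aud {claims.get('aud')!r} does not match expected audience {expected_aud!r}")
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= current:
        problems.append("token expired")

    # The dashboard being embedded must be named in resources, by its embedded uuid.
    resources = claims.get("resources") or []
    dashboard_ids = {str(r.get("id")) for r in resources if isinstance(r, dict) and r.get("type") == "dashboard"}
    if str(dashboard_uuid) not in dashboard_ids:
        problems.append(f"dashboard {dashboard_uuid!r} not in resources {sorted(dashboard_ids)}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed tokens: one correct and three with a single checklist-item defect each."""
    secret = "demo-secret-replace-with-GUEST_TOKEN_JWT_SECRET"      # constructed placeholder
    aud = "https://superset.example.internal"                      # placeholder audience
    dash = "0c1d2e3f-aaaa-bbbb-cccc-ddddeeeeffff"                   # placeholder embedded uuid
    issued, frozen_now = 1_700_000_000, 1_700_000_100
    base = {
        "user": {"username": "embed-viewer"},
        "resources": [{"type": "dashboard", "id": dash}],
        "rls_rules": [],
        "iat": issued, "exp": issued + 300, "aud": aud, "type": "guest",
    }
    tokens = {
        "good": sign_guest_token(base, secret),
        "wrong_secret": sign_guest_token(base, "some-other-secret"),
        "expired": sign_guest_token({**base, "exp": issued + 50}, secret),
        "wrong_dashboard": sign_guest_token(
            {**base, "resources": [{"type": "dashboard", "id": "not-the-embedded-uuid"}]}, secret),
        "wrong_audience": sign_guest_token({**base, "aud": "https://other.example"}, secret),
    }
    return {name: check_guest_token(t, secret, aud, dash, now=frozen_now) for name, t in tokens.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against a real token by calling `check_guest_token(token, GUEST_TOKEN_JWT_SECRET, <audience>, <embedded uuid>)` with the values from your superset_config.py and the embed dialog; a non-empty list is the claim Superset is most likely rejecting, which is far more useful than the bare 403 the browser shows. Redact the secret before sharing the output in the issue.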