Secure embedding

As a concept, embedding displays a DoubleCloud Visualization chart inside an iframe . To prevent your embedded content's viewers from getting unauthorized access to your data through the iframe, we sign every embedded entity with a JSON Web Token (JWT).

Embedded chart rendering process

If you want to integrate a chart into your product, your web server will need to make requests to DoubleCloud each time the user updates the page containing the iframe with a chart.

You can see the process in the following diagram:


As shown above, the process of embedding passes through the following stages:

  1. The user opens the web page containing an iframe. It sends a request to the Visualization address that looks as follows:<TOKEN>
  2. The browser extracts the token from the above URL and sends it to the Charts API.

  3. The API exchanges the token for the chart configuration. At this stage, the service:

    • Extracts the chart's embed ID from the token to retrieve the secrets from the database.

    • Validates the token using the secret's public key.

    • Verifies the query to the data source. It checks whether the embedded chart's Entry ID corresponds to the chart_id and the identifiers of all its relevant dependencies.

  4. After receiving the chart configuration, the service processes the visualization the same way it does within the DoubleCloud console.

  5. The Data Backend uses the extracted token to fetch configurations for the embedded chart's connection and dataset.

  6. The United Storage unpacks the token and uses the chart's embed ID to validate the token and to authorize the current query.

Using unsigned parameters

If you specify one or more unsigned parameters while creating an embedding entity, you can pass those parameters directly to the URL, not to the JWT token.

This allows changing some chart parameters on the client side without regenerating the embedding token on the client. It can help implement such a date-time interval picker:


Row-level security in embedded charts

Row-level security (RLS) allows you to limit user access to data within the dataset used to generate a chart.

By default, the token for the embedded chart transfers no specific user credentials. This means the dataset will block the embedded chart's access to any RLS-protected fields.

If you want to display specific RLS-protected data in your embedded chart, pass a username as a signed parameter to apply the relevant RLS settings to your embedded chart.

See also