Same dashboard embed url failed to render second time

Hi,

I’m using generate_embed_url_for_anonymous_user (SessionTags is being used and SessionLifetimeInMinutes is set to 600) to render a URL for the frontend to embed. This was all working fine until I navigated away from the page embedding the dashboard and back, where I got the error “Embedding failed because of invalid URL or authorization code. Both of these must be valid and the authorization code must not be expired for embedding to work”.

So internally, I’m using a GraphQL endpoint to generate the embed URL for the frontend. I think when I revisited the page GraphQL used the cached URL instead of sending the request again, and this is where the issue occurred. I think this should work as the session/token is still valid? Is it possible that I don’t need to call the GraphQL endpoint every time the page is visited until the session is expired?

Also, since the URL is exposed in the frontend, a customer can potentially tamper with the URL, since I have included some sensitive params in it. How is QuickSight able to prevent this?

Thanks,


hi @Leon,

the URL generated by the API has 5 min validity as the temporary session token is contained. and once it is redeemed within the period, it can’t be reused again. when you navigated away from the embedded dashboard page and revisited, I am wondering if the user session is renewed… and then it tried to use the same URL generated earlier from the cache…?

for your sensitive parameters, you can pass parameters using javascript SDK : amazon-quicksight-embedding-sdk - npm

hope this helps.

kind regards,
Wakana

https://docs.aws.amazon.com/cli/latest/reference/quicksight/generate-embed-url-for-anonymous-user.html

Thanks for the reply @Wakana

So you are saying once the url is used it can’t be reused to render the dashboard even within this 5 mins of session?

> when you navigated away from the embedded dashboard page and revisited, I am wondering if the user session is renewed

By default, the call to generate_embed_url_for_anonymous_user is only executed when GraphQL doesn’t have the result cached; all subsequent calls will use the cached version until the page is refreshed. This is when I get the error. I can fix the issue by making GraphQL make the call every time the page is visited, but I am just wondering why I get the error when I use the same dashboard URL seconds after it’s generated.

Thanks,

yes, for security reasons, the generated URL has validity and is single use only, which prevents the URL from being passed to anyone who would be able to see the dashboard.

but once it is redeemed on the browser, as long as the session whose length you configured as 600s is valid, the embedded dashboard is available. I am guessing when you revisit the page, the page is reloaded (=the session is renewed)?

kind regards,
Wakana
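
An added example, not code from the thread: a Python Lambda handler that mints a new embed URL on every request, since the URL is single use as described above, and marks the response non-cacheable. The account and dashboard IDs are placeholders, and the `tenant_id` tag key and the API Gateway authorizer context are assumptions.

```python
import json
import os

ACCOUNT_ID = os.environ.get("AWS_ACCOUNT_ID", "111122223333")          # placeholder
DASHBOARD_ID = os.environ.get("DASHBOARD_ID", "example-dashboard-id")  # placeholder
REGION = os.environ.get("AWS_REGION", "us-east-1")


def _quicksight_client():
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return boto3.client("quicksight", region_name=REGION)


def build_embed_response(tenant_id, client=None):
    """Mint a new single-use embed URL; never return one from an earlier call."""
    client = client or _quicksight_client()
    dashboard_arn = f"arn:aws:quicksight:{REGION}:{ACCOUNT_ID}:dashboard/{DASHBOARD_ID}"
    result = client.generate_embed_url_for_anonymous_user(
        AwsAccountId=ACCOUNT_ID,
        Namespace="default",
        SessionLifetimeInMinutes=600,
        AuthorizedResourceArns=[dashboard_arn],
        ExperienceConfiguration={"Dashboard": {"InitialDashboardId": DASHBOARD_ID}},
        # The row-level-security tag value is chosen server-side, not by the browser.
        SessionTags=[{"Key": "tenant_id", "Value": tenant_id}],  # hypothetical tag key
    )
    return {
        "statusCode": 200,
        # The URL can be redeemed once, so no HTTP cache layer may store it.
        "headers": {"Cache-Control": "no-store", "Pragma": "no-cache"},
        "body": json.dumps({"embedUrl": result["EmbedUrl"]}),
    }


def lambda_handler(event, context, client=None):
    # Assumption: an API Gateway authorizer placed the tenant in the request context.
    claims = event.get("requestContext", {}).get("authorizer", {})
    tenant_id = claims.get("tenant_id")
    if not tenant_id:
        return {
            "statusCode": 403,
            "headers": {"Cache-Control": "no-store"},
            "body": json.dumps({"error": "no tenant in authorizer context"}),
        }
    return build_embed_response(tenant_id, client)
```

The `Cache-Control` header only covers HTTP-level caches; a GraphQL client's in-memory result cache has to be bypassed separately for this field.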

> for your sensitive parameters, you can pass parameters using javascript SDK : amazon-quicksight-embedding-sdk - npm

I’m using a lambda to generate the dashboard by calling generate_embed_url_for_anonymous_user from boto3 quicksight client and client side will simply embed the url passed from the lambda. I prob will not use the JS sdk.

My concern is the dashboard url will be exposed to the client side and what kind of OOTB mechanism is in place to prevent user from tampering with the url from QuickSight end. I also have RLS enabled for the sensitive column.

Pointers to the issue are also appreciated.

Thanks,


If I use GenerateEmbedUrlForRegisteredUser to get the EmbedUrl, can I use the embedUrl multiple times?
Currently, I can only use the embedUrl once. I am using the following code to get the embedUrl:

		var credentials = await AssumeRole(_userName, _iamRoleArn);
		var client = new AmazonQuickSightClient(credentials, _region);
		try
		{
			var ret = await client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
			{
				AwsAccountId = _awsAccountID,
				DashboardId = _dashboardId,
				Namespace = default,
				IdentityType = EmbeddingIdentityType.QUICKSIGHT,
				SessionLifetimeInMinutes = 600,
				UndoRedoDisabled = true,
				ResetDisabled = true,
				UserArn = _userArn
			}).ConfigureAwait(false);
			return ret.EmbedUrl;
		}
		catch (Exception ex)
		{
			Console.WriteLine(ex.Message);
		}
		return null;

Can you tell me what is wrong? If you have an example, please let me know. I am stuck now.