You can embed SeekTable reports into your web application securely by enabling JWT-based authorization for published reports or for the read-only app view. Secure embedding is available only for self-hosted SeekTable and only for users with an Advanced Publishing subscription. How it works:
Your web app: generates a signed JSON Web Token
→ Secure report link: the JWT is passed to the SeekTable report as a URL parameter or as a cookie
→ SeekTable: decodes/verifies the JWT and applies its claims as report parameters.
The JWT lifetime can be limited by its expiration date. JWT claims (payload) may contain report parameters, and in this way you can organize row-level security for embedded reports (without SSO): each user of your 'main' app may have its own set of parameters that restricts access to the data. Users cannot change these parameters because their JWT tokens are signed with a secret key. JWT tokens may also be encrypted with a symmetric algorithm, in which case even the values of the parameters passed in the JWT are protected (they cannot be read by end-users).
If you want to evaluate this feature before purchase you can request free 14-day trial.
How to enable JWT-based auth for embedded SeekTable views:
Find the docker-compose.seektable.env file and add the following lines:
SeekTable_ST:PublicReport:AuthJwtUrlParameter=auth
SeekTable_ST:PublicReport:AuthJwtCookieName=cookie_name_or_empty_if_not_used
SeekTable_ST:PublicReport:AuthJwt:ValidIssuer=your_web_app_issuer_value
SeekTable_ST:PublicReport:AuthJwt:ValidateIssuer=true
SeekTable_ST:PublicReport:AuthJwt:ValidateAudience=false
SeekTable_ST:PublicReport:AuthJwt:ValidateLifetime=true
SeekTable_ST:PublicReport:AuthJwt:ValidateIssuerSigningKey=true
SeekTable_ST:PublicReport:AuthJwt:IssuerSigningKeyString=your_secret_signing_key_min_16_chars
If you want to use encrypted JWT also add:
SeekTable_ST:PublicReport:AuthJwt:TokenDecryptionKeyString=your_secret_decryption_key_min_16_chars
Then re-create the seektable/seektable docker container (this is performed automatically if you use docker-compose up to start the containers).
Now you should see a Security tab on the "Configure Published Report" form:
The following code snippets illustrate how to generate a JSON Web Token (.NET, using the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages):
// 1) Signed JWT (HS256)
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

var handler = new JwtSecurityTokenHandler();
// the key must be the same value as SeekTable_ST:PublicReport:AuthJwt:IssuerSigningKeyString
var signingCredentials = new SigningCredentials(
    new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_signing_key_min_16_chars")),
    SecurityAlgorithms.HmacSha256Signature);
var token = handler.CreateJwtSecurityToken(
    // each claim is applied as a report parameter that the end-user cannot change
    subject: new ClaimsIdentity(new[] { new Claim("report_param_name", "report_param_val") }),
    signingCredentials: signingCredentials,
    audience: "",                            // not checked: ValidateAudience=false
    issuer: "your_web_app_issuer_value",     // must equal SeekTable_ST:PublicReport:AuthJwt:ValidIssuer
    expires: DateTime.UtcNow.AddMinutes(30)); // checked because ValidateLifetime=true
var jwt = handler.WriteToken(token);

// 2) Signed and encrypted JWT (JWE); requires TokenDecryptionKeyString on the SeekTable side
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

var handler = new JwtSecurityTokenHandler();
var signingCredentials = new SigningCredentials(
    new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_signing_key_min_16_chars")),
    SecurityAlgorithms.HmacSha256Signature);
// the decryption key must be the same value as SeekTable_ST:PublicReport:AuthJwt:TokenDecryptionKeyString;
// Aes128KW wraps the content-encryption key with a 128-bit (16-byte) key
var encryptCredentials = new EncryptingCredentials(
    new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_decryption_key_min_16_chars")),
    SecurityAlgorithms.Aes128KW,
    SecurityAlgorithms.Aes128CbcHmacSha256);
var tokenDescriptor = new SecurityTokenDescriptor
{
    Audience = "",
    Issuer = "your_web_app_issuer_value",
    Subject = new ClaimsIdentity(new[] { new Claim("report_param_name", "report_param_val") }),
    Expires = DateTime.UtcNow.AddMinutes(5),
    EncryptingCredentials = encryptCredentials,
    SigningCredentials = signingCredentials
};
var encryptedJwt = handler.CreateEncodedJwt(tokenDescriptor);
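For platforms other than .NET, here is an added stdlib-only Python equivalent of the signed (not encrypted) token above; it is example code written for this page, not SeekTable's own code. It also includes a verifier applying the same checks the env settings above turn on (issuer, lifetime, signing key, no audience check), which shows why an end-user cannot edit a report parameter carried in the token; the key and issuer values are the page's placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"your_secret_signing_key_min_16_chars"  # same value as IssuerSigningKeyString
ISSUER = "your_web_app_issuer_value"                    # same value as ValidIssuer


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_report_jwt(report_params: dict, lifetime_sec: int = 1800, now: Optional[int] = None) -> str:
    """Compact HS256 JWT; every key in report_params becomes a claim, i.e. a report parameter."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = dict(report_params, iss=ISSUER, iat=now, exp=now + lifetime_sec)
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_report_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Mirror the env settings: ValidateIssuerSigningKey, ValidateIssuer, ValidateLifetime on,
    ValidateAudience off. Returns the report parameters, or None when the token is rejected."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64url, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None  # also refuses alg=none and algorithm substitution
    expected = hmac.new(SIGNING_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # any edited claim invalidates the signature
    exp = claims.get("exp")
    if claims.get("iss") != ISSUER or not isinstance(exp, int) or exp <= now:
        return None
    return {k: v for k, v in claims.items() if k not in ("iss", "iat", "exp")}
```

Append the result of create_report_jwt(...) to the report URL as the parameter named by AuthJwtUrlParameter (auth in the configuration above) or set it as the configured cookie.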
If you don't use C#/.NET, check the documentation of your development platform on how to generate a JSON Web Token. Notes:
There are 2 ways to pass the generated JWT to a report embedded with an IFRAME:
- as a URL parameter (its name is defined by the SeekTable_ST:PublicReport:AuthJwtUrlParameter setting)
- as a cookie (its name is defined by the SeekTable_ST:PublicReport:AuthJwtCookieName setting)
Important notes:
If you want to offer users of your app the capability to make ad-hoc queries, you can embed the read-only SeekTable app view; to get the idea, just imagine that the whole demo.seektable.com view is embedded (without the top menu):
Technically this works in this way: your web app generates a JWT that contains a seektable_user_email claim with the login email of the SeekTable 'master' account you want to embed.
This JWT may contain additional name-value pairs that override the corresponding report parameters (end-users will not be able to change these report parameters).