Setup SeekTable for secure embedding
You can embed SeekTable reports into your web application in a secure way by enabling JWT-based authorization for published reports. Secure embedding is available only for self-hosted SeekTable and only for users with Advanced Publishing subscription. How it works:
|
Your web app
Generates secure JSON Web Token |
→
|
Secure report link
JWT is passed to SeekTable report as an URL parameter or cookie |
→
|
SeekTable
Decodes/verifies JWT and applies claims as report parameters. |
JWT lifetime can be is limited by its expiration date. JWT claims may be used as report parameters and in this way you can organize row-level security for embedded reports (without need to use SSO). JWT may be encrypted with symmetric algorithm if needed.
If you want to evaluate this feature before purchase you can request free 14-day trial.
Part 1: Configure SeekTable JWT validation for published reports
Find docker-compose.seektable.env file and add the following lines:
SeekTable_ST:PublicReport:AuthJwtUrlParameter=auth SeekTable_ST:PublicReport:AuthJwtCookieName=cookie_name_or_empty_if_not_used SeekTable_ST:PublicReport:AuthJwt:ValidIssuer=your_web_app_issuer_value SeekTable_ST:PublicReport:AuthJwt:ValidateIssuer=true SeekTable_ST:PublicReport:AuthJwt:ValidateAudience=false SeekTable_ST:PublicReport:AuthJwt:ValidateLifetime=true SeekTable_ST:PublicReport:AuthJwt:ValidateIssuerSigningKey=true SeekTable_ST:PublicReport:AuthJwt:IssuerSigningKeyString=your_secret_signing_key_min_16_chars
If you want to use encrypted JWT also add:
SeekTable_ST:PublicReport:AuthJwt:TokenDecryptionKeyString=your_secret_decryption_key_min_16_chars
Then re-start your self-hosted SeekTable docker container (docker-compose restart).
Now you should see Security tab on "Configure Published Report" form:
Part 2: Generate JWT in your web application
The following code snippets illustrate how to generate JSON Web Token (.NET):
var handler = new JwtSecurityTokenHandler();
var signingCredentials = new SigningCredentials(
new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_signing_key_min_16_chars")),
SecurityAlgorithms.HmacSha256Signature);
var token = handler.CreateJwtSecurityToken(
subject: new ClaimsIdentity(new[] { new Claim("report_param_name", "report_param_val") }),
signingCredentials: signingCredentials,
audience: "",
issuer: "your_web_app_issuer_value",
expires: DateTime.UtcNow.AddMinutes(30));
var jwt = handler.WriteToken(token);
var handler = new JwtSecurityTokenHandler();
var signingCredentials = new SigningCredentials(
new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_signing_key_min_16_chars")),
SecurityAlgorithms.HmacSha256Signature);
var encryptCredentials = new EncryptingCredentials(
new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_decryption_key_min_16_chars")),
SecurityAlgorithms.Aes128KW,
SecurityAlgorithms.Aes128CbcHmacSha256);
var tokenDescriptor = new SecurityTokenDescriptor {
Audience = "",
Issuer = "your_web_app_issuer_value",
Subject = new ClaimsIdentity(new[] { new Claim("report_param_name", "report_param_val") }),
Expires = DateTime.UtcNow.AddMinutes(5),
EncryptingCredentials = encryptCredentials,
SigningCredentials = signingCredentials
};
var encryptedJwt = handler.CreateEncodedJwt(tokenDescriptor);
If you don't use C#/.NET please check your development platform about how to generate JSON Web Token. Notes:
- signing should use symmetric algorithm
- encryption should use symmetric algorithm
- key length should be at least 16 bytes
Part 3: Pass JWT to embedded SeekTable report
There are 2 ways how you can pass generated JWT to the report embedded with IFRAME:
- as an URL parameter (parameter name is configured by
SeekTable_ST:PublicReport:AuthJwtUrlParametersetting) - as a cookie (cookie name is configured by
SeekTable_ST:PublicReport:AuthJwtCookieName)
This approach is possible only if self-hosted SeekTable is accessed as a sub-domain of your main web application.
Important notes:
- JWT authorization is used only for published reports where Link access control is set to JSON Web Token.
- Owner of published report always can view it (when logged in), even without JWT or if JWT is invalid. It is recommended to test secure published reports in another browser session (incognito/private window).