Bug description
The bug is that we are embedding a dashboard using the SDK and generating a guest token, but after loading a particular dashboard it shows 403 Forbidden.
Screenshots/recordings
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
Getting a Forbidden error while embedding a dashboard using the SDK. Can you provide any solution for this?
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
A 403 Forbidden error when embedding dashboards with guest tokens in Superset is usually caused by one of these issues:
- The guest token is missing required claims, is expired, or is not scoped to the correct dashboard. Make sure the token includes the correct dashboard id or uuid in its resources and is signed with the right secret and audience settings. Any mismatch or missing claim will cause a 403 error (details).
- The dashboardId is missing from the form_data sent to the backend (especially after recent frontend refactors). This is a known cause of 403 errors for embedded dashboards. Ensure that your embedding code includes the dashboardId in all chart data requests (see fix, another example).
- The EMBEDDED_SUPERSET feature flag must be enabled, and the dashboard must be published and configured for embedding. The allowed_domains for the embedded dashboard must include the domain from which you are embedding, and the referrer must match (source).
- CORS and X-Frame-Options headers must allow embedding from your domain. Check your superset_config.py for ENABLE_CORS, ALLOWED_DOMAINS, and OVERRIDE_HTTP_HEADERS settings (example config).
- If you use GLOBAL_ASYNC_QUERIES, embedding and Superset must be on the same domain, or async features may fail and cause errors (see discussion).
- Row-level security (RLS) rules can cause 403s if misconfigured or referencing missing columns (see example).
Troubleshooting checklist:
1. Double-check your guest token generation: correct dashboard id/uuid, correct secret, correct audience, not expired.
2. Make sure dashboardId is present in all form_data sent to the backend.
3. Confirm EMBEDDED_SUPERSET is enabled and the dashboard is published and configured for embedding.
4. Verify allowed_domains for the embedded dashboard includes your embedding domain, and the browser referrer matches.
5. Check CORS and X-Frame-Options settings.
6. If using async queries, ensure embedding and Superset are on the same domain.
7. Review any RLS rules for errors.
If you still see 403s, please share your guest token payload (with secrets redacted), your superset_config.py embedding-related settings, and the network request details for the failing API call. This will help pinpoint the issue.
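The first checklist item (signature, expiry, audience and dashboard scope of the guest token) as an added stdlib-only example, not code from this issue or from Superset itself: it signs a guest-token-style payload with HS256 and then lists every reason such a token would be rejected, which is a quick way to inspect a token before filing it with secrets redacted. The claim names (`user`, `resources`, `rls_rules`, `aud`, `exp`, `type`) follow Superset's guest-token layout as assumed here, and the secret, audience and dashboard uuid are constructed values.

```python
"""Sign and sanity-check a Superset-style guest token (HS256 JWT) with the stdlib only."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_guest_token(payload: dict, secret: str) -> str:
    """Build header.payload.signature the way an HS256 JWT library would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def check_guest_token(token: str, secret: str, audience: str, dashboard_uuid: str, now=None) -> list:
    """Return the reasons a token would be rejected; an empty list means it looks valid."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        problems.append("alg is not HS256 (GUEST_TOKEN_JWT_ALGO mismatch)")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        problems.append("signature does not verify with GUEST_TOKEN_JWT_SECRET")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp <= now)")
    if claims.get("aud") != audience:
        problems.append(f"aud {claims.get('aud')!r} != expected {audience!r}")
    if claims.get("type") != "guest":
        problems.append("type claim is not 'guest'")
    if "user" not in claims:
        problems.append("user claim missing")
    # The dashboard being embedded must be listed in the resources the token is scoped to.
    ids = {r.get("id") for r in claims.get("resources", []) if r.get("type") == "dashboard"}
    if dashboard_uuid not in ids:
        problems.append(f"dashboard {dashboard_uuid} not in resources {sorted(ids)}")
    return problems
```

Run `check_guest_token` against the token your backend hands to the SDK, with the same secret and audience as `superset_config.py`; any non-empty result maps directly onto one of the 403 causes above.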
Comment From: rusackas
I think the bot is correct. Moving this to Q&A since I believe this is a configuration issue rather than a Superset bug.