Bug description
Version: 5.0.0 Docker startup
1. Log in using `/api/v1/security/login`

```shell
curl --location 'http://10.23.22.245/api/v1/security/login' \
--header 'Content-Type: application/json' \
--data '{ "username": "test", "password": "ddddd", "provider": "db", "refresh": true }'
```

Response:

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6dHJ1ZSwiaWF0IjoxNzU1MjIzODU0LCJqdGkiOiIzODFkM2Y5NC03OTc2LTQwZGEtYjE2Yy1mNTRmNzRkYTE2NmIiLCJ0eXBlIjoiYWNjZXNzIiwic3ViIjoiMiIsIm5iZiI6MTc1NTIyMzg1NCwiY3NyZiI6IjFiMjNmMjkyLWE2OWEtNDNmNS1hMzg0LWY4NjcyMTYxMTc5YSIsImV4cCI6MTc1NTIyNDc1NH0.HY4RMs76eqI-krt1T03vUa5ZPwRSkd96KOUoJsj9-gw",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc1NTIyNDAwNCwianRpIjoiN2Q5MWU4ZmEtOGIyNS00ZjMzLWEwNmQtMTJmN2NjMWNmMGVhIiwidHlwZSI6InJlZnJlc2giLCJzdWIiOiIyIiwibmJmIjoxNzU1MjI0MDA0LCJjc3JmIjoiOWFlNDU0ZjktZTdmYy00MTZiLTliNGMtMTRiYzJmMzg1NWIxIiwiZXhwIjoxNzU3ODE2MDA0fQ.c_Lh9RjgiUyaCq-J3ulaeaLFVly5yjq7UzgayNAPYv8"
}
```

2. Log in using the access_token generated in the previous step

```shell
curl --location 'http://10.23.22.245/api/v1/security/guest_token/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6dHJ1ZSwiaWF0IjoxNzU1MjIzODU0LCJqdGkiOiIzODFkM2Y5NC03OTc2LTQwZGEtYjE2Yy1mNTRmNzRkYTE2NmIiLCJ0eXBlIjoiYWNjZXNzIiwic3ViIjoiMiIsIm5iZiI6MTc1NTIyMzg1NCwiY3NyZiI6IjFiMjNmMjkyLWE2OWEtNDNmNS1hMzg0LWY4NjcyMTYxMTc5YSIsImV4cCI6MTc1NTIyNDc1NH0.HY4RMs76eqI-krt1T03vUa5ZPwRSkd96KOUoJsj9-gw' \
--data '{ "user": { "username": "test", "first_name": "test", "last_name": "test" }, "resources": [{ "type": "dashboard", "id": "2fedddd9-ddddd-496f-979d-08fc0d0ac5dc" }], "rls": [] }'
```

Response:

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoidGVzdCIsImZpcnN0X25hbWUiOiJ0ZXN0IiwibGFzdF9uYW1lIjoidGVzdCJ9LCJyZXNvdXJjZXMiOlt7InR5cGUiOiJkYXNoYm9hcmQiLCJpZCI6IjJmZTgyZGI5LTQ4YTgtNDk2Zi05NzlkLTA4ZmMwZDBhYzVkYyJ9XSwicmxzX3J1bGVzIjpbXSwiaWF0IjoxNzU1MjI0MTAwLjgxMTU4OCwiZXhwIjoxNzU1MjI3NzAwLjgxMTU4OCwiYXVkIjoiaHR0cDovLzAuMC4wLjA6ODA4MC8iLCJ0eXBlIjoiZ3Vlc3QifQ.wHpvEoDNysTNrxybeRqMtG_1hkpZTmkNf2waRlEMXJw"
}
```

3. Use the token from the previous step to get the embedded dashboard information. Both methods failed.

The first method:

```shell
curl --location 'http://10.23.22.245/api/v1/dashboard/' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoidGVzdCIsImZpcnN0X25hbWUiOiJ0ZXN0IiwibGFzdF9uYW1lIjoidGVzdCJ9LCJyZXNvdXJjZXMiOlt7InR5cGUiOiJkYXNoYm9hcmQiLCJpZCI6IjJmZTgyZGI5LTQ4YTgtNDk2Zi05NzlkLTA4ZmMwZDBhYzVkYyJ9XSwicmxzX3J1bGVzIjpbXSwiaWF0IjoxNzU1MjI0MDg3LjE0Nzk0NzgsImV4cCI6MTc1NTIyNzY4Ny4xNDc5NDc4LCJhdWQiOiJodHRwOi8vMC4wLjAuMDo4MDgwLyIsInR5cGUiOiJndWVzdCJ9.DccLZk0Axnu6gRcJWPDWjVCWnyj1izKOB395_Ir_TW4'
```

Response:

```json
{ "msg": "Signature verification failed" }
```

Second method:

```shell
curl --location 'http://10.23.22.245/api/v1/dashboard/2fe82db9-48a8-496f-979d-08fc0d0ac5dc/' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoidGVzdCIsImZpcnN0X25hbWUiOiJ0ZXN0IiwibGFzdF9uYW1lIjoidGVzdCJ9LCJyZXNvdXJjZXMiOlt7InR5cGUiOiJkYXNoYm9hcmQiLCJpZCI6IjJmZTgyZGI5LTQ4YTgtNDk2Zi05NzlkLTA4ZmMwZDBhYzVkYyJ9XSwicmxzX3J1bGVzIjpbXSwiaWF0IjoxNzU1MjI0MDg3LjE0Nzk0NzgsImV4cCI6MTc1NTIyNzY4Ny4xNDc5NDc4LCJhdWQiOiJodHRwOi8vMC4wLjAuMDo4MDgwLyIsInR5cGUiOiJndWVzdCJ9.DccLZk0Axnu6gRcJWPDWjVCWnyj1izKOB395_Ir_TW4' \
--header 'Cookie: session=eyJsb2NhbGUiOiJ6aCJ9.aJ6Yuw.9cbARisMQDrU7b00iSTV03b2tZ4'
```

Response:

```json
{
  "errors": [
    {
      "message": "404 Not Found: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.",
      "error_type": "GENERIC_BACKEND_ERROR",
      "level": "error",
      "extra": {
        "issue_codes": [
          { "code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error." }
        ]
      }
    }
  ]
}
```
4. `superset_config.py` is configured as follows

```python
import os

MAPBOX_API_KEY = "thisISaSECRET_1234"
CACHE_CONFIG = {
    "CACHE_TYPE": "RedisCache",
    "CACHE_DEFAULT_TIMEOUT": 300,
    "CACHE_KEY_PREFIX": "superset_",
    "CACHE_REDIS_HOST": "redis",
    "CACHE_REDIS_PORT": 6379,
    "CACHE_REDIS_DB": 1,
    "CACHE_REDIS_URL": "redis://redis:6379/1",
}
# The "**" dict-unpacking operators were eaten by markdown rendering; restored here.
FILTER_STATE_CACHE_CONFIG = {**CACHE_CONFIG, "CACHE_KEY_PREFIX": "superset_filter_"}
EXPLORE_FORM_DATA_CACHE_CONFIG = {**CACHE_CONFIG, "CACHE_KEY_PREFIX": "superset_explore_form_"}
SQLALCHEMY_DATABASE_URI = "postgresql+psycopg2://superset:test@db:5432/test"
SQLALCHEMY_TRACK_MODIFICATIONS = True

BABEL_DEFAULT_LOCALE = "zh"
LANGUAGES = {
    "en": {"flag": "us", "name": "English"},
    "zh": {"flag": "cn", "name": "Chinese"},
}

SECRET_KEY = "CRET_1234"
FEATURE_FLAGS = {
    "ENABLE_TEMPLATE_PROCESSING": True,
    "EMBEDDED_SUPERSET": True,
    "EMBEDDABLE_CHARTS": True,
    "DASHBOARD_RBAC": False,
}
GUEST_ROLE_NAME = "test_role"
GUEST_TOKEN_JWT_SECRET = "SECRET_2343"
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 3600

WTF_CSRF_ENABLED = False
OVERRIDE_HTTP_HEADERS = {'X-Frame-Options': 'ALLOWALL'}
TALISMAN_ENABLED = False
ENABLE_CORS = True
# The '*' wildcards were consumed as markdown emphasis; restored here.
CORS_OPTIONS = {
    'supports_credentials': True,
    'allow_headers': ['*'],
    'resources': ['*'],
    'origins': ['*'],
}
FAB_ADD_SECURITY_API = True
DEBUG = True
```
5. `GUEST_ROLE_NAME = "test_role"` is configured with the following permissions

- can read on Chart
- can write on Chart
- can read on Dataset
- can read on Dashboard
- can write on Dashboard
- can read on Database
- can this form get on ResetMyPasswordView
- can this form post on ResetMyPasswordView
- can userinfo on UserDBModelView
- resetmypassword on UserDBModelView
- can get on OpenApi
- can show on SwaggerView
- can get on MenuApi
- can list on AsyncEventsRestApi
- can read on AdvancedDataType
- can read on AvailableDomains
- can invalidate on CacheRestApi
- can export on Chart
- can write on DashboardFilterStateRestApi
- can read on DashboardFilterStateRestApi
- can read on DashboardPermalinkRestApi
- can write on DashboardPermalinkRestApi
- can cache dashboard screenshot on Dashboard
- can get embedded on Dashboard
- can export on Dashboard
- can delete embedded on Dashboard
- can read on EmbeddedDashboard
- can read on Explore
- can write on ExploreFormDataRestApi
- can read on ExploreFormDataRestApi
- can read on ExplorePermalinkRestApi
- can write on ExplorePermalinkRestApi
- can read on Tag
- can write on Tag
- can bulk create on Tag
- can format sql on SQLLab
- can estimate query cost on SQLLab
- can list on DynamicPlugin
- can show on DynamicPlugin
- can query on Api
- can time range on Api
- can query form data on Api
- can get on Datasource
- can external metadata by name on Datasource
- can external metadata on Datasource
- can list on SavedQuery
- can dashboard on Superset
- can log on Superset
- can explore json on Superset
- can explore on Superset
- can slice on Superset
- can fetch datasource metadata on Superset
- can dashboard permalink on Superset
- can list on Tag
- can tags on TagView
- can recent activity on Log
- can read on SecurityRestApi
- can grant guest token on SecurityRestApi
- can read on RowLevelSecurity
- menu access on Home
- menu access on Data
- menu access on Databases
- menu access on Dashboards
- menu access on Charts
- menu access on Datasets
- menu access on Plugins
- menu access on Tags
- can csv on Superset
- can share dashboard on Superset
- can share chart on Superset
- can view query on Dashboard
- can view chart as table on Dashboard
- can drill on Dashboard
- can tag on Chart
- can tag on Dashboard
Help me find out what the problem is.
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
The issue is that guest_token authentication for embedded dashboards only works with the `/embedded/<dashboard_uuid>` endpoint, not with the `/api/v1/dashboard/` or `/api/v1/dashboard/<id>/` endpoints. You need to:

- Make sure your dashboard is published and has an embedded configuration (check in the Superset UI or via `/api/v1/dashboard/<id>/embedded`).
- Use the dashboard's UUID (not the integer ID) in both the guest_token's `resources` and the `/embedded/<dashboard_uuid>` endpoint.
- When accessing the embedded dashboard, send the guest_token in the `X-GuestToken` header (not `Authorization: Bearer`) to `/embedded/<dashboard_uuid>`.
- Ensure the guest_token's `aud` claim matches your Superset config (or the default audience), and that the secret/algorithm are correct.

If you use the wrong endpoint or header, you'll get signature errors or 404s. The permissions for your guest role look correct. If you still have issues, double-check the dashboard's published status and embedded config, and review Superset logs for more details.
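The header/secret point above can be checked offline. The following is an added example (not code from the issue or from Superset): a minimal stdlib HS256 sign/verify that mints a guest token with the `GUEST_TOKEN_JWT_SECRET` from the config in step 4 and shows that it fails under `SECRET_KEY` (the key Flask-JWT-Extended checks `Authorization: Bearer` tokens against, which is why step 3 returned `Signature verification failed`) and fails the audience check under a wrong `aud`; `peek_claims` decodes, without verifying, the guest token returned in step 2 so its `type` and `aud` claims can be read. The example payload is constructed; the two secrets and the audience are taken from the issue.

```python
import base64
import hashlib
import hmac
import json

# From the issue: the two secrets in superset_config.py and the aud carried by the step-2 token.
SECRET_KEY = "CRET_1234"                 # checks Authorization: Bearer tokens (Flask-JWT-Extended)
GUEST_TOKEN_JWT_SECRET = "SECRET_2343"   # signs guest tokens, which belong in the X-GuestToken header
GUEST_AUDIENCE = "http://0.0.0.0:8080/"  # aud claim inside the guest token returned in step 2
PAGE_GUEST_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoidGVzdCIsImZpcnN0X25hbWUiOiJ0ZXN0IiwibGFzdF9uYW1lIjoidGVzdCJ9LCJyZXNvdXJjZXMiOlt7InR5cGUiOiJkYXNoYm9hcmQiLCJpZCI6IjJmZTgyZGI5LTQ4YTgtNDk2Zi05NzlkLTA4ZmMwZDBhYzVkYyJ9XSwicmxzX3J1bGVzIjpbXSwiaWF0IjoxNzU1MjI0MTAwLjgxMTU4OCwiZXhwIjoxNzU1MjI3NzAwLjgxMTU4OCwiYXVkIjoiaHR0cDovLzAuMC4wLjA6ODA4MC8iLCJ0eXBlIjoiZ3Vlc3QifQ.wHpvEoDNysTNrxybeRqMtG_1hkpZTmkNf2waRlEMXJw"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder (example code, not Superset's own)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying, to inspect type/aud/exp while debugging."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: str, audience: str) -> dict:
    """Check the signature first, then the audience, as a guest-token validator does."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("Signature verification failed")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != audience:
        raise ValueError("Invalid audience")
    return claims

def check(token: str, secret: str, audience: str) -> str:
    """Return 'ok' or the error text, so the three outcomes can be compared side by side."""
    try:
        verify_hs256(token, secret, audience)
        return "ok"
    except ValueError as err:
        return str(err)

# A guest token minted the way the server would; the payload is a constructed example.
GUEST_TOKEN = sign_hs256({"user": {"username": "test"}, "rls_rules": [], "type": "guest",
                          "resources": [{"type": "dashboard", "id": "2fe82db9-48a8-496f-979d-08fc0d0ac5dc"}],
                          "aud": GUEST_AUDIENCE}, GUEST_TOKEN_JWT_SECRET)
```

`check(GUEST_TOKEN, SECRET_KEY, GUEST_AUDIENCE)` reproduces the step-3 message, while the same token verifies under the guest secret and the right audience.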