6

I'm building a web application that embeds a Data Studio report. The challenge I'm running into is that I would like to allow access to the report only from inside the web application. For this, what I have in mind is not to share the report and view the embedded report using an access token.

The documentation here explains that when calling Google APIs, you can attach the access token as a query parameter. This type of solution has worked with files from Google Drive; however, there is no official API to get a Data Studio report, so I thought that maybe calling the embedded link or the preview link and attaching the access token as a query param would do the trick, but it doesn't.

For example, let's say that the embedded url is:
https://datastudio.google.com/embed/reporting/0BxscwH5YAPRRMVRWYTZVOMMptbVk/page/m2YH

If I attempt to reach that url in the browser while logged in to Google with the user who is authorized to view the report, I get the data.

If I try to reach that url in the browser while logged in to Google with a user who DOES NOT have access to view the report, I get a message saying that it is not authorized... which is expected.

Now, I followed the steps right here and I was able to get an access token. I tried calling the url: https://datastudio.google.com/embed/reporting/0BxscwH5YAPRRMVRWYTZVOMMptbVk/page/m2YH?access_token=y29.jADSFhkjce0asdfaMDFaso but it doesn't work.

There is no documentation explicitly saying this should work. I'm just trying to overcome this challenge I'm facing. Does anyone know if there is a way to accomplish this?

P.S. I also tried with an access token that includes the Drive API scope, to no avail.

Morfinismo
  • Sorry for making this kind of comment (I am really hating myself for this), but why are you doing this? Why don't you just share the report for anyone with the link and embed it in your app? (without the link, nobody will access it) I don't think your 'hardcoded authentication mechanism' will be more or less secure than the random number that Google already gives for each report (=0BxscwH5YAPRRMVRWYTZVOMMptbVk). If it is for the challenge, go for it. But if it is not the case, I would suggest easier (and supported) alternatives. – Diego Queiroz Jan 28 '21 at 17:56
  • @DiegoQueiroz thanks for your suggestion. The problem is that it contains sensitive information. Some people inside the company have access to the url and they could share the url with other people. The goal is that if they share it, the other person won't be able to see it, hence the token strategy. – Morfinismo Jan 28 '21 at 23:45
  • But can't you just hide the URL from end users? What I do often when I need different permissions for a dashboard is to duplicate it. This way, the copy with restricted permissions you can share with your users. And the version with open permissions (but still requires the link), you can embed in your app and keep the URL hidden. The problem with your token strategy is that Google Authentication is supposed to be interactive. – Diego Queiroz Jan 29 '21 at 14:04
  • @DiegoQueiroz Creating a duplicate dashboard means double work, which is counterproductive due to the fact that the dashboard is being updated frequently. The Google authentication is not supposed to be interactive; in fact, there is a specific flow for that and it is called the server to server authorization, widely helpful in Google Workspace accounts. For now, we are looking into a solution outside of Data Studio. Thanks for your advice, very kind! – Morfinismo Jan 29 '21 at 14:21
  • I would call one of the reports the main report and change only it. Every time it is changed, I'd duplicate it and delete the previous one. Obviously, it is not an elegant solution, but it does the job. – Diego Queiroz Jan 29 '21 at 14:45
  • Any update on this one? – Mihir Mehta Apr 26 '21 at 10:13

2 Answers

0

I don't think this is possible. Data Studio authentication is handled by a different mechanism than the API.

Notice that you don't even need to enable the Data Studio API to embed a report. This is because they're different things. It is similar to using a Gmail API token to access your Gmail account: it is not supposed to work.

When you get an access token, you acquire it for a specific need (which is the Data Studio API scope). The Data Studio API is very simple and only allows you to search Reports/DataSources and manage permissions (it is a kind of extension to the Google Drive API). Currently, it doesn't allow you to interact with reports.

Diego Queiroz
0

The only solution so far is to implement Row Level Filtering. Basically, this solution consists of implementing your own authentication mechanism and your own data display based on the token. Implementing a tutorial step by step is very time-consuming but the documentation contains all the details at a high level. That should be enough to get you started.

Morfinismo
  • Were you able to implement this token? I have the same requirement. If my understanding is correct, the token passed with the embed url will be decrypted to know which user is trying to access it? I already have an authentication mechanism. But I am not sure what the token in the embed URL should contain. Thanks! – pau_learnstocode Jun 10 '21 at 07:18
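
An added sketch (not code from either poster and not a Data Studio API) of the kind of token the row-level-filtering answer implies: the application's own backend signs who may view which report and until when, then verifies that before returning any rows. The claim names (`sub`, `rid`, `exp`), the `viewer` column, the key and the sample rows are all assumptions constructed for illustration; the token is signed, not encrypted.

```python
import base64, hashlib, hmac, json

# Constructed demo key (assumption); load a random secret from server-side config.
SECRET = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_embed_token(email: str, report_id: str, now: int, ttl: int = 300) -> str:
    """Sign the viewer, the report they may see, and a short expiry."""
    payload = json.dumps({"sub": email, "rid": report_id, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_embed_token(token: str, report_id: str, now: int):
    """Return the viewer's email, or None if the token must be rejected."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:                      # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # verify before parsing claims
        return None
    claims = json.loads(payload)
    if claims["rid"] != report_id or now >= claims["exp"]:
        return None                         # other report, or expired link
    return claims["sub"]

def rows_for_token(rows, token, report_id, now):
    """Row-level filter: rows owned by the verified viewer, otherwise nothing."""
    viewer = verify_embed_token(token, report_id, now)
    return [r for r in rows if viewer is not None and r["viewer"] == viewer]

# Constructed sample data (assumption): each row names the user allowed to see it.
ROWS = [
    {"viewer": "alice@example.com", "region": "north", "revenue": 120},
    {"viewer": "bob@example.com", "region": "south", "revenue": 95},
    {"viewer": "alice@example.com", "region": "east", "revenue": 40},
]
```

Because the identity is inside the signed payload and the expiry is short, a URL forwarded to someone else stops working after `ttl` seconds and never exposes rows belonging to anyone but the original viewer.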