Bold BI embedding supports group-based authorization for OAuth 2.0 and OpenID providers. With this support, you can configure and import your OAuth or OpenID groups into the Bold BI server without importing the users of the group. However, every user from the group can access the Bold BI dashboard.
Before embedding, review these essential guides:
Let’s take a look at the configuration settings for Azure AD, OAuth 2.0 and OpenID import, importing the group, and granting access to that group.
To have Azure AD connect support, you would need to configure the Azure AD in Bold BI server. Please follow these steps provided in the link.
The following link explains how to connect with the Bold BI application.
To have support for OAuth 2.0 connect, you will need to configure OAuth 2.0 in the Bold BI server. Please follow the steps provided in the link.
The following is a list of a few OAuth 2.0 providers, and it explains how to connect with the Bold BI application.
For OpenID connect support, you would need to configure the OpenID in Bold BI server, follow these steps in the link.
The following is a list of a few OAuth 2.0 providers, and it explains how to connect with the Bold BI application.
After configuring your providers, you need to import your group into the Bold BI server. Follow these respective links to import the groups.
Then, you need to provide access to your imported group. Follow these steps in the link, which will help your users to access and embed the dashboard.
Now, you need to configure as shown below to use group-based authorization.
v13.1
Node
const express = require('express');
const crypto = require('crypto');
const https = require('https');
const http = require('http');
const app = express();
app.post('/tokenGeneration', function (req, res) {
// Required details
const serverUrl = "<Bold BI Server URL>";
const siteIdentifier = "<Site Identifier>";
const serverApiUrl = serverUrl + "/api/" + siteIdentifier;
const dashboardId = "<Dashboard Id>";
const embedSecret = "<Embed Secret Key>";
// Other required details
const useremail = "<User Email>"; // Email of the third party user (not in Bold BI)
const authProviderName = "<Auth Provider Name>";
const userId = "<User Id>";
// Build query string
let queryString = "embed_nonce=" + crypto.randomUUID();
queryString += "&embed_dashboard_id=" + dashboardId;
// Add group-based authorization details to the query string
queryString += "&embed_group_access=true"; // This property enables group-based authorization embedding.
queryString += "&embed_auth_provider=" + authProviderName; // Provide auth provider name
queryString += "&embed_user_id=" + userId; // User id of the user
queryString += "&embed_user_email=" + useremail;
// Sign query string
const embedSignature = "&embed_signature=" + getSignatureUrl(queryString, embedSecret);
const embedDetailsUrl = "/embed/authorize?" + queryString + embedSignature;
// Request token from Bold BI server
const serverProtocol = new URL(serverApiUrl).protocol === 'https:' ? https : http;
serverProtocol.get(serverApiUrl + embedDetailsUrl, function (resultContent) {
let str = '';
resultContent.on('data', chunk => { str += chunk; });
resultContent.on('end', function () {
const resultJson = JSON.parse(str);
if (resultJson?.ApiStatus && resultJson.Data?.access_token) {
res.json({ access_token: resultJson.Data.access_token });
} else {
res.status(500).json({ error: "Failed to generate embed token" });
}
});
});
});
// Helper function: Sign query string using embedSecret
function getSignatureUrl(queryString, embedSecret) {
const hmac = crypto.createHmac('sha256', Buffer.from(embedSecret));
return hmac.update(queryString).digest('base64');
}Example:
For GlobalOAuth:
&embed_group_access=true&embed_auth_provider=GlobalOAuth&embed_user_id=1212121212&[email protected]
For GlobalOpenID:
&embed_group_access=true&embed_auth_provider=GlobalOpenID&embed_user_id=auth0|5dbc1ac0835a7c0e18724875&[email protected]
For AzureAD:
&embed_group_access=true&embed_auth_provider=AzureAD&embed_user_id=cda791a1-3dec-4e52-a70c-38323aafe256&[email protected]
v14.1
Node
var http = require("http");
var https = require("https");
var express = require('express');
var cors = require('cors');
var app = express();
app.use(cors());
// Parse JSON bodies (as sent by API clients)
app.use(express.json());
app.post('/tokenGeneration', function (request, response) {
const embedDetails = {
serverurl: "<Bold BI Server URL>",
siteidentifier: "<Site Identifier>",
dashboard: {
id: "<Dashboard Id>"
},
embedsecret: "<Embed Secret Key>",
email: "<Third Party User Email>",
groupbasedauthorization: {
isenabled: true,
userid: "<User Id>",
authprovidername: "<Auth Provider Name>"
}
}
const parsedUrl = new URL(embedDetails.serverurl);
const postData = JSON.stringify(embedDetails);
const client = parsedUrl.protocol === 'https:' ? https : http;
const options = {
hostname: parsedUrl.hostname,
port: parsedUrl.port || (parsedUrl.protocol === 'https:' ? 443 : 80),
path: `${parsedUrl.pathname}/api/${embedDetails.siteidentifier}/embed/authorize`,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(postData)
}
};
const authRequest = client.request(options, authResponse => {
let result = '';
authResponse.setEncoding('utf8');
authResponse.on('data', chunk => result += chunk);
authResponse.on('end', () => {
const resultparse = JSON.parse(result);
response.send(resultparse?.Data?.access_token);
});
});
authRequest.on('error', (e) => {
console.error("Error fetching embed token:", e.message);
});
authRequest.write(postData);
authRequest.end();
});Example:
For AzureAD:
email: "[email protected]",
groupbasedauthorization: {
isenabled: true,
userid: "cda791a1-3dec-4e52-a70c-38323aafe256",
authprovidername: "AzureAD"
}| Parameter (v13.1) | Parameter (v14.1) | Description |
|---|---|---|
| embed_group_access | groupbasedauthorization: { isenabled: } | This parameter needs to set as true to enable the group-based authorization. |
| embed_auth_provider | groupbasedauthorization: { authprovidername: } | This parameter value indicates which auth provider you are using in embedding.
Following are the values for different auth providers: |
| AzureAD – Set this if you have configured AzureAD | ||
| TenantOAuth – Set this if you have configured OAuth at the tenant level TenantOpenID – Set this if you have configured OpenID at the tenant level |
||
| GlobalOAuth – Set this if you have configured OAuth at the global level GlobalOpenID – Set this if you have configured OpenID at the global level |
||
| WindowsAD – Set this if you have configured WindowsAD | ||
| None – Set this if you aren’t using any auth providers | ||
| embed_user_id | groupbasedauthorization: { userid: } | Need to set your user id, which used in your provider for this user |
| embed_user_email | Need to set your user mail, which used in your provider for this user |
NOTE: The previous UserID and UserEmail would act as the password for users of each provider in Bold BI.
| Amazon Cognito | Set the user email as embed_user_id and embed_user_email |
| Auth0 | - Set the user id as embed_user_id - Set the user email as embed_user_email |
| Okta | |
| OneLogin |
Enable this feature to dynamically import users from external identity provider groups when they access embedded dashboards. This ensures users inherit group permissions without being manually added to the Bold BI server.
For more details, refer to the Enabling user import with group-based authorization
The sample applications for ASP.NET Core, ASP.NET MVC, and Angular can be downloaded from the following links. Once downloaded, you can update your group access, authentication provider, user id, and user email in the authorization server code block.