From 228b93f2ca96ba1dcd34cac606580dbc3e924076 Mon Sep 17 00:00:00 2001 From: Bryant Howell - ThoughtSpot <83678239+bryanthowell-ts@users.noreply.github.com> Date: Mon, 26 Jan 2026 10:31:12 -0600 Subject: [PATCH 1/3] Update trusted-auth-sdk.adoc Removed outdated "username" property and added "autoLogin: true" to the examples, since we recommend them at all times with Trusted Auth --- modules/ROOT/pages/trusted-auth-sdk.adoc | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/modules/ROOT/pages/trusted-auth-sdk.adoc b/modules/ROOT/pages/trusted-auth-sdk.adoc index eb3b02805..331dc851c 100644 --- a/modules/ROOT/pages/trusted-auth-sdk.adoc +++ b/modules/ROOT/pages/trusted-auth-sdk.adoc @@ -17,6 +17,8 @@ Cookie-based authentication, specified using `AuthType.TrustedAuthToken`, uses t For the request to be *secure*, the user in the browser cannot modify the request or make their own valid request to the *token request service* in a way that requests a token for any other user. +The `autoLogin: true` property in the `init()` function causes the Visual Embed SDK to request a new token before the token or the session expires, so that a user never sees the ThoughtSpot embed component in a signed-out state. + == Define token request service There are two options in the `init()` function to define the request to the *token request service*: `authEndpoint` or `getAuthToken`. @@ -40,8 +42,8 @@ The callback function must return a *Promise* that resolves with the *login toke ---- init({ thoughtSpotHost: "<%=tshost%>", - authType: AuthType.TrustedAuthToken, - username: "UserA", + authType: AuthType.TrustedAuthTokenCookieless, + autoLogin: true, getAuthToken: () => { // fetch() returns a Promise naturally. Assumes a JSON response from the token request service with a 'token' property return fetch('https://my-backend.app/ts-token') @@ -57,8 +59,7 @@ You can even use the callback function to reference a hard-coded login token, in ---- init({ thoughtSpotHost: "<%=tshost%>", - authType: AuthType.TrustedAuthToken, - username: "", + authType: AuthType.TrustedAuthTokenCookieless, getAuthToken: () => { let tsToken = '{long-lived-token}'; return Promise.resolve(tsToken); @@ -105,7 +106,8 @@ let tsToken; // global scope to store token for other REST API requests init({ thoughtSpotHost: tsURL, authType: AuthType.TrustedAuthTokenCookieless, - getAuthToken: getAuthToken + getAuthToken: getAuthToken, + autoLogin: true }); function async getAuthToken { @@ -146,8 +148,8 @@ function async getAuthToken { init({ thoughtSpotHost: "", authType: AuthType.TrustedAuthToken, - username: "", authEndpoint: "https://authenticator-server:/endpoint", + autoLogin: true }); ---- @@ -156,7 +158,7 @@ init({ init({ thoughtSpotHost: "", authType: AuthType.TrustedAuthToken, - username: "", + autoLogin: true, getAuthToken: () => { return fetch('https://my-backend.app/ts-token') .then((response) => response.json()) @@ -172,6 +174,7 @@ init({ thoughtSpotHost: "", authType: AuthType.TrustedAuthTokenCookieless, authEndpoint: "https://authenticator-server:/endpoint", + autoLogin: true }); ---- @@ -181,6 +184,7 @@ init({ init({ thoughtSpotHost: "", authType: AuthType.TrustedAuthTokenCookieless, + autoLogin: true, getAuthToken: () => { return fetch('https://my-backend.app/ts-token') .then((response) => response.json()) From f3925e499ddcf61192e34167f385ae491484abf2 Mon Sep 17 00:00:00 2001 From: ShashiSubramanya Date: Thu, 29 Jan 2026 20:05:44 +0530 Subject: [PATCH 2/3] typo fixes --- modules/ROOT/pages/trusted-auth-sdk.adoc | 70 ++++++++++++------------ 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/modules/ROOT/pages/trusted-auth-sdk.adoc b/modules/ROOT/pages/trusted-auth-sdk.adoc index 331dc851c..7c48ad2e0 100644 --- a/modules/ROOT/pages/trusted-auth-sdk.adoc +++ b/modules/ROOT/pages/trusted-auth-sdk.adoc @@ -13,11 +13,11 @@ When `init()` is called, the SDK checks if there is an existing ThoughtSpot sess Cookieless authentication, specified using `AuthType.TrustedAuthTokenCookieless`, uses the token as a bearer token for all subsequent requests to ThoughtSpot, without establishing a session in the browser. -Cookie-based authentication, specified using `AuthType.TrustedAuthToken`, uses the token to create a session in the browser immediately, and does not use the token afterward, instead relying on the established session with the ThoughtSpot instance. +Cookie-based authentication, specified using `AuthType.TrustedAuthToken`, uses the token to create a session in the browser immediately. It does not use the token afterward; instead, it relies on the established session with the ThoughtSpot instance. For the request to be *secure*, the user in the browser cannot modify the request or make their own valid request to the *token request service* in a way that requests a token for any other user. -The `autoLogin: true` property in the `init()` function causes the Visual Embed SDK to request a new token before the token or the session expires, so that a user never sees the ThoughtSpot embed component in a signed-out state. +The `autoLogin: true` property in the `init()` function causes the Visual Embed SDK to request a new token before the current token or the session expires, so that a user never sees the embedded ThoughtSpot component in a signed-out state. == Define token request service There are two options in the `init()` function to define the request to the *token request service*: `authEndpoint` or `getAuthToken`. @@ -53,7 +53,7 @@ init({ }); ---- -You can even use the callback function to reference a hard-coded login token, in a testing or other appropriate situation. Remember, it must return a Promise that resolves with the token: +You can even use the callback function to reference a hard-coded login token in a testing or other appropriate situation. Remember, it must return a Promise that resolves with the token: [source,JavaScript] ---- @@ -91,7 +91,7 @@ The Visual Embed SDK provides a link:https://developers.thoughtspot.com/docs/Fun Please see the documentation on xref:rest-apiv2-js.adoc[REST API V2.0 within a browser] for further explanation and example code. === Multiple user sessions in one browser -Cookieless authentication is also useful for scenarios where the embedding application allows for being logged into multiple user accounts in different tabs, or quick switches between users. Cookie-based authentication restricts the whole browser to a single logged-in user per ThoughtSpot instance, while cookie-less allows each tab to use a different token without conflicts. +Cookieless authentication is also useful for scenarios where the embedding application allows for being logged into multiple user accounts in different tabs, or quick switches between users. Cookie-based authentication restricts the whole browser to a single logged-in user per ThoughtSpot instance, while cookieless allows each tab to use a different token without conflicts. == Code examples The only difference between cookie-based trusted authentication and cookieless authentication in the `init()` function is the value used for the `authType` property. @@ -105,39 +105,39 @@ The following example shows a custom callback function with a custom request usi let tsToken; // global scope to store token for other REST API requests init({ thoughtSpotHost: tsURL, - authType: AuthType.TrustedAuthTokenCookieless, + authType: AuthType.TrustedAuthTokenCookieless, getAuthToken: getAuthToken, autoLogin: true - }); +}); function async getAuthToken { - const tokenURL = tokenServiceURL + "/gettoken/"; - console.log("calling token server at " + tokenURL); - - const timeoutSecs = 5 * 1000; // seconds to milliseconds - - const response = await timeout(timeoutSecs, fetch( - tokenURL, - { - method: 'POST', - mode: 'cors', - cache: 'no-cache', - headers: { - // This Token Request Service returns the token as a plain-text string - 'Content-Type': "text/plain", - // Custom header for passing a JWT with auth details from the web app to the token request service - // Instead the token request service may have access to a user session with the details - 'X-Auth-Token': authJWT - }, - credentials: 'include' - } - )) - - // Token request service returns plain-text string of the token - // set the global tsToken variable for using the token for separate REST API requests - tsToken = response.text(); - // Must return for the Promise to be completed - return response.text() + const tokenURL = tokenServiceURL + "/gettoken/"; + console.log("calling token server at " + tokenURL); + + const timeoutSecs = 5 * 1000; // seconds to milliseconds + + const response = await timeout( + timeoutSecs, + fetch(tokenURL, { + method: 'POST', + mode: 'cors', + cache: 'no-cache', + headers: { + // This Token Request Service returns the token as a plain-text string + 'Content-Type': "text/plain", + // Custom header for passing a JWT with auth details from the web app to the token request service + // Instead the token request service may have access to a user session with the details + 'X-Auth-Token': authJWT + }, + credentials: 'include' + }) + ) + + // Token request service returns plain-text string of the token + // set the global tsToken variable for using the token for separate REST API requests + tsToken = response.text(); + // Must return for the Promise to be completed + return response.text() } ---- @@ -163,7 +163,7 @@ init({ return fetch('https://my-backend.app/ts-token') .then((response) => response.json()) .then((data) => data.token); - }); +}); ---- === Cookieless authentication examples @@ -190,5 +190,5 @@ init({ .then((response) => response.json()) .then((data) => data.token); } - }); +}); ---- From d6fac03a00dc037727e5019708da697e8420175c Mon Sep 17 00:00:00 2001 From: ShashiSubramanya Date: Thu, 29 Jan 2026 20:32:44 +0530 Subject: [PATCH 3/3] edits --- modules/ROOT/pages/trusted-auth-sdk.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/trusted-auth-sdk.adoc b/modules/ROOT/pages/trusted-auth-sdk.adoc index 7c48ad2e0..56275764a 100644 --- a/modules/ROOT/pages/trusted-auth-sdk.adoc +++ b/modules/ROOT/pages/trusted-auth-sdk.adoc @@ -27,9 +27,9 @@ The `authEndpoint` parameter of the `init()` function specifies a URL for a dire Any authentication details must be included by the browser in this automated GET request, typically in the cookies. -It is *insecure* to allow specifying the username of the desired login token in the URL called by `authEndpoint`, because any user could request tokens for other users. Instead, the *token request service* itself must be able to determine which user is logged in from the backend. +It is *insecure* to allow specifying the username of the desired login token in the URL called by `authEndpoint`, because any user could request tokens for other users. Instead, the *token request service* must determine the logged-in user from the backend. -Cookies are not sent across domains (only to sub-domains), so your *token request service* must be *hosted in the same domain* as the embedding application. +Cookies are not sent across domains (only to subdomains), so your *token request service* must be *hosted in the same domain* as the embedding application. If you need more control beyond a GET request, use `getAuthToken` instead to define a customized request.