Document how a web app would use JWT with Tableau

[lwrubel]

If we set up a Rails app which would handle authentication and authorization for passing to Tableau via JWT?

1. How would we mint the JWT and pass to Tableau?
2. What authorization would need to be set up for the public / Stanford / "business case" groups?

[edsu]

I watched this 15 min video which helped me understand better how JWT works generally. There is also good Tableau documentation for the Connected Apps which describes how JWT is used for embedding Tableau visualizations.

The basic idea is that servers use a shared secret to sign and verify user metadata that is stored Base64 encoded in the browser as a JSON Web Token (JWT) either as a cookie or in LocalStorage or even just in the HTML of a page. The token is then sent as an Authorization HTTP header when the browser issues requests to embed the resources requiring authorization.

This means that different servers (e.g. tableau.stanford.edu and rialto.stanford.edu) do not need to share a global session store in order to authorize a user's access to a resource. They simply use the shared secret key to verify the signature on the JWT token to know whether the user is authorized or not. You can place arbitrary metadata in the payload of the token, but it is simply Base64 encoded so it IS NOT designed for storing information that is meant to be kept secret.

It's my understanding that once UIT creates the Tableau Connected App they will send us the configuration information we need in order to mint JWT for Tableau. Since this configuration includes a secret shared with tableau.stanford.edu this minting operation will need to happen server side in our web application. You can see a Python example of what this minting process looks like here: https://github.com/tableau/connected-apps-jwt-samples/blob/main/python/get_jwt.py There should be a Ruby equivalent we can extrapolate from that if needed.

The Tableau token can include a list of "dynamic" groups, which Tableau will use to control what authorized users can see. I think we will want to define three Tableau groups "public", "stanford" and "rialto" which correspond to the different levels of access we would like to have. We will also want to define a "rialto" Shibboleth group that includes users that we have designated as "business case" access. If tableau.stanford.edu allows us to flag visualizations as completely open maybe we don't need the "public" category at all.

I think the simplest way to start would be, when responding to a request for a page with a tableau visualization:

1. Determine what type of user is making the request by looking in the HTTP headers.
   1. If X-Remote-User is missing they are in group public
   2. If X-Remote-User is present they are in groups public and stanford
   3. If X-Remote-User is set and X-Groups includes rialto they are in groups public, stanford and rialto.
2. Create a Tableau JWT using the appropriate groups.
3. Include the JWT in the rendered HTML with the Tableau Web Component.

<tableau-viz id="tableauViz"       
  src='https://my-server/views/my-workbook/my-view'
  token="JWT_TOKEN_HERE">
</tableau-viz>

Alternatively we can use the Tableau JavaScript API to embed the visualization by fishing the JWT token out of a Cookie or LocalStorage. But then I think we will need to add server side logic that sets these and also checks for when the JWT is expired, and needs to be regenerated. The longest Tableau Server allows the JWTs to live is 10 minutes.