GitHub user dosubot[bot] added a comment to the discussion: Embed not working after version upgrade from 5.0 to 6.0
Hi @sekarabishek! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

This is a known issue after upgrading to Superset 6.0, and several configuration changes or stricter checks may be causing the 403 Forbidden error with guest tokens.

Here’s a focused troubleshooting checklist:

- Make sure the EMBEDDED_SUPERSET feature flag is enabled and your dashboard is published and configured for embedding.
- Double-check your guest token: it must include the correct dashboard id/uuid in the resources claim, be signed with the correct secret and audience, and not be expired. The token must also include required claims like user, resources, rls_rules (even if empty), and type: guest. The dashboardId must be present in all chart data requests [ref](https://github.com/apache/superset/issues/33902) [ref](https://github.com/apache/superset/issues/36377).
- Your embedding domain must be listed in allowed_domains and Content Security Policy (frame-ancestors), and CORS must be enabled with proper settings in superset_config.py.
- The guest role (set by GUEST_ROLE_NAME) must have the "can log on Superset" permission. Without this, requests to /superset/log will be redirected to /login, causing 403 errors if /login is restricted [ref](https://github.com/apache/superset/issues/36186).
- If you use Row-Level Security (RLS) rules, make sure they reference only columns that exist in your dataset. Invalid RLS rules can cause 403 errors [ref](https://github.com/apache/superset/issues/32869).
- Superset 6.0 introduced fixes and changes to how guest tokens and embedding are handled, including stricter feature flag checks and guest token header handling. If you see errors about feature flags in the browser console, make sure your deployment includes the latest frontend and backend code and that feature flags are initialized properly [ref](https://github.com/apache/superset/pull/37367).

If you follow these steps and still see 403 errors, check the browser console and Superset logs for more specific error messages—they often point to the exact misconfiguration. For more details and examples, see the related discussions and issues:

- [Discussion on 403 errors after upgrade](https://github.com/apache/superset/discussions/33912)
- [Common guest token embedding errors](https://github.com/apache/superset/issues/36377)
- [Role permission fix for embedded SDK](https://github.com/apache/superset/issues/36186)

GitHub link: https://github.com/apache/superset/discussions/37781#discussioncomment-15727259
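
The guest-token item in the checklist above can be checked offline before a token ever reaches Superset. The following is an added example, not part of the comment or of Superset's code: it assumes the token is an HS256-signed JWT and that each `resources` entry has the shape `{"type": "dashboard", "id": "<uuid>"}`; the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

REQUIRED = ("user", "resources", "rls_rules", "type")  # claims the checklist names

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret, head, body):
    return hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Constructed-token helper for testing; stands in for your token-issuing service."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(secret, head, body))}"

def check_guest_token(token, secret, audience, dashboard_id, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, got = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except ValueError:
        return ["malformed token"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed token"]
    if header.get("alg") != "HS256":  # assumption: the deployment signs with HS256
        return ["unexpected alg: %r" % header.get("alg")]
    problems = []
    if not hmac.compare_digest(_mac(secret, head, body), got):
        problems.append("signature does not match the configured secret")
    problems += [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    if claims.get("type") != "guest":
        problems.append("type is not 'guest'")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    res = claims.get("resources")  # assumed shape: [{"type": "dashboard", "id": "<uuid>"}]
    res = res if isinstance(res, list) else []
    if not any(isinstance(r, dict) and r.get("type") == "dashboard"
               and str(r.get("id")) == str(dashboard_id) for r in res):
        problems.append("dashboard id not listed in resources")
    return problems
```

Run `check_guest_token(token, secret, audience, dashboard_uuid)` against a token issued by your own embedding backend; each returned string names one checklist item that the token fails.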
