Embed Apps + OAuth

When using an App Embedding, as per the docs, using a resource which requires OAuth doesn't work.

It fails in a similar way to how a public app link would, but this isn't a public app link; I've generated an authenticated embed URL using the API:

Here is the error: JsonWebTokenError: jwt malformed

Is this a permission issue with the user or something? How do I use an Authenticated resource in an embedded app?

Hi @LeoAdamek

Thanks for reaching out!

:thinking: Does the app typically have a popup encouraging the user to log in or do you have an auth login component?

What is the API that you're using?

I'll do some testing on my side as well

I'm also seeing this issue and we're using OAuth 2.0.

There isn't a popup, but the url changes and redirects back to the app after authentication. :thinking:

any update on this please, I am also blocked with this issue.
@Tess @retool-team

1 Like

Hi @Evan_Keith & @hamzarabah

Can you both share the scope you've set for your token?

Is this happening for a Cloud or self hosted account? I'm linking our documentation for custom domains and our docs for auth in embedded apps just in case

Just want to confirm that this is the behavior that you're seeing: the user is able to authenticate and access the embedded Retool app, but then they are not able to authenticate into a specific resource? If the user accesses the app directly in Retool, they're able to successfully authenticate to the resource? Is this happening for all users?

Authenticating in Retool should be entirely separate from Retool Embed. The Embed URL that is returned from a POST request to get an Embed URL shouldn’t require any authentication; it’s expected that authentication will be handled by the application where you are embedding Retool.

We have a similar scenario. We use OAuth to authenticate with a resource. When using the Retool editor / app, the user is able to use our OAuth flow to authenticate to the OpenAPI resource that we have configured and everything works fine. When we use Retool Embed with an embed URL (that we obtained from making a call on our backend to /api/embed-url/external-user), we get the error JsonWebTokenError: jwt must be provided displayed in the embed frame. We are using the self-hosted option.

Note that if I open up our Retool app and have already authenticated the resource and then refresh the page that has the embed URL, it will work fine (because it is already authenticated), but the whole point of embed for us is to make sure that users don't have to log in twice. So this at least means the URL is valid; it's just the authentication piece that's not working for embed.

Also, I notice that when the Retool app is open on its own, when authentication is attempted and viewing the network traffic to Retool, a call is made to POST /api/obtainAuthorizationToken that completes with a 200. When the same app is running in embed, the Retool call to POST /api/obtainAuthorizationToken fails out with a 401. This seems like maybe a bug within Retool?

1 Like

Hi @Tess ,
The scope for the token was set according to the documentation ("App: Embed").
For me this is happening for a Cloud account.
Actually, the issue we are facing is the same as @chris_enter describes it here.

Thanks so much for these helpful details! Our embed team was able to narrow this issue down to a Retool bug :confused: I'll post back here if I get any updates on shipping a fix!

1 Like

We are also experiencing this issue, except we have no workaround. Even logging into Retool and authenticating prevents the embed from working correctly at all.

Thanks for letting us know, @victory :disappointed: I don't have an eta for a fix yet, but I will let the team know that another user is running into this!

I am also experiencing this issue out of the blue.
My business app is completely useless without this REST API resource.
I'd appreciate an ETA as soon as you have one.
Many thanks.

@Tess Hello,
Do you have any updates on this? ETA is really appreciated.
Many thanks.

Hi @hamzarabah Not yet :disappointed: It's something we are targeting to fix before the end of the year, but I'm not able to provide a specific timeline or guarantee

Hi all,

Just wanted to clarify a few things here in case people are still trying to use Retool Embed or in case others come across this post :blush:

1) We have an internal request to correctly support using Retool Embed with apps that have resources with user based authentication (OAuth). Once this is supported, end users will be able to authenticate using your external auth system to access your Retool pages and then they can do additional OAuth for resources as needed.

2) You can currently authenticate a resource query in a Retool Embed app, such as a REST API query, by passing in an access token from your parent app authentication. You'll add the access token as custom metadata on the current_user & then, in each resource query's headers, you can pass the current_user's token dynamically. It's a bit tedious to set up the dynamic headers for each query, but hopefully, this approach will enable builders who need their queries to return different data based on the app user.

3) For enterprise users that are already using one of our custom SSO methods, you may be able to solve your use case without needing to use Retool Embed (more info here) by embedding a direct link for a Retool application. As long as your parent page + the resource instance use the same SAML or OIDC SSO method, you can go ahead and embed your app without using Retool Embed (i.e. embed your regular app link in an iframe without going through the process of generating a Retool Embed token + creating an embed URL) and still avoid the "double login." If using an OIDC-based custom SSO method, you can configure Resources to use the access and ID tokens from your IdP to authenticate requests (docs).

1 Like
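The workaround in point 2 of the reply above, as an added example that is not Retool's code and not from anyone in this thread: a backend helper that mints an embed URL through POST /api/embed-url/external-user and carries the parent app's OAuth access token along as current_user metadata, plus the header value each resource query then uses. The host, the RETOOL_EMBED_TOKEN environment variable, the sessionDurationMinutes field and the user data are assumptions for illustration; check the request-body field names against the current embed docs before relying on them.

```javascript
// Added example (not Retool's own code): mint a Retool Embed URL server-side,
// passing the parent app's OAuth access token as current_user metadata so the
// embedded app's resource queries can send it as a dynamic Authorization header.
//
// Assumptions (not from the thread): RETOOL_EMBED_TOKEN holds an API token with
// the "App: Embed" scope, RETOOL_HOST is your Retool instance, and the body
// field names (landingPageUuid, externalIdentifier, userInfo, groupIds,
// metadata, sessionDurationMinutes) match Retool's embed-url API.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the JSON body for POST /api/embed-url/external-user.
function buildEmbedRequest({ appUuid, user, accessToken, groupIds = [], sessionMinutes = 60 }) {
  if (!UUID_RE.test(appUuid)) throw new Error("appUuid must be the app's UUID");
  if (!user || user.id === undefined || !user.email) throw new Error("user.id and user.email are required");
  if (typeof accessToken !== "string" || accessToken.length === 0) {
    throw new Error("accessToken must be a non-empty string");
  }
  if (!groupIds.every((g) => Number.isInteger(g))) throw new Error("groupIds must be integers");
  return {
    landingPageUuid: appUuid,
    externalIdentifier: String(user.id), // stable id from *your* auth system, not the email
    userInfo: { firstName: user.firstName ?? "", lastName: user.lastName ?? "", email: user.email },
    groupIds,
    sessionDurationMinutes: sessionMinutes, // keep short: the token lives as long as the session
    // Readable inside the app as {{ current_user.metadata.accessToken }}.
    metadata: { accessToken },
  };
}

// Build the fetch() arguments; separated from the network call so it is testable offline.
function buildEmbedFetch(body, { host, embedApiToken }) {
  if (!embedApiToken) throw new Error("missing Retool embed API token");
  return {
    url: `${host.replace(/\/$/, "")}/api/embed-url/external-user`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${embedApiToken}` },
      body: JSON.stringify(body),
    },
  };
}

// Server-side only: the embed API token must never be shipped to the browser.
async function mintEmbedUrl(opts, env = process.env, fetchImpl = globalThis.fetch) {
  const { url, init } = buildEmbedFetch(buildEmbedRequest(opts), {
    host: env.RETOOL_HOST,
    embedApiToken: env.RETOOL_EMBED_TOKEN,
  });
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`embed-url request failed with HTTP ${res.status}`);
  const { embedUrl } = await res.json();
  if (typeof embedUrl !== "string") throw new Error("embed-url response had no embedUrl");
  return embedUrl; // becomes the iframe src in the parent page
}

// Header value to put on each resource query in the Retool editor; Retool
// evaluates the {{ }} template per user when the query runs.
const QUERY_AUTH_HEADER = "Bearer {{ current_user.metadata.accessToken }}";

// Constructed sample input, so the block runs stand-alone.
const SAMPLE_BODY = buildEmbedRequest({
  appUuid: "11111111-2222-4333-8444-555555555555",
  user: { id: 42, email: "ada@example.com", firstName: "Ada", lastName: "Lovelace" },
  accessToken: "constructed-parent-app-access-token",
  groupIds: [7],
});
```

The token is readable by every query in that app for the life of the embed session, so mint it with the narrowest scope the resource accepts and keep the session short. This only covers queries that take a bearer header; it does not make the resource's own OAuth flow work inside the embed, which is the bug the thread is about.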

Hi @Tess ,
Do you have an update on the first point that you have mentioned?

Hi there, unfortunately, it hasn't been picked up for a fix yet :disappointed: I'll post back here if I get any internal updates

Can you confirm if this is still unsupported? The documentation on docs.retool.com pitches embedded Retool apps as the solution for using your application's authentication system with Retool. If it is still unsupported, please remove that functionality from the documentation.

Hi @tvls Thanks for checking in. We still have a bug where resource OAuth isn't working on embedded apps.

In the meantime, you can still use Embed to use your application's authentication system to auth end users into your Retool org, but you'll be limited to apps with resources that don't require having the user go through an OAuth flow.

Thank you for the update. That's very unfortunate as this is a key use-case for us and therefore a deal-breaker on a full-fledged deployment.