
How are token expiration and rotation handled in Bold BI?


Bold BI implements various token management strategies for both server-level authentication and embedding scenarios. Understanding how these tokens expire and rotate is crucial for maintaining secure applications.

Server-Level Access Tokens

Bold BI supports multiple types of access tokens at the server level:

Generation Methods:

  • Through Bold BI server UI: Access tokens can be generated in the user profile section.
  • Via REST API: Tokens can also be generated programmatically.

Expiration Settings:

  • UI-generated tokens: These tokens provide flexibility to set custom expiration periods and can also be configured to never expire.
  • API-generated tokens: These tokens have a fixed expiration period of 7 days.

Rotation Strategy:

  • There is no automatic rotation mechanism in place.
  • Users can generate up to 2 API keys simultaneously.
  • When a token is nearing expiration, a new one must be generated manually.
  • Both old and new tokens will function until their respective expiration times.

Embedding Scenarios

Bold BI handles tokens differently for embedding, with variations between JavaScript and iframe embedding.

JavaScript Embedding Tokens

Token Types:

  • Authorize API Token: Generated when the BoldBI.create() method is called.
  • Direct Access Token: Can be provided directly via the token parameter.

Expiration Settings:

  • Authorize API tokens: Customizable using the expirationTime parameter (default: 1 day, maximum: 7 days).
  • Direct access tokens: The expiration depends on the token generation method (7-45 days).

Rotation Strategy:

  • There is no built-in automatic rotation.
  • It is recommended to implement token caching on the server to avoid unnecessary token generation.
  • Tokens should be cached until they expire, and new ones should be generated only when needed.

iFrame Embedding Tokens

Token Generation:

  • Tokens are created by signing the embed parameters with the HMACSHA256 algorithm (a keyed hash over the parameters, produced with the embed secret).

Expiration Settings:

  • By default: Tokens are valid for an indefinite period.
  • With embed_timestamp: Tokens are valid for 6 days from the timestamp.
  • With embed_expirationtime: Tokens can be limited further (from 86,400 seconds/1 day to 518,400 seconds/6 days).

Security Features:

  • embed_nonce: A random GUID that prevents URL reconstruction attacks.
  • Domain and IP restrictions can be applied for additional security.
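As an added example (not code from this article or from Bold BI itself), the following Python sketch shows how an embedding server signs an iframe query with embed_nonce, embed_timestamp and embed_expirationtime, and how the receiving side checks the signature and the time window. The canonical form that Bold BI actually signs (parameter order, encoding, where embed_signature is appended), the secret and the sample parameters are assumptions here; confirm them against the product documentation before relying on this.

```python
import base64
import hashlib
import hmac
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Bounds stated in the article: embed_expirationtime may range from 1 day
# (86,400 s) to 6 days (518,400 s); with embed_timestamp alone a token lives 6 days.
MIN_EXPIRATION, MAX_EXPIRATION = 86_400, 518_400


def sign_embed_query(secret: str, params: dict, now: int, expiration: Optional[int] = None) -> str:
    """Add embed_nonce / embed_timestamp (/ embed_expirationtime) and an HMAC-SHA256 signature.

    Assumed (not from the article): the MAC covers the whole query string that precedes
    embed_signature and is appended base64-encoded.
    """
    if expiration is not None and not MIN_EXPIRATION <= expiration <= MAX_EXPIRATION:
        raise ValueError("embed_expirationtime must be between 86400 and 518400 seconds")
    signed = dict(params)
    signed["embed_nonce"] = str(uuid.uuid4())  # fresh random GUID per URL, as the article describes
    signed["embed_timestamp"] = now
    if expiration is not None:
        signed["embed_expirationtime"] = expiration
    query = urlencode(signed)
    mac = hmac.new(secret.encode(), query.encode(), hashlib.sha256).digest()
    return f"{query}&embed_signature={base64.b64encode(mac).decode()}"


def verify_embed_query(secret: str, signed_query: str, now: int) -> bool:
    """Server-side check: signature intact (constant-time compare) and validity window not elapsed."""
    query, sep, sig = signed_query.rpartition("&embed_signature=")
    if not sep:
        return False
    expected = base64.b64encode(hmac.new(secret.encode(), query.encode(), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, sig):
        return False
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    if "embed_timestamp" not in fields:
        return True  # no timestamp: indefinite validity, the article's default
    issued = int(fields["embed_timestamp"])
    ttl = int(fields.get("embed_expirationtime", MAX_EXPIRATION))
    # The 6-day ceiling applies even if a larger embed_expirationtime slipped through.
    return issued <= now < issued + min(ttl, MAX_EXPIRATION)
```

Running the two functions together shows why embed_timestamp matters: without it a leaked URL stays valid forever, while a signed one with embed_expirationtime stops verifying as soon as the window closes.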

Best Practices for Token Management

  • Implement Token Caching: Store tokens server-side until they expire, using an in-memory cache or another caching mechanism, and parse the expiration time from the token response so the cache entry is dropped at the right moment.

  • Secure Your Tokens: For iframe embedding, use domain and IP restrictions. Set appropriate expiration times based on security requirements. Never expose tokens in client-side code except when necessary for embedding.

  • Handle Expiration Gracefully: Implement logic to detect expired tokens, generate new tokens when needed, and provide a seamless experience when token rotation occurs.


Written by Dhanasekaran Ekambaram