Cookieless authentication in ThoughtSpot Everywhere

What is cookieless authentication?

Amidst growing concerns around user privacy and regulatory laws, the cookieless paradigm has been gaining momentum over time in digital advertising. In addition, web browsers are increasingly blocking third-party cookies altogether in web sessions, which creates a need for new authentication methods in web applications.

Cookieless authentication is a secure way to verify user identities in web applications without relying on cookies. This method, also known as token-based authentication, generates encrypted tokens that are used to validate and maintain user sessions. These tokens are transmitted securely between the client and the server, ensuring the safety of user information.

Why this matters in embedded analytics

Many customers of ThoughtSpot Everywhere integrate the platform and its features into their own data products and applications. They often use Trusted Authentication to verify user identities as seen in the process below: 

However, in these scenarios, web browsers see the embedded analytics platform as a third-party application. This could result in restricted access to ThoughtSpot’s authentication cookies (for example in Safari), preventing logins and session management between the host application and ThoughtSpot Everywhere.

Using cookieless authentication in ThoughtSpot Everywhere

With the 9.3.0.cl release of ThoughtSpot Analytics Cloud, ThoughtSpot Everywhere customers can now use Cookieless Authentication in their authentication process, bypassing session cookies altogether. With this method, you can also use your own authenticator service which returns a bearer token, generated using the secret key obtained from ThoughtSpot. Bearer tokens are stored in the application memory and used for all API calls to ThoughtSpot Everywhere.

If you are already using Trusted Authentication in the Visual Embed SDK, all you need to do is change the authType attribute to TrustedAuthTokenCookieless in the initialization code and you’re all set. For example:

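import { init, AuthType } from '@thoughtspot/visual-embed-sdk';

// Option 1: the SDK fetches the token from your authenticator endpoint.
init({
    thoughtSpotHost: "https://<hostname>:<port>",
    authType: AuthType.TrustedAuthTokenCookieless,
    authEndpoint: "https://authenticator-server:<port>/endpoint",
});

// Option 2: supply a callback that returns a promise resolving to the token.
init({
    thoughtSpotHost: "<ThoughtSpot-Host-URL>",
    authType: AuthType.TrustedAuthTokenCookieless,
    getAuthToken: () => {
        return fetch('https://my-backend.app/ts-token')
            .then((response) => response.json())
            .then((data) => data.token);
    },
});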
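
A hardened variant of the getAuthToken callback, as an added example that is not from the original post or the Visual Embed SDK: it keeps the bearer token only in application memory, refreshes it before expiry, shares one request between parallel callers, and rejects error responses instead of handing an undefined token to the SDK. The createTokenProvider name, the expiresInSec response field and the 30-second refresh margin are assumptions; the backend URL is the one used in the example above.

```javascript
// Added example. createTokenProvider and the { token, expiresInSec } response
// shape are assumptions for illustration, not part of the Visual Embed SDK.
function createTokenProvider({ url, fetchImpl = globalThis.fetch, now = Date.now, skewMs = 30000 }) {
  let cached = null;   // { token, expiresAt } lives only in this closure, never in web storage
  let inFlight = null; // shared promise so parallel callers trigger a single request

  async function requestToken() {
    const response = await fetchImpl(url, { method: 'GET', cache: 'no-store' });
    if (!response.ok) {
      // Fail closed: an error page must never be parsed as a token.
      throw new Error(`token endpoint returned HTTP ${response.status}`);
    }
    const data = await response.json();
    if (typeof data.token !== 'string' || data.token.length === 0) {
      throw new Error('token endpoint response has no token');
    }
    // Without a usable lifetime the token is treated as already stale,
    // so the next call fetches a fresh one.
    const ttlMs = Number.isFinite(data.expiresInSec) ? data.expiresInSec * 1000 : 0;
    cached = { token: data.token, expiresAt: now() + ttlMs };
    return cached.token;
  }

  return function getAuthToken() {
    // Reuse the in-memory token until it is within skewMs of expiring.
    if (cached && now() < cached.expiresAt - skewMs) {
      return Promise.resolve(cached.token);
    }
    if (!inFlight) {
      inFlight = requestToken().finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Usage with the SDK (not executed here):
// init({
//     thoughtSpotHost: "<ThoughtSpot-Host-URL>",
//     authType: AuthType.TrustedAuthTokenCookieless,
//     getAuthToken: createTokenProvider({ url: 'https://my-backend.app/ts-token' }),
// });
```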

In this walkthrough, Nicolas Rentz, Senior Director of Product Management, demonstrates how cookieless authentication works and the outcomes on different browsers:

Other benefits of cookieless authentication

Unlike other authentication methods that rely on cookies to store user session information, cookieless authentication ultimately eliminates the need for them when verifying user identities in web applications. Not only does this approach bypass third-party cookie browser restrictions, but it also offers other benefits, including:

Enhanced security and privacy: With cookies, sensitive data such as session information and user identifiers are typically stored locally, making them potentially vulnerable to unauthorized access or theft. Since cookieless authentication works by leveraging tokens, only a secret key can be used to create authentication tokens and validate them when received on the server side. This approach invariably improves user privacy by reducing the amount of personally identifiable information (PII) stored on the client side.

Greater compatibility across platforms and devices: As cookies are often tied to specific browsers or applications, they may not function properly or be accessible across all platforms. Cookieless authentication, on the other hand, relies on alternative mechanisms such as JSON Web Tokens (JWTs), OAuth, or bearer tokens, which are typically platform-independent, making them more seamless across environments and mobile devices.

Scalable and stateless: Cookieless authentication supports stateless communication between the client and server. Without the need to store session information on the server side, it becomes easier to scale and distribute authentication services across multiple servers or even cloud environments. This scalability allows for efficient handling of high user traffic loads and improves the overall performance and responsiveness of the authentication process.

Cookieless authentication + ThoughtSpot

With cookieless authentication now available in ThoughtSpot Analytics Cloud 9.3.0.cl, we hope that it offers more flexibility in your unique embedding and authentication scenarios. For more information, explore our open source Embed SDK and developer documentation on all supported authentication models available to you today.

If you are new to ThoughtSpot Everywhere, it empowers product builders to create engaging, interactive experiences that get to market much faster than a home-grown feature set. You can use our embedded analytics toolkit to embed AI-Powered Analytics in your data products to give your users a live, intuitive natural language search experience combined with AI and free-form data exploration. Plus, you get done-for-you analytics services, robust APIs, and interactive developer resources your team will love.

See for yourself—go ahead and explore ThoughtSpot Everywhere right now. Or, if you’re curious about implementing ThoughtSpot Everywhere in your data products, you can start a free trial today.