4 Replies Latest reply on Mar 30, 2015 6:20 AM by Tamas Foldi

    X-Tableau-Auth in REST API

    Gopinath Srirangan

      Hi,

      Per the online guide for the REST API,

      Signing In

      The Tableau Server REST API requires an authentication token to be sent with each API call.

      The token should be sent with all requests as the header X-Tableau-Auth. For example:

       

      Content-Type: text/xml

      X-Tableau-Auth: d14a028c2a3a2bc9476102bb288234c4

       

      You can retrieve a token by completing a Sign In call and parsing the token out of the response payload. The token should be stored in your application logic and reused until the session ends.

      Sample code is provided in the file example.py. It demonstrates how to make a Sign In call and parse the returned token.

      A Sign Out call ends the session and invalidates the token.

       

      Question.

      Is there a way to get X-Tableau-Auth other than Signing In?

      I'm concerned about using the admin password in a config file.

       

      I tried sending trusted auth token but it doesn't work.

       

      Thanks

      Gopi

        • 1. Re: X-Tableau-Auth in REST API
          Russell Christopher

          No. There is no way to get an authentication token other than to authenticate.

           

          Perhaps you could simply encrypt the admin password in your config file and decrypt same in your code before using it? There are any number of design patterns (that don't have much to do with Tableau) that deal with "keeping a password safe". You can read about them, pick your favorite, and apply the technique in question.

          • 2. Re: X-Tableau-Auth in REST API
            Tamas Foldi

            Correct me if I am wrong, but X-Tableau-Auth is equal to workgroup_session_id - thus you can obtain it via trusted auth.

            I did not test it, but it seems logical to me.

            • 3. Re: X-Tableau-Auth in REST API
              Russell Christopher

              Heya!

               

              Totally correct. Didn't mention that as I figured most won't want to go after the value inside the cookie...and the fact that knowing how to store / encrypt / protect sensitive information like a password should be part of every developer's toolbox - so it doesn't make a lot of sense (to me anyway) to do something "un-natural" just to avoid storing the password. Just my opinion, though.

              • 4. Re: X-Tableau-Auth in REST API
                Tamas Foldi

                Yes, you are right, but still, in some circumstances it is easier and more secure to use trusted authentication than a password-based one. Even if you store the passwords in the config files, you have to have the decryption algorithm on the same box (to be able to use your tool); thus, if you have access to the encrypted config, you will be able to see the source of the program which decrypts it -> you have everything to crack it.

                 

                Also, not sending plain text passwords on the network (if SSL is not enabled on the server) is generally a good idea.
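
The Sign In, token reuse and Sign Out cycle from the guide quoted in the question, as an added example that is not part of the thread or of Tableau's example.py. The `/api/2.0` version prefix, the `TableauSession` and helper names and the server URL are assumptions; the password is handed in by the caller (from a prompt or secret store) rather than read from a config file.

```python
import urllib.request
import xml.etree.ElementTree as ET

NS = {"t": "http://tableau.com/api"}   # namespace of tsResponse documents
API = "/api/2.0"                       # assumed API version for this sketch

def signin_payload(name, password, site=""):
    """Build the Sign In body; ElementTree escapes quotes and '<' in values."""
    req = ET.Element("tsRequest")
    cred = ET.SubElement(req, "credentials", name=name, password=password)
    ET.SubElement(cred, "site", contentUrl=site)
    return ET.tostring(req)

def parse_token(response_xml):
    """Return the token attribute of a Sign In response, or fail loudly."""
    cred = ET.fromstring(response_xml).find("t:credentials", NS)
    if cred is None or not cred.get("token"):
        raise ValueError("no token in Sign In response")
    return cred.get("token")

def http_post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()

class TableauSession:
    """Sign in once, reuse the token, sign out on exit so it is invalidated."""
    def __init__(self, server, name, password, site="", post=http_post):
        self.server, self.post = server.rstrip("/"), post
        self._login = (name, password, site)
        self.token = None

    def __enter__(self):
        body = signin_payload(*self._login)
        self._login = None             # drop the password once it is sent
        raw = self.post(self.server + API + "/auth/signin", body,
                        {"Content-Type": "text/xml"})
        self.token = parse_token(raw)
        return self

    def headers(self):
        return {"Content-Type": "text/xml", "X-Tableau-Auth": self.token}

    def __exit__(self, *exc):
        self.post(self.server + API + "/auth/signout", b"", self.headers())
        self.token = None

# Constructed sample response; the token value is the one in the quoted guide.
SAMPLE = (b'<tsResponse xmlns="http://tableau.com/api"><credentials '
          b'token="d14a028c2a3a2bc9476102bb288234c4"/></tsResponse>')
```

Inside a `with TableauSession(...) as s:` block, pass `s.headers()` on every subsequent call; leaving the block sends Sign Out, so a leaked token stops working once the script ends.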