User Authentication in Embed

When working with embedded Miro boards, it is important that users work with their own authentication. This ensures that access and content management remain consistent, and avoids creating permissions gaps.

Currently, there is no API for developers to authenticate users in Embed. Instead, Miro handles the authentication via 3rd-party cookies, and the embedded board reflects the access level of the Miro board. For example, if a user has view access to a Miro board, then they will have view access on that embedded board.

Prompting the user to authenticate

A user may be prompted to sign-in to Miro in the following cases:

In both cases, the Miro sign-in page is opened. The page can be opened in a new tab, in a new browser window, or in a pop-up. The Miro sign-in page cannot be opened in an iframe, as a security precaution.

After the user authentication via the Miro interface is completed, an authentication cookie will be added to the browser's local storage and the user will be redirected back to the previous window.

Using POST-message-based authentication

Sometimes users work in environments where 3rd-party cookies are blocked or are not shared with the targeted iframe, such as with incognito browsers, WebViews, or Electron apps.

In this case, the Miro authentication mechanism should automatically recognize the situation and use a POST message to share the authentication cookie directly with the iframe. For this to succeed, POST messages must be enabled within the application where the iframe sits (e.g. within your Electron App).

If you want to force POST-message-based authentication, please add the usePostAuth=true URL parameter to your embed URL.


Did this page help you?