Secure data access in data-driven widgets
Introduction
Secure data access is a critical aspect of modern data-driven widgets, ensuring that sensitive information is protected while enabling seamless data integration and visualization.
Up to firmware version 4.8.7, SpinetiX's data-driven widgets rely on the Cockpit Channels service for secure data access. Starting with firmware version 4.9.0, SpinetiX introduces a new cloud service called “Connectors”, part of the SpinetiX Hub platform and fully integrated with Elementi.
Comparison and transition
Both services provide a robust authorization mechanism to protect data integrity and prevent unauthorized access, allowing users to connect their widgets to various data sources and ensuring that data is securely transmitted and displayed.
So why two different services for the same purpose?
The new “Connectors” service is providing users with more options for data integration and visualization, such as the Power BI connector, plus the facility to share their connections with fellow members of their SpinetiX cloud account. To use the new service, simply link your Elementi project and your players to the same SpinetiX cloud account. Note that players must run at least DSOS 4.8.4, preferably the latest DSOS version.
The legacy Cockpit Channels service remains available for use in existing projects and legacy setups, but users are encouraged to update their players firmware and their Elementi software to take full advantage of the new system offering enhanced functionality, improved security, and a broader range of data integration options.
Authorization mechanism
SpinetiX uses OAuth 2.0 industry-standard protocol for authorization, providing secure access to resources without exposing user credentials. OAuth2 works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that user account. It's important to note that user credentials are never stored on SpinetiX servers. Instead, OAuth 2 tokens are used to authenticate and authorize access, ensuring that your credentials remain secure and private.
Key components
- Resource Owner: The end-user who authorizes an application to access their account.
- Resource Server: The server (e.g., Microsoft, Google, etc.) hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- Authorization Server: The server (e.g., Microsoft, Google, etc.) issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
- Client: SpinetiX Connectors or Cockpit Channels service requesting access to the user's account with its authorization, and data-driven widgets requesting data from the Resource Server.
OAuth2 flow
- The Resource Owners must first grant permission to the SpinetiX app to connect to a third-party provider (e.g., Microsoft, Google) on their behalf.
- Once done, the Authorization Server issues an authorization code and an OAuth2 refresh token as part of the standard OAuth 2.0 authorization flow. These credentials are securely stored in the SpinetiX Cloud and are never shared with players, Elementi, or Resource Servers. They are used exclusively to obtain short-lived access tokens from the Authorization Server.
- When a data-driven widget needs to display protected resources from a Resource Server (e.g., Microsoft, Google), the player/Elementi requests an access token from the SpinetiX Connectors or Cockpit Channels service.
- The cloud service verifies whether the client is authorized to access the requested resource (e.g., the player is linked to a SpinetiX cloud account with a valid authorization for the corresponding connector). If authorized, it returns a valid access token – either retrieved from its cache or freshly obtained from the Authorization Server.
- The player or Elementi then uses this access token to make a protected resource request to the Resource Server and retrieve the required data.
Connectors
Supported connectors
The following connectors are supported:
- Office 365 Connector
- Flickr Connector
- Google Connector
- PowerBI Connector
- Viva Engage Connector
Link third-party account and authorize SpinetiX app
To create a new connection to a third-party data provider account, follow these steps:
- Open Elementi, click the Menu icon on the toolbar, and select “Settings” ▶ “Manage connectors...” option.
Menu ‣ Settings - If prompted, sign in with your SpinetiX Cloud user, SSO, Google, or Facebook.
Log into cloud dialog - In the “Select account” dialog, listing all the cloud accounts your user is part of, select the one in which the new connection should be created. Click 🆗.
Select cloud account - In the “Manage connectors” dialog, click the “Add...” button.
Manage connectors dialog (empty) - Acknowledge the
Warning: “By adding a connector, you allow access to all users of your cloud account to the contents of that connector”. - Choose the connector you want to link from the list of available connectors. Click 🆗.
Select connector dialog - Follow the on-screen instructions to authorize the SpinetiX app to access your data.
Connect Office 365 account - After authorization, the connector will be linked to your cloud account, and you can use it with your data-driven widgets.
Manage connectors dialog with Office 365
.png)
.png)
Reauthorize connection
In most cases, the reauthorization is transparently handled by SpinetiX cloud, but there might be cases when your intervention is necessary. To manually reauthorize an existing connection, follow the same steps as above, but select a service from the list and click the “Renew...” button.
Remove connection
At any time, you can disconnect any third-party data provider account and thus prevent access to your data from all players registered to your account. To remove an existing connection, select a service from the list shown in the “Manage connectors” dialog, and click the “Delete...” button.
Cockpit Channels
The following third-party data providers are supported by Cockpit:
- Flickr
- Microsoft
- Yammer