Live Embed authentication
Board access rights
Embedding a Miro board via a direct link requires the same access rights as the board that you're embedding:
- If a user can access a Miro board by opening it in their web browser, they can also access the corresponding embedded version.
- If a user doesn't have the required permissions to access a board, they're also unable to view the corresponding embedded version.
- If a user's web browser is configured to block third-party cookies, they need to sign in each time they want to access the board.
Specific board access rights per user
To grant users additional permissions to access an embedded board, you can set BoardsPicker action
to access-link
.
This enables granting ad-hoc permissions to access a board that are enforced when the board is embedded.
For example, users who normally have read-only access to a board can be granted edit rights in the embedded version of the board.
For more information, see the documentation about the BoardsPicker component.
User access to embedded boards
When working with embedded Miro boards, it is important that users work with their authentication. This ensures that access and content management remain consistent, and it avoids creating permissions gaps.
Currently, there is no API for developers to authenticate users in a Live Embed board. Instead, Miro handles the authentication via third-party cookies, and the embedded board reflects the access level of the Miro board.
For example, if a user has read-only access to a Miro board, then they have read-only access also to the embedded board.
Prompt for user authentication
A user can be prompted to sign in to Miro in the following cases:
- Via a sign-in button on an embedded board.
- When opening the BoardsPicker component.
In both cases, the Miro sign-in page is opened. The page can be opened in a new tab, in a new browser window, or in a pop-up. The Miro sign-in page cannot be opened in an iframe, as a security precaution.
After the user authentication via the Miro interface is completed, the user is redirected back to the previous window.
POST
message authentication
POST
message authenticationThe Miro authentication mechanism uses a POST
message to share the authentication cookie directly with the iframe.
To succeed, POST
messages must be enabled in the application where the embedded board iframe exists (for example, in an Electron app).
To force POST
message authentication, add the usePostAuth=true
URL parameter to the board embed URL.