When embedding as follows.
Widgets are not displayed in the iFrame, only website and segment selector.
This issue occurs when a non-authenticated user attempts to view the embed. If the user is logged in the view behaves as expected.
iframe embedded widgetized reports don't load when 2FA is activated for the user with this token_auth.
When a widgetize/report iframe embedding request is received by Matomo, and it has a valid
token_auth parameter, and Two factor auth is enabled for this user, then we expect reports to embed correctly (no 2fa token required).
module=Widgetizerequests should issue a friendly reminder "Embedding reports is not supported because Two-Factor auth is enabled. Please consider create a new user, give it only read only permissions to the website, disable two-factor auth for this user."
@mattab the embedded widgets should definitely work with token_auth. There's no reason it shouldn't work as the same data could be requested through the API with 2FA. And in Matomo 4 we will replace the token_auth with some app specific token or so which will then also have the same behaviour.
2fa user should be able to use Embedding report feature for sure.
There should be already some logic in there for this that any authentication through token_auth should be fine, also for widgets (I had tested this) but maybe there's some other problem with it.