Area: UI Issues
Sub-Area: Chrome Extension / Looker Integration Authentication
Issue
When using the DataHub Chrome extension embedded within Looker, users may encounter an unexpected authentication behavior: after clicking "Sign In" inside the DataHub sidebar, they are redirected to the full DataHub data catalog in a new page rather than remaining in Looker with the sidebar refreshed to show the asset summary inline. The intended behavior is for authentication to complete within a popup window, the popup to close automatically, and the user to stay in the Looker interface with the embedded DataHub sidebar updating to reflect their logged-in state. This redirect behavior is most commonly caused by Chrome's third-party cookie blocking setting, which prevents the Chrome extension — running in the context of Looker's domain — from reading DataHub session cookies needed to confirm that the user is authenticated.
Error Messages
Popup was blocked. Please allow popups for this site.
You Might Be Asking
- Why does clicking "Sign In" in the DataHub Looker sidebar open the full DataHub catalog instead of staying in Looker?
- Why does the DataHub Chrome extension not recognize that I am already logged in when I use it inside Looker?
- Does the DataHub Looker Chrome extension require third-party cookies to be enabled?
- How do I allow third-party cookies for Looker so the DataHub Chrome extension works correctly?
Solution
The DataHub Chrome extension embedded in Looker uses cookie polling to detect when a user has successfully authenticated. Because the extension runs on Looker's domain but needs to read cookies set by DataHub's domain, the browser treats these as third-party cookies. If Chrome is configured to block third-party cookies, the extension cannot detect the authenticated session and may fall back to redirecting the parent window to the DataHub catalog instead of refreshing the sidebar inline.
Choose one of the following remediation options:
-
Option A: Add a third-party cookie exception for Looker in Chrome
This is the recommended approach, as it scopes the exception to Looker only rather than enabling third-party cookies globally.
- Open Chrome and navigate to Settings → Privacy and security → Third-party cookies.
- Under the section "Sites allowed to use third-party cookies", click Add.
- Enter the following pattern to allow all Looker subdomains:
[*.]looker.com - Click Add to save the exception.
- Reload the Looker page and attempt to sign in via the DataHub sidebar again.
-
Option B: Temporarily enable third-party cookies globally (not recommended for production)
For testing or verification purposes only, you can disable the "Block third-party cookies" setting globally in Chrome:
- Open Chrome and navigate to Settings → Privacy and security → Third-party cookies.
- Select "Allow third-party cookies".
- Reload the Looker page and test the DataHub sign-in flow.
- Re-enable blocking after confirming this resolves the issue, then use Option A to add a scoped exception.
-
Verify the fix
After applying either option above, confirm the correct behavior:
- Clicking "Sign In" in the DataHub sidebar opens a small popup window for SSO authentication.
- After completing authentication, the popup closes automatically.
- The user remains in Looker, and the DataHub sidebar refreshes to display the asset summary inline.
- The user is not redirected away from Looker to the full DataHub catalog.
-
If popups are blocked by the browser or Looker's Content Security Policy (CSP)
If the user sees a "Popup was blocked" message, or no popup appears at all and the redirect still occurs, the browser or Looker's CSP may be blocking
window.open()calls from the extension's iframe context. In this case:- Ensure Chrome's popup blocker is not active for the Looker domain. Navigate to Settings → Privacy and security → Site Settings → Pop-ups and redirects and add your Looker instance URL to the allowed list:
https://<your-looker-instance>.looker.com - Test in an incognito window with no other browser extensions active to rule out extension conflicts.
- Contact DataHub Support if the issue persists after both cookie and popup exceptions are configured, as a CSP-level configuration review may be required.
- Ensure Chrome's popup blocker is not active for the Looker domain. Navigate to Settings → Privacy and security → Site Settings → Pop-ups and redirects and add your Looker instance URL to the allowed list:
Additional Notes
The DataHub Chrome extension uses an embedded iframe served at /embed/* routes within Looker. The authentication flow relies on a popup-based SSO mechanism (introduced to specifically prevent iframe navigation away from Looker) and cookie polling to detect session state. Both mechanisms require that third-party cookies are readable by the extension when running on Looker's domain. This behavior is not specific to any particular SSO provider — it applies to any identity provider used with DataHub's SSO/OAuth flow. Ensure that the Chrome extension is kept up to date, as authentication flow improvements are released regularly. If your organization enforces Chrome managed policies that block third-party cookies at a fleet level, work with your IT or browser management team to add a policy-level exception for [*.]looker.com.
Related Documentation
Tags: chrome-extension, looker-integration, third-party-cookies, sso, oauth, authentication, embed, sidebar, popup-blocked, cookie-policy