emotix
Frequent Visitor

PowerBIClient Forbidden issue

Hi all,

 

We're investigating the use of Power BI embedded for our SaaS app. In our scenario, we own the data and our end users would be utilizing the reports as non-power-bi users.

 

I've been struggling for a few days now to craft a working sample. Some samples I've found are no longer working or are for the old power bi azure implementation that's led to dead ends; however, I've gotten to the point where I'm very close to simply embedding a report in our Power BI setup.

 

Below is a simple console app I've come up with, many parts are from various documentation articles. The token is obtained fine, but when the request is submitted, I receive HttpOperationException: Operation returned an invalid status code 'Forbidden'

 

    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Microsoft.PowerBI.Api.V2;
    using Microsoft.Rest;

    class Program
    {
        private static string clientId = "----";
        private static string secretKey = "----";
        private static string groupId = "----";

        static void Main(string[] args)
        {
            string resourceUri = "https://analysis.windows.net/powerbi/api";

            string authorityUri = "https://login.windows.net/common/oauth2/authorize";

            // App-only (client credentials) token request: client ID + secret, no user
            ClientCredential credential = new ClientCredential(clientId, secretKey);
            AuthenticationContext authContext = new AuthenticationContext(authorityUri);

            string token = authContext.AcquireTokenAsync(resourceUri, credential).Result.AccessToken;

            var tokenCredentials = new TokenCredentials(token, "Bearer");

            using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), tokenCredentials))
            {
                var reports = client.Reports.GetReportsInGroupWithHttpMessagesAsync(groupId);

                var faulted = reports.IsFaulted;

                // Here's where the exception is thrown
                var report = reports.Result.Body.Value;
            }
        }
    }

 

Any ideas why? 

 

Here's what we've validated/tried:

 

  • The AD User we've created the app under is not the global admin as recommended.
  • The user is a power bi pro user (trial).
  • The required permissions (Windows Azure Active Directory/Power BI Service) have been granted (we've checked off all to ensure we're not missing anything).
  • We've validated/confirmed the client ID, secret key and group id many times.
  • The Power BI workspace is private, but we've tried making a public one to be sure it doesn't matter.

Thank you in advance!

 

1 ACCEPTED SOLUTION
jamesyoung
Frequent Visitor

You are mixing the directions for user versus app authentication.  If you plan on the users not having accounts you don't need to pass in or use a clientID and SecretKey.  Here is a code example.  You will just need a username, password and clientID to login.  If you want to open a report and/or dashboard you also need a workspace guid.  Let me know if you have any questions.

 

 

    var credential = new UserPasswordCredential(Username, Password);

    // Authenticate using created credentials
    var authenticationContext = new AuthenticationContext(AuthorityUrl);
    var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

    if (authenticationResult == null)
    {
        return View(new EmbedConfig()
        {
            ErrorMessage = "Authentication Failed."
        });
    }

    var tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");

    // Create a Power BI Client object. It will be used to call Power BI APIs.
    using (var client = new PowerBIClient(new Uri(ApiUrl), tokenCredentials))
    {
        // Get a list of reports.
        var reports = await client.Reports.GetReportsInGroupAsync(GroupId);

        // Get the first report in the group.
        var report = reports.Value.FirstOrDefault();
    }

 


13 REPLIES 13
Everything works fine when authenticating using user + pass but when I'm trying the auth using client secret I get the "unauthorized" message. Hints?

 

Thx,

Paul

@jamesyoung I tried your snippet below and getting this exception:

 

 

AdalException: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: 030b56e4-a488-406d-becc-742e836c1800\r\nCorrelation ID: fb6c997d-5324-4255-ab36-53743bd29c95\r\nTimestamp: 2017-11-13 03:59:19Z","error_codes":[70002],"timestamp":"2017-11-13 03:59:19Z","trace_id":"030b56e4-a488-406d-becc-742e836c1800","correlation_id":"fb6c997d-5324-4255-ab36-53743bd29c95"}: Unknown error

Here's what I tried:

 

 

 

    static async void GetEmbedToken()
    {
        // took out actual values for these
        var aadUserEmail = "";
        var aadPassword = "";
        var groupId = "";
        var clientId = "";
        var credential = new UserPasswordCredential(aadUserEmail, aadPassword);

        // Authenticate using created credentials
        var authenticationContext = new AuthenticationContext("https://login.windows.net/common/oauth2/authorize/");
        var authenticationResult = await authenticationContext.AcquireTokenAsync("https://analysis.windows.net/powerbi/api", clientId, credential);

        if (authenticationResult != null)
        {
            var tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");

            // Create a Power BI Client object. It will be used to call Power BI APIs.
            using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), tokenCredentials))
            {
                // Get a list of reports.
                var reports = await client.Reports.GetReportsInGroupAsync(groupId);

                // Get the first report in the group.
                var report = reports.Value.FirstOrDefault();
            }
        }
    }

 

 

@Junilo

 

Are you trying to use the App method or the User method to login?  The user method just requires you have an account in Power BI and only allows users with Power BI accounts to access the report/dashboard.  The APP login method allows you to share your reports/dashboards with users who do not have a Power BI account but requires setup in Azure.

 

Jim

@Jim, I am taking the App Owns Data approach. I have set up an app in Azure AD and set permissions. I have created an app workspace with 1 Power BI Pro user. I already have groupId and a dashboardId. Stuck on that 'Forbidden' exception when trying to generate Embed Token. My Azure AD app is a web-app one. I have read somewhere I need to set up a native one?

Hi,

Even I am facing the same issue.

My setup is similar to @Junilo's setup.

 

I have registered my Web App in Azure and noted the ClientID and Client Secret.

I am not passing any user name and password so we are not using User Login authentication. 

I have pro license trial in powerBI and I have access to many dashboards. 

 

When we do App authentication, the app must have access to Dashboard or Workspace?

 

Regards,

Yasotha

From my first post, it is failing at AcquireTokenAsync where it says:

AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'

Same for me if I try to run the App Owns Data sample

@Yasotha and everyone having same issue, I have fixed mine. The key is to register the Azure AD app as a "Native" app, not "Server-side..."

 

See my post here: http://community.powerbi.com/t5/Developer/Obtain-Access-Token-C-App-Owns-Data-Error/m-p/301881#M8884

@Junilo

 

It's probably a client ID issue.  What line of code is it failing?

emotix
Frequent Visitor

Small update:

 

The token we obtain is correct. We've confirmed the token used at powerbi.com matches the token we obtain for use in the API example above while observing the requests.

 

Fiddler isn't of much help with the sample app from the first post, the raw request output is below:

 

HTTP/1.1 403 Forbidden
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: deny
X-Content-Type-Options: nosniff
RequestId: 1bcbd00c-e552-46f6-9d8e-81acd7534710
Date: Thu, 07 Sep 2017 18:18:39 GMT

Any help is much appreciated.
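
An added diagnostic, not code from any poster in this thread: it decodes an Azure AD access token's claims (without verifying the signature) to show whether it is a delegated user token, as the UserPasswordCredential flow returns, or an app-only token, as the ClientCredential flow in the first post returns. The class name, sample payloads and placeholder GUID are constructed for illustration; scp, upn, appid and aud are the standard Azure AD access-token claim names.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenInspector
{
    // Decode one base64url JWT segment ('-' and '_' alphabet, padding stripped).
    static string DecodeSegment(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Diagnostic only: reads the claims, does not verify the signature.
    public static string Describe(string accessToken)
    {
        var parts = accessToken.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        using var doc = JsonDocument.Parse(DecodeSegment(parts[1]));
        var claims = doc.RootElement;
        string Get(string name) =>
            claims.TryGetProperty(name, out var v) ? v.ToString() : "-";

        // A delegated (user) token carries scp; an app-only token does not.
        var kind = Get("scp") != "-" ? "delegated (user)" : "app-only";
        return kind + "; aud=" + Get("aud") + "; appid=" + Get("appid")
             + "; upn=" + Get("upn") + "; scp=" + Get("scp");
    }

    // Builds an unsigned token around a constructed payload (sample data only).
    static string Sample(string payloadJson)
    {
        string B64(string t) => Convert.ToBase64String(Encoding.UTF8.GetBytes(t))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return B64("{\"alg\":\"none\"}") + "." + B64(payloadJson) + ".sig";
    }

    static void Main()
    {
        const string common = @"""aud"":""https://analysis.windows.net/powerbi/api"","
                            + @"""appid"":""00000000-0000-0000-0000-000000000000""";
        // Constructed payloads: user-password flow vs. client-secret flow.
        var user = Sample("{" + common + @",""upn"":""user@example.com"",""scp"":""Report.Read.All""}");
        var app = Sample("{" + common + "}");
        Console.WriteLine(Describe(user));
        Console.WriteLine(Describe(app));
    }
}
```

Passing a real token to Describe in place of the samples shows which flow issued it; treat the token as a secret and keep it out of logs and screenshots.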

Did you ever find a resolution for this?  I am encountering the same issue.  Please let me know.

