Solved: App only authentication - oAuth2 token request

ricus_zero · ‎08-06-2019

Hi everyone

I'm making use of app-only authentication (the app owns data method), I've already set up a new group and created a service principle, as well as enabled the "Allow service principle to use Power BI Apps" option in Power BI, where I added the group to as well.

I've followed some online videos and from my understanding, this service principle should now be able to make user-related calls. The idea is to get dashboard and report embeds using the app / service principle that was created and given access to.

My question is how do I perform the oauth token request with the app id and secret I have? The app in question is a web app, and I have a linux machine so can't run the c# examples, I'm yet to see a simple Curl / php example of authenticating.

I'm trying to set this up in Postman, but I'm not sure which grant type and scope to use, could someone please help point me in the right direction of how to actually authenticate as the app / service principle with the token endpoint provided for the app?

Thanks

Jayendran · ‎08-06-2019

Hi @ricus_zero you can use the below query in postman, basically you should use the grant type as client_credentials

resource:https://analysis.windows.net/powerbi/api
client_id:xxxxx
client_secret:xxxx
grant_type:client_credentials

View solution in original post

ricus_zero · ‎08-06-2019

Hi @Jayendran

Thanks for the prompt response!

I noticed your token endpoint is the v1 endpoint and not the /oauth2/v2.0/token one, is there a reason for that?

That screenshot helped a lot, I was able to get an access token using the token endpoint you used (not v2), but the same does not work for v2, do you know why this might be?

Regardless, after I got the access token I attempted getting a list of reports making a GET request to https://api.powerbi.com/v1.0/myorg/reports - but I'm getting the following response:

The app is part of a group to which I have given access inside of the tenant settings in PowerBI, am I missing something?

I'd like to mention again the end result here is for me to get embed urls for reports and dashboards, I think the endpoint I was checking is what I need but I might be wrong.

I noticed this section in the documentation regarding embed tokens, but that requires scopes that we did not supply with the token request?

Thanks again for the help

Jayendran · ‎08-07-2019

Hi @ricus_zero

As per microsoft they used v1. So It's a standard for us to use V1 whenever we login using microsoft.

Coming back to your error..

There are many difference in pro account autentication and SPN autentication.I'd recommed you to ref...

Actually you are calling a API https://api.powerbi.com/v1.0/myorg/reports which is My Workspace This is the default workspace given to your account by PowerBI.

SPN won't able to access My Workspace, because you can only able to access it, not a service account/SPN.

What you can do now ?

Create a new workspace
Add the SPN as the Admin to the new workspace
Publish the report in that workspace
Call the REST API GET https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports/{reportId} which the SPN token

ricus_zero · ‎08-07-2019

Hi @Jayendran

Once again coming in with the rock solid response.

Now that you mention it that makes a lot of sense, so in essence, we would require a pro account because only pro accounts can create new workspaces?

For the time being, I've enabled the trial pro account to test this out.

I created a new workspace, when it comes to assigning the service principle as admin to the new workspace, It's not picking it up in the auto complete? Is this feature available on the gui yet? (I remember from a video I watched, that a few months back this wasn't possible from the interface and the SPN had to be added via PowerShell)

For reference, I have a group called Power BI Apps, which has been added under tenant settings:

In Azure AD when I navigate to this group and click on members, I can see the service principle there

When attempting to add this it's not picked up, is this because it's not possible from the gui?

Regards

Jayendran · ‎08-07-2019

Hi @ricus_zero

Even SPN can able to create new workspace (V2). If you refered the difference between pro and SPN . you can find that solution.

There are 2 types of workspaces

Classical (v1)
Upgraded (v2)

PRO have access to both workspace, but SPN should have only v2 workspace. So if you are trying to add your your SPN in V1 workspace it won't work/ show.

You can add the SPN only in the V2 (Upgraded workspace) (from GUI)

Pls see the below screenshot I can able to search the app id in my V2 workspace

ricus_zero · ‎08-07-2019

Hi @Jayendran

Sorry for all the questions, your help has been tremendous so far!

Am I correct in saying that it's possible for a normal license to create new workspaces via the service principle? (API call)

I attempted to create a new workspace via the REST API, making a call to the groups endpoint which got a 403 initially, I tried my luck and added the required scope to the access token call, and magic happened, I could now create a new workspace via the api, and then I assigned this workspace to my PowerBI user so that they can view it as well.

I added some of the sample dashboards and reports to this new workspace that was created via the api

So moving on from that, I then attempted to get the dashboard with the get dashboard endpoint, and got that "API is not accessible for application" response again.

I then had a look at the Embed Token documentation since it's relevant to the App owns data scenario which if I'm not mistaken is what we are dealing with here.

I attempted to get an embed token for said dashboard. I once again had to change the scopes defined when getting the oauth access token, but after that I was able to get a proper response which includes the token / tokenId / expirtation and @odata.context

Now a seemingly simple question of, how do I actually use this embed token in our web app to display the embedded dashboard?

Hope you can help with this

Thanks

Jayendran · ‎08-07-2019

Hi @ricus_zero

Am I correct in saying that it's possible for a normal license to create new workspaces via the service principle? (API call)

Yes you are correct

You shouldn't use get dashboard API using SPN token Instead use get dashboard in group

Now a seemingly simple question of, how do I actually use this embed token in our web app to display the embedded dashboard?

You can use SDK's See App owns data in dotnet

Basically you need to pass the embed token to PowerBI Javascript

<script>
    // Read embed application token from Model
    var accessToken = "@Model.EmbedToken.Token";
    // Read embed URL from Model
    var embedUrl = "@Html.Raw(Model.EmbedUrl)";
    // Read dashboard Id from Model
    var embedDashboardId = "@Model.Id";
    // Get models. models contains enums that can be used.
    var models = window['powerbi-client'].models;
    // Embed configuration used to describe the what and how to embed.
    // This object is used when calling powerbi.embed.
    // This also includes settings and options such as filters.
    // You can find more information at https://github.com/Microsoft/PowerBI-JavaScript/wiki/Embed-Configuration-Details.
    var config = {
        type: 'dashboard',
        tokenType: models.TokenType.Embed,
        accessToken: accessToken,
        embedUrl: embedUrl,
        id: embedDashboardId
    };
    // Get a reference to the embedded dashboard HTML element
    var dashboardContainer = $('#dashboardContainer')[0];
    // Embed the dashboard and display it within the div container.
    var dashboard = powerbi.embed(dashboardContainer, config);
</script>

BTW you can give Like/give kudo's to my replies if you find it useful, by this way it will help others.

ricus_zero · ‎08-07-2019

Hi @Jayendran

I've given you a few thumbs-ups for your help, and will mark a solution soon.

I'm running Linux so don't have a c# environment, but I pulled down the javascript package from their Github.

I was a little confused with where the value of embedUrl comes from, since it's not in the response, but fiddling a little I figured out it's just https://app.powerbi.com/dashboardEmbed?dashboardId=XXX

I've now been able to embed both a dashboard and a report in my sample web app, making use of the embed token functionality, and once again thanks so much for your help today, I've been struggling with this for over a week.

I did notice the lifetime of that token from embed token isn't very long, so it's something I would need to keep in mind when developing the full application.

Hope you have a great day.

Thanks again!