MaxW
Advocate II

Embedding without hard-coding master credentials (app owns data)

Hi, 

 

I've got Power BI Embedded capacity and trying to follow the instructions for the ISV 'app owns data' scenario to get reports into our web app. 

We've hit a bit of a roadblock as it appears there is a requirement for the master credentials to be hard coded within the application. Is this the case? It seems very insecure, there must be a way to authenticate using an access token? We are also struggling to use the samples and APIs as they are all .NET and our web application is Java.

 

from https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-embedding-content/:

"If you are embedding content for your customers, you will store the credentials for the master account within your application"


1 ACCEPTED SOLUTION
Eric_Zhang
Employee



@MaxW

AFAIK, yes, the master credential has to be hard coded in your application. The way Power BI authenticates is using an access token which is generated with the master credential. If you have concerns about credential security, you could apply some encrypt and decrypt functions in your application instead of hard-coding the credential as plain text.

 

In Java, instead of the SDK in .NET, you can reference the Power BI REST APIs and some other Azure AD authentication REST APIs.

E.g., you could get the access token with the POST API below.

POST /common/oauth2/token HTTP/1.1
Host: login.windows.net 
Content-Type: application/x-www-form-urlencoded

client_id={client id}&grant_type=password&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&username={your master account}&password={your account password}

With the access token, you can call Get Reports to get the reportId and EmbedUrl, and GenerateToken to get an embed token for specific reports.

As to embedding, use the Power BI JavaScript API. See a demo in a static HTML page.

 

<html>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.js"></script>
<script src="powerbi.js"></script>

<script type="text/javascript">
window.onload = function () {
    // Read embed token from Model (generated server-side, never the master account's access token)
    var accessToken = "embed token";

    // Read embed URL from Model
    var embedUrl = "embed url";

    // Read report Id from Model
    var embedReportId = "reportid";

    // Get models. models contains enums that can be used.
    var models = window['powerbi-client'].models;

    var config = {
        type: 'report',
        tokenType: models.TokenType.Embed,
        accessToken: accessToken,
        embedUrl: embedUrl,
        id: embedReportId,
        settings: {
            filterPaneEnabled: true
        }
    };

    // Get a reference to the HTML element that will host the report
    var dashboardContainer = $('#reportContainer')[0];

    // Embed the report and display it within the div container.
    var reports = powerbi.embed(dashboardContainer, config);
};
</script>
<div id="reportContainer"></div>
</html>
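
The token request from the answer above, built on the server from settings read at run time so that the master account never appears in source code or in the page sent to the browser. This is an added example, not code from the original post or from Microsoft; Python is used only for illustration, and the `PBI_*` setting names and the `redacted_form` helper are assumptions.

```python
import os
import urllib.parse
import urllib.request

# Endpoint and resource exactly as given in the answer above.
TOKEN_URL = "https://login.windows.net/common/oauth2/token"
RESOURCE = "https://analysis.windows.net/powerbi/api"

# Assumed setting names (not from the post); populate them from the
# deployment's secret store or environment, never from source control.
REQUIRED = ("PBI_CLIENT_ID", "PBI_MASTER_USER", "PBI_MASTER_PASSWORD")


def load_master_credentials(env=None):
    """Fetch the settings at run time and fail closed if any is absent."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing settings: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED}


def build_token_request(creds):
    """Build (without sending) the password-grant POST from the answer."""
    # urlencode percent-encodes every value, so '&', '+', '=' or spaces in
    # the password cannot split or alter the form fields.
    form = urllib.parse.urlencode({
        "client_id": creds["PBI_CLIENT_ID"],
        "grant_type": "password",
        "resource": RESOURCE,
        "username": creds["PBI_MASTER_USER"],
        "password": creds["PBI_MASTER_PASSWORD"],
    })
    return urllib.request.Request(
        TOKEN_URL,
        data=form.encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def redacted_form(request):
    """Form body that is safe to log: the password value is masked."""
    fields = urllib.parse.parse_qsl(request.data.decode("ascii"))
    return urllib.parse.urlencode(
        [(k, "REDACTED" if k == "password" else v) for k, v in fields]
    )
```

Only the embed token returned by GenerateToken should reach the browser; the access token obtained with this request stays on the server.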

6 REPLIES 6
Hi @Eric_Zhang,

 

I finally got the tokens working thanks to your post, but I'm now stuck on the RLS. Maybe I'm misunderstanding how it is supposed to work?

I generate an access token using the master account, then use that token to generate an embed token with a variable username like so:

{   
    "accessLevel": "View",
    "identities": [     
        {      
            "username": "Org19",
            "roles": [ "OrganisationUser" ],
            "datasets": [ "5f5...0d5f5" ]
        }   
    ] 
} 

I then have a report with the role "OrganisationUser" and the Organisation table filtered as [OrganisationIdString]=USERNAME()

In the report I have a card showing the measure that is 'User=USERNAME()'

The report runs in the JavaScript sample https://microsoft.github.io/PowerBI-JavaScript/demo/v2-demo/index.html

but I expect the card to show 'Org19' but instead it shows my master account username.

Am I close or doing this totally wrong?

@MaxW

I don't have a problem generating the RLS token; the username shows what is passed in the JSON body. Please post more details on how you generate the embedded token.

Measure=USERNAME()


Hi Eric,

I'm so sorry for wasting your time here, I was generating the token using curl and think I had wrapped the JSON incorrectly so it was getting ignored. Everything seems to be working now thank you so much for your help! 

No problem.
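
The GenerateToken body from this exchange, serialized with a JSON library and checked before it is sent, so that a mis-wrapped body is caught locally instead of being ignored and leaving the report under the master account's identity. This is an added example, not code from the thread; the function names are hypothetical, the checks follow the body shape shown in the post, and the malformed samples are constructed because the thread does not say which wrapping mistake was made.

```python
import json


def build_generate_token_body(username, roles, dataset_ids, access_level="View"):
    """Serialize the body with json.dumps instead of hand-quoting it."""
    if not username or not roles or not dataset_ids:
        raise ValueError("username, roles and dataset_ids are all required")
    return json.dumps({
        "accessLevel": access_level,
        "identities": [{
            "username": username,
            "roles": list(roles),
            "datasets": list(dataset_ids),
        }],
    })


def find_body_problems(raw):
    """Return the reasons a raw body would not carry the intended identity."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(doc, dict):
        return ["top level is %s, expected a JSON object" % type(doc).__name__]
    identities = doc.get("identities")
    if not isinstance(identities, list) or not identities:
        return ["no non-empty 'identities' array at the top level"]
    problems = []
    for i, ident in enumerate(identities):
        if not isinstance(ident, dict):
            problems.append("identities[%d] is not an object" % i)
            continue
        if not isinstance(ident.get("username"), str) or not ident["username"]:
            problems.append("identities[%d].username is missing" % i)
        for key in ("roles", "datasets"):
            value = ident.get(key)
            if not isinstance(value, list) or not value:
                problems.append("identities[%d].%s must be a non-empty array" % (i, key))
    return problems


# Constructed samples; "<dataset-id>" is a placeholder, not a real id.
GOOD = build_generate_token_body("Org19", ["OrganisationUser"], ["<dataset-id>"])
UNQUOTED = '{accessLevel: View, identities: [{username: Org19}]}'  # quotes lost in the shell
DOUBLE_ENCODED = json.dumps(GOOD)                # whole body sent as one JSON string
NESTED = json.dumps({"body": json.loads(GOOD)})  # identity under an extra wrapper key
```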

Hi Eric, 

Thank you this is a very comprehensive and helpful reply. I will pass it on to our app developers and see if there is a way we can satisfy the security concerns.

Kind regards,

 

Max
