111peter111
Frequent Visitor

How to work with embed token and its limited expiration time?

I cannot figure out how embedding based on an expiring embed token makes sense. 

 

The developer has a Pro license. The developer uses that license to create an embed token for a report in order to embed that report into an app, copies the embed token into the app, then builds and deploys the app. Users (without any Power BI license) start interacting with the app and the embedded report. 10 minutes later the embed token has expired. Users cannot see the report. The developer has to create another embed token, copy it into the app again, deploy the app again....

 

It does not seem to make sense, what am I missing?

1 ACCEPTED SOLUTION

It is not secure to create embed tokens from client-side code. To accomplish this with the app-owns-data model, you would have to push the access token for a privileged user to the browser, which would defeat much of the motivation for using embed tokens to begin with.

 

You should only create embed tokens from server-side code. The server-side code must pass the master user Azure AD access token to the Power BI Service API to create an embed token. But that is a secure server-to-server call.  Then you pass the embed token to the client-side to perform the actual embedding. 

 

When using the app-owns-data model, you should generate an embed token any time you embed a Power BI resource on a page. Generally, your application needs server-side code and a development platform that supports that, such as ASP.NET, ASP Core or Node.js.

 

If you are truly creating an SPA that has no server-side code (e.g. AngularJS, React.js), you are really restricted to first-party embedding with the user-owns-data model because you cannot implement third-party embedding with the app-owns-data model securely.

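The server-side flow described in the accepted solution, as an added example that is not part of the original thread and is not Microsoft's sample code. `getAccessToken` and `httpPost` are hypothetical injection points (the first stands for whatever Azure AD authentication the server uses), and `needsRefresh` goes one step beyond the answer by showing when the page should ask the server for a new token.

```javascript
const PBI_API = "https://api.powerbi.com/v1.0/myorg";
const GUID = /^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Build the GenerateToken call. IDs are validated so that request input
// can never change which API path the privileged token is sent to.
function buildGenerateTokenRequest(workspaceId, reportId, accessToken) {
  if (!GUID.test(workspaceId) || !GUID.test(reportId)) {
    throw new Error("workspaceId and reportId must be GUIDs");
  }
  return {
    url: `${PBI_API}/groups/${workspaceId}/reports/${reportId}/GenerateToken`,
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ accessLevel: "View" }),
    },
  };
}

// Body of a server-side endpoint (for example an Azure Function), called
// each time a page embeds the report.
// getAccessToken: hypothetical async function returning the Azure AD access
// token; it and its credentials never leave the server.
// httpPost: fetch-compatible function, injectable so it can be stubbed.
async function issueEmbedToken({ workspaceId, reportId, getAccessToken, httpPost = fetch }) {
  const accessToken = await getAccessToken();
  const { url, init } = buildGenerateTokenRequest(workspaceId, reportId, accessToken);
  const res = await httpPost(url, init);
  if (!res.ok) throw new Error(`GenerateToken failed: HTTP ${res.status}`);
  const { token, expiration } = await res.json();
  // Return only what the browser needs: the short-lived embed token.
  return { reportId, embedToken: token, expiration };
}

// Client-side check: true once the embed token is within marginMs of
// expiring, at which point the page requests a fresh one from the server.
function needsRefresh(expiration, nowMs = Date.now(), marginMs = 60000) {
  return Date.parse(expiration) - nowMs <= marginMs;
}
```

The browser only ever receives the object returned by `issueEmbedToken`, so nothing has to be hard-coded into the deployed front end.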

4 REPLIES
111peter111
Frequent Visitor

It would make sense if there were a possibility to set the expiration time when the embed token is generated. But I do not see a parameter for this in the generate token REST API.

The more I read, the more I get the understanding that the app that is trying to show reports is not independent of a Power BI account at all. The developer needs to hard-code the master credentials (username and password) into the app. Every time the app is used, all embed tokens have to be created anew. Every time the app is used, an authorization with the master credentials to Azure has to be done.

 

The part of authenticating with Azure and creating the embed tokens should obviously not be done in any frontend code that a user has access to.

 

Maybe in Azure Functions? Does the application really need to authenticate, create an embed token and embed every time the user wants to see a report?


Thank you for your answer. I came to the same conclusion. I think I will try to set up the server part as an Azure Function.
