How to work with embed token and its limited expiration time?

I cannot figure out how embedding based on an expiring embed token makes sense.

The developer has a Pro license. Developer uses that license to create an embed token for a report with the purpose to embed that report into an app. Copies the embed token into the app. Builds and deploys the app. Users (without any Power BI license) start interacting with the app and the embedded report. 10 minutes later the embed token has expired. Users cannot see the report. Developer has to create another embed token, copy it again into the app, deploy the app again....

It does not seem to make sense, what am I missing?

Accepted Solution

Microsoft

Re: How to work with embed token and its limited expiration time?

It is not secure to create embed tokens from client-side code. To accomplish this with the app-owns-data model, you would have to push the access token for a privileged user to the browser, which would defeat much of the motivation for using embed tokens to begin with.

You should only create embed tokens from server-side code. The server-side code must pass the master user Azure AD access token to the Power BI Service API to create an embed token. But that is a secure server-to-server call. Then you pass the embed token to the client-side to perform the actual embedding.

When using the app-owns-data model, you should generate an embed token any time you embed a Power BI resource on a page. Generally, your application needs server-side code and a development platform that supports that, such as ASP.NET, ASP Core or Node.js.

If you are truly creating an SPA that has no server-side code (e.g. AngularJS, React.js), you are really restricted to first-party embedding with the user-owns-data model because you cannot implement third-party embedding with the apps-own-data model securely.
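The server-side flow described in this answer, sketched in Node.js as an added example (not code from the original post or from Microsoft). `getAadToken`, `httpPostJson` and `canView` are hypothetical injected helpers standing in for your Azure AD client, HTTPS library and the app's own authorization check; the demo values are constructed placeholders.

```javascript
// Added example: server-side embed-token broker for the app-owns-data model.
// getAadToken, httpPostJson and canView are hypothetical helpers supplied by
// the caller; nothing here contacts a real service.
const PBI_API = "https://api.powerbi.com/v1.0/myorg";

function createEmbedTokenBroker({ getAadToken, httpPostJson, canView }) {
  // Returns the handler a server route (or an Azure Function) calls per page load.
  return async function issueEmbedToken(appUser, groupId, reportId) {
    // The app, not Power BI, decides which of its users may see which report.
    if (!canView(appUser, groupId, reportId)) {
      throw new Error("forbidden");
    }
    // Master-user Azure AD access token: obtained and used on the server only.
    const aadToken = await getAadToken();
    const url = `${PBI_API}/groups/${encodeURIComponent(groupId)}` +
                `/reports/${encodeURIComponent(reportId)}/GenerateToken`;
    const res = await httpPostJson(url,
      { Authorization: `Bearer ${aadToken}` },
      { accessLevel: "View" });
    // Forward only the short-lived embed token; the AAD token never leaves the server.
    return { embedToken: res.token, expiration: res.expiration };
  };
}

// Client side: how long to wait before asking the server for a fresh embed
// token, so it is renewed shortly before the current one expires.
function msUntilRefresh(expirationIso, nowMs, marginMs = 60000) {
  const expiresMs = Date.parse(expirationIso);
  if (Number.isNaN(expiresMs)) throw new Error("bad expiration");
  return Math.max(0, expiresMs - nowMs - marginMs);
}

// Constructed demo with stubbed network calls and placeholder tokens.
const demo = createEmbedTokenBroker({
  getAadToken: async () => "AAD-TOKEN-PLACEHOLDER",
  httpPostJson: async () => ({
    token: "EMBED-TOKEN-PLACEHOLDER",
    expiration: "2020-08-01T12:10:00Z",
  }),
  canView: (user) => user === "alice",
});
demo("alice", "group-1", "report-1").then((r) => console.log(r));
```

In the browser, a timer set from `msUntilRefresh` would request a new embed token from this endpoint and hand it to the embedded report (powerbi-client exposes `setAccessToken` for this), so an expired token never requires a redeploy.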


Re: How to work with embed token and its limited expiration time?

It would make sense if there were a possibility to set the expiration time when the embed token is generated. But I do not see a parameter for this in the generate token REST API.


Re: How to work with embed token and its limited expiration time?

The more I read, the more I get the understanding that the app that is trying to show reports is not independent of a Power BI account at all. The developer needs to hard-code the master credentials (username and password) into the app. Every time the app is used, all embed tokens have to be created anew. Every time the app is used, an authorization with the master credentials to Azure has to be done.

The part of authenticating with Azure and creating the embed tokens should obviously not be done in any frontend code that a user has access to.

Maybe in Azure Functions? Does the application really need to authenticate, create an embed token and embed every time the user wants to see a report?


Re: How to work with embed token and its limited expiration time?

Thank you for your answer. I came to the same conclusion. I think I will try to set up the server part as an Azure Function.
