Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Anonymous
Not applicable

How was authentication accomplished in ArcGIS Maps for Power BI?

‎04-13-2020 10:43 AM

Hi!

 

Our organization is interested in developing a custom visual that allows users to authenticate to a third-party service, just like ArcGIS Enterprise in their custom visual, Maps for Power BI (See "New connections options" in March 2020 feature summary). Any clues for how could such UI interaction be accomplished?

 

We're thinking of approaching this via React, although we're facing difficulties:

  • with routing since React Router uses URL changes (and the URL is not exposed to the custom visual).
  • with the authentication token persistence since Cookes are not allowed due to security concerns

Any help will be greatly appreciated

-Andres F

 

Labels:
Message 1 of 4
725 Views
0
3 REPLIES 3
dm-p
Super User
Super User

‎04-13-2020 01:24 PM

Hi @Anonymous,

The key difference here is that the ArcGIS is an incredibly special case: it's a core visual provided by a third party, rather than a custom visual, and as such is subject to elevated privileges in the main UI window.

Due to iframe sandboxing with custom visuals, there are two ways to work with external URLs at this time:

  • Using the IVisualHost.launchUrl()method, which opens URLs in a new tab, after confirmation from the user running the report that this is okay. There's no callback functionality, so can't be used to persist cookies etc. back to the calling iframe.
  • Async calls to endpoints that are seved over HTTPS and have an Access-Control-Allow-Origin of any (*).

I am aware of a couple of vendors whose visuals are part of a suite of services they provide and have had to manage auth back these systems in their custom visuals by providing users with resources such as user-specific API keys that they can add as properties to the visual and validate these using the second method.

Your scenario isn't something I've needed to explore previusly, but if I were to attempt your challenge and I'm using React, I might start with the following thought process:

  • If I don't have a valid token, I could use React component state to present a 'login screen' to the user instead of the regular visual view.
    • You might also be able to do this using the landing page API instead, so you have some specific workflow around it.
  • If my authenticating endpoint can be served over HTTPS and is basically a web service, then I could use an async call from this form in my code to submit credentials and retrieve a token.
    • As the request comes from an empty domain, there's no easy way to shore up your endpoint to accept requests specifically from Power BI.
    • Therefore you may need some kind of additional key-based auth against your API that only the visual knows about to prevent potential DDoS scenarios.
  • This token could be persisted into the visual's objects by setting up a place for it in my capabilities.
    • This would be a proxy for cookies or other browser-based storage.
    • You can also hide capabilities from the end-user, so that you can use them to store values you don't want exposing in the pane. I've done a simple example here - this is for show/hide based on another property, but you could just tell the method to always hide objects you don't want exposing in the UI.
  • You could use IVisualHost.persistProperties to store a token in the visual's objects without any interaction from the user, ready for any updates or subsequent reloads.
    • There's unfortunately no doc for this method, but you can find the interfaces needed for this to work in the typings.
    • Note that this will trigger an update method in your visual, so if you're doing anything asynchronous while this is going on, you might want to wait for those to complete before firing this step.
  • When the visual next fires up, you can retrieve this token as part of the regular settings parsing, and possibly check for validity and go back to the start if the token has expired for re-auth.

This is the result of a couple minutes' brainstorming, so not suggesting it's definitely a way to do this but might open some avenues for you.

Probably not the answer you were after, I'm sure, but hopefully may allow you to approach the challenge from a different angle.

Good luck,

Daniel





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!


My course: Introduction to Developing Power BI Visuals


On how to ask a technical question, if you really want an answer (courtesy of SQLBI)




Message 2 of 4
704 Views
Anonymous
Not applicable
In response to dm-p

‎04-21-2020 02:20 PM

Thanks a lot for your thorough response, @dm-p ! It definitely sheds some light in how to approach our desired requirements.

Regarding authentication, however, we have the particularity of it being restricted to open id connect, so we do need to show a confirmation dialog that would then return the access token (not just an "async call from this form in my code to submit credentials and retrieve a token").   

 

We're thinking of serving this dialog via a popup; would you happen to know if there are also restrictions for popups form Power BI?  

 

Message 3 of 4
651 Views
0
dm-p
Super User
Super User
In response to Anonymous

‎04-21-2020 03:46 PM

Hi @Anonymous,

I'm fairly sure this isn't an option. If you inspect the visual's iframe you'll only see the following attribute set for sandbox:

image.png

As allow-modals and allow-popups are not set, then the sandbox should not permit this to happen.

Personally, I have had limited success with getting an alert() to work in Power BI Desktop, but not in the Service when the report is deployed, or when using the developer visual so have abandoned any further attempts.

I think that if you want to implement via OAuth-based login, then this avenue may not be open to you - I have had discussions with colleagues in this space who offer commercial visuals who have had no luck implementing or requesting the sandox limitations be lifted so that they can.

You can try contacting the team at pbicvsupport@microsoft.com to see if they have any further suggestions, but I suspect you might get a similar answer, unfortunately. Can't hurt to ask though if you need a definitve answer from MS.

Regards,

Daniel





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!


My course: Introduction to Developing Power BI Visuals


On how to ask a technical question, if you really want an answer (courtesy of SQLBI)




Message 4 of 4
639 Views

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All