Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
Hey There,
I hope someone can/are willing to help me out.
I'm trying to connect to Power BI's API using a service principal account and I understand in order to do this I need to use a JWT token to auth. I am getting the following error when I try to connect:
Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
I've done quite a lot of reading up and I just can't figure out what I'm doing wrong. Here's my token's output.
-headers: Lcobucci\JWT\Token\DataSet^ {#1882
-data: array:4 [
"typ" => "JWT"
"alg" => "RS256"
"x5t" => "SSL_FINGERPRINT"
"kid" => "SSL_FINGERPRINT"
]
}
-claims: Lcobucci\JWT\Token\DataSet^ {#1096
-data: array:8 [
"iss" => "CLIENT_ID"
"sub" => "CLIENT_ID"
"aud" => array:1 [
0 => "https://login.microsoftonline.com/TENANT_ID"
]
"jti" => "UNIQUE TOKEN"
"iat" => DateTimeImmutable @1639991673 {#695
date: 2021-12-20 09:14:33.002124 UTC (+00:00)
}
"nbf" => DateTimeImmutable @1639991733 {#2329
date: 2021-12-20 09:15:33.002124 UTC (+00:00)
}
"exp" => DateTimeImmutable @1639995273 {#2087
date: 2021-12-20 10:14:33.002124 UTC (+00:00)
}
]
And I'm posting with these values
URL: https://login.windows.net/{$tenant_id}/oauth2/token
'resource' => 'https://analysis.windows.net/powerbi/api',
'client_id' => $client_id,
'grant_type' => 'client_credentials',
'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
'client_assertion' => $client_assertion,
Thanks.
Kyle
HI @Anonymous,
Have you turned on the option on the admin portal that allows the rest API to use service principal authorizations? If not, please turn on this option first.
BTW, current the service principal only supports some read-only admin APIs, please take a look at the following links to know more about these settings and limitations:
Enable service principal authentication for read-only admin APIs - Power BI | Microsoft Docs
Regards,
Xiaoxin Sheng
Hey there,
Thank you for your response.
API service principal was already enabled.
So I'm guessing I'm missing something else.
HI @Anonymous,
According to the error message, it seems like the issue is related to the client id('iss' which you used in code), perhaps you can take a look at the following link which mentions the OAuth 2.0 client credentials and client id:
OAuth 2.0 client credentials flow on the Microsoft identity platform | Microsoft Docs
BTW, you can also try to change your aud values to the value that the document mentions if it works:
https://login.microsoftonline.com/{tenantId}/v2.0
https: //login.microsoftonline.com/{tenantId}/oauth2/token
Regards,
Xiaoxin Sheng
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.
User | Count |
---|---|
13 | |
2 | |
2 | |
1 | |
1 |
User | Count |
---|---|
20 | |
3 | |
2 | |
2 | |
2 |