Power BI Api - JWT Auth

Anonymous · ‎12-20-2021

Hey There,

I hope someone can/are willing to help me out.

I'm trying to connect to Power BI's API using a service principal account and I understand in order to do this I need to use a JWT token to auth. I am getting the following error when I try to connect:

Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .

I've done quite a lot of reading up and I just can't figure out what I'm doing wrong. Here's my token's output.

 -headers: Lcobucci\JWT\Token\DataSet^ {#1882
    -data: array:4 [
      "typ" => "JWT"
      "alg" => "RS256"
      "x5t" => "SSL_FINGERPRINT"
      "kid" => "SSL_FINGERPRINT"
    ]
   }
  -claims: Lcobucci\JWT\Token\DataSet^ {#1096
    -data: array:8 [
      "iss" => "CLIENT_ID"
      "sub" => "CLIENT_ID"
      "aud" => array:1 [
        0 => "https://login.microsoftonline.com/TENANT_ID"
      ]
      "jti" => "UNIQUE TOKEN"
      "iat" => DateTimeImmutable @1639991673 {#695
        date: 2021-12-20 09:14:33.002124 UTC (+00:00)
      }
      "nbf" => DateTimeImmutable @1639991733 {#2329
        date: 2021-12-20 09:15:33.002124 UTC (+00:00)
      }
      "exp" => DateTimeImmutable @1639995273 {#2087
        date: 2021-12-20 10:14:33.002124 UTC (+00:00)
      }
    ]

And I'm posting with these values

URL: https://login.windows.net/{$tenant_id}/oauth2/token

'resource' => 'https://analysis.windows.net/powerbi/api',
'client_id' => $client_id,
'grant_type' => 'client_credentials',
'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
'client_assertion' => $client_assertion,

Thanks.

Kyle

v-shex-msft · ‎12-23-2021

HI @Anonymous,

Have you turned on the option on the admin portal that allows the rest API to use service principal authorizations? If not, please turn on this option first.

BTW, current the service principal only supports some read-only admin APIs, please take a look at the following links to know more about these settings and limitations:

Embed Power BI content in an embedded analytics application with service principal and an application secret - Power BI | Microsoft Docs

Enable service principal authentication for read-only admin APIs - Power BI | Microsoft Docs

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.

Anonymous · ‎12-23-2021

Hey there,

Thank you for your response.

API service principal was already enabled.

So I'm guessing I'm missing something else.

v-shex-msft · ‎12-27-2021

HI @Anonymous,

According to the error message, it seems like the issue is related to the client id('iss' which you used in code), perhaps you can take a look at the following link which mentions the OAuth 2.0 client credentials and client id:

OAuth 2.0 client credentials flow on the Microsoft identity platform | Microsoft Docs

BTW, you can also try to change your aud values to the value that the document mentions if it works:

https://login.microsoftonline.com/{tenantId}/v2.0
https: //login.microsoftonline.com/{tenantId}/oauth2/token

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.

Power BI Api - JWT Auth

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024