Ameb
Helper I

oauth token as AAD / embed token API via AAD

Hello

 

We have found that it is possible to embed reports in a way similar to the "user owns data" scenario in which the application handles the user authentication. It is not documented by Microsoft.

 

  1. "user owns data" example: Authentication via Azure redirection, AAD token used for embedding
  2. "app owns data" example: Authentication with username/password sent from the application. Since we used .Net Core we rely on oAuth, a POST request to the openID endpoint. The bearer token is used with the Embedding API to generate the embedding token
  3. Undocumented: Authentication via Azure redirection, use Embedding API to generate embedding token. This makes little sense.
  4. Undocumented: Authentication without user interaction (like 2, oauth openID), no use of embedding API. This is useful for embedding when you always show the same reports with the same data for multiple users, or you have a few users and they won't be prompted with the redirection.

 

We understand AD redirection is way more safe and reliable, but the oAuth openid POST could be used when user's login is unrelated to Azure.

 

  • Are scenarios 3 and 4 supported? 
  • Is there any difference between the token returned from the oauth POST and the AAD token returned when using redirection?

 

// oauth authentication
...
            using (var client = new HttpClient())
            {
                var result = await client.PostAsync(oauthEndpoint, new FormUrlEncodedContent(new[]
                {
                    new KeyValuePair<string, string>("resource", ResourceUrl),
                    new KeyValuePair<string, string>("client_id", ClientId),
                    new KeyValuePair<string, string>("grant_type", "password"),
                    new KeyValuePair<string, string>("username", username),
                    new KeyValuePair<string, string>("password", password),
                    new KeyValuePair<string, string>("scope", "openid"),
                }));

                var content = await result.Content.ReadAsStringAsync();
                var oar = JsonConvert.DeserializeObject<OAuthResult>(content);
                // Bearer token is the default
                return oar.AccessToken;
            }
        }

...
class OAuthResult
{
    [JsonProperty("token_type")] public string TokenType { get; set; }
    [JsonProperty("scope")] public string Scope { get; set; }
    [JsonProperty("expires_in")] public int ExpiresIn { get; set; }
    [JsonProperty("ext_expires_in")] public int ExtExpiresIn { get; set; }
    [JsonProperty("expires_on")] public int ExpiresOn { get; set; }
    [JsonProperty("not_before")] public int NotBefore { get; set; }
    [JsonProperty("resource")] public Uri Resource { get; set; }
    [JsonProperty("access_token")] public string AccessToken { get; set; }
    [JsonProperty("refresh_token")] public string RefreshToken { get; set; }
}

v-micsh-msft
Employee

I do not fully understand what you mean in the 3rd question about the "Azure Redirection". If possible, could you please explain that a bit?

For the 4th question, you may take a look at the Publish to Web.

 

Power BI API would require a Pro account to access the related reports and resources, so it would need to authenticate through AAD.

 

Regards,

Michael

Thank you Michael for your reply

 

By Azure redirection I mean the redirection to the Azure sign-in page. It is the documented way for the "user owns data" scenario.

 

 

In scenario 4 we are using the authentication explained here: http://community.powerbi.com/t5/Developer/Embed-Power-BI-dashboard-in-ASP-Net-core/m-p/284314/highli...

also here: http://community.powerbi.com/t5/Developer/problem-getting-authentication-token-from-AAD/m-p/333921/h...

 

We are worried about using the AD token retrieved via the oauth openID endpoint POST for embedding (Scenario 4 in first post). Is it supported?

Publish to web is not applicable.

 

Edit: openID endpoint, not oauth. I confused some terms
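
An added example, not part of the original thread and not Microsoft's code: one way to check the second question in the first post is to decode the payload of both access tokens and list the claims that differ. The `TokenDiff` class and the sample payloads are constructed for illustration; `<ResourceUrl>` and `<scope>` are placeholders, and tokens issued by Azure AD may differ in other claims.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenDiff
{
    // Decode the payload (second segment) of a compact JWT.
    // Inspection only: the signature is NOT validated here.
    public static Dictionary<string, string> Claims(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.EnumerateObject()
                  .ToDictionary(p => p.Name, p => p.Value.GetRawText());
    }

    // Claims whose values differ, or that exist in only one of the two tokens.
    public static IEnumerable<(string Name, string A, string B)> Diff(string jwtA, string jwtB)
    {
        var a = Claims(jwtA);
        var b = Claims(jwtB);
        foreach (var name in a.Keys.Union(b.Keys).OrderBy(n => n, StringComparer.Ordinal))
        {
            a.TryGetValue(name, out var va);
            b.TryGetValue(name, out var vb);
            if (va != vb) yield return (name, va ?? "<absent>", vb ?? "<absent>");
        }
    }

    // Build an unsigned sample token from a JSON payload (constructed test data).
    static string Sample(string payloadJson) =>
        "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
                        .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        // Constructed payloads, not captured from Azure AD.
        var redirect = Sample("{\"aud\":\"<ResourceUrl>\",\"scp\":\"<scope>\",\"amr\":[\"pwd\",\"mfa\"]}");
        var passwordGrant = Sample("{\"aud\":\"<ResourceUrl>\",\"scp\":\"<scope>\",\"amr\":[\"pwd\"]}");
        foreach (var (name, a, b) in Diff(redirect, passwordGrant))
            Console.WriteLine($"{name}: redirect={a} password-grant={b}");
    }
}
```

Run it against tokens from a test tenant only, and keep real tokens out of logs and tickets, since a bearer token grants access to whoever holds it.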
