
abshirey
Employee

OAuth2 Data Connector with PKCE

Hi, I'm trying to implement a custom OAuth2 data connector with PKCE to call a REST API, so I do not have to use confidential client secrets in the report. However, I can't get the authorization to validate successfully and have not found a working example of an OAuth2 data connector that does not rely on shared secrets. It is my understanding that the OAuth2 data connector supports getting an access token via the auth code flow with PKCE. Can anyone confirm that using PKCE with a custom OAuth2 data connector is possible? If so, can anyone direct me to a working example? Thank you!

5 REPLIES
v-juanli-msft
Community Support

Hi @abshirey 

Are the references below helpful?

https://docs.microsoft.com/en-us/power-query/handlingauthentication

Power Query extensions are evaluated in applications running on client machines.

Data Connectors should not use confidential secrets in their OAuth flows, as users may inspect the extension or network traffic to learn the secret.

See the Proof Key for Code Exchange by OAuth Public Clients RFC (also known as PKCE) for further details on providing flows that don't rely on shared secrets.

 

Best Regards
Maggie
Community Support Team _ Maggie Li
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

 

neil_varnas_IP

Hi @v-juanli-msft , @abshirey 

I'm working through the implementation of PKCE authentication flow for our certified connector and wondered if you could assist with a few questions I have:

  1. The flow works fine when using code_challenge_method with the value plain. However, this is not the recommended method, and hashing the verification code is highly advised (in addition to a few other things, see formula below):
    BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    Does the M language (Power Query) have an out-of-the-box function to do the hashing?
  2. What is the best way to store the code verifier value for the user session? As far as I can see, if one assigns a value to a variable it persists for the OAuth flow, but when it comes to refreshing the access token a new value is used. Please advise on best practice.

Thanks

abshirey

Hi @neil_varnas_IP

 

As far as I know, there isn't a sha_256 method in the M language. If you wanted to use this code_challenge_method, maybe you could generate the code_challenge with a Python script in Power BI, set the output as environment variables and reference them in the connector? This is a random suggestion, I haven't researched if this is possible.

 

I used the plain code_challenge method and created the code_verifier and code_challenge in the StartLogin method by concatenating two guids together: Text.NewGuid() + Text.NewGuid(). I got this idea from the GitHub post: https://github.com/microsoft/DataConnectors/issues/280#issuecomment-589651327 . It also shows how to pass it in as an optional fourth parameter to the TokenMethod so you can still use the refresh method. 

 

Hope that helps! If you decide to use the plain method with guids and have any implementation issues, let me know
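The two questions above (how the S256 challenge is computed, and why the code_verifier has to be the same value in StartLogin and FinishLogin while a refresh needs no verifier at all) can be demonstrated without a real identity provider. The following is an added example written for this thread; it is not code from the posts, the DataConnectors repository or the Power Query SDK. It implements RFC 7636 in Python with a small in-memory authorization server standing in for the /authorize and /token endpoints. CLIENT_ID, REDIRECT_URI and the ToyAuthServer method names are placeholders chosen for illustration; the S256 test vector used in the test is the one from RFC 7636 Appendix B.

```python
"""RFC 7636 (PKCE) worked end to end against a toy authorization server.

Added example for this thread; not code from the original posts, the
DataConnectors repository or the Power Query SDK. CLIENT_ID and
REDIRECT_URI are placeholders (assumption), and ToyAuthServer stands in
for a real identity provider's /authorize and /token endpoints.
"""
import base64
import hashlib
import hmac
import secrets

CLIENT_ID = "example-connector"                         # placeholder, not a real registration
REDIRECT_URI = "https://example.invalid/oauthredirect"  # placeholder redirect URI


def b64url(raw: bytes) -> str:
    """BASE64URL-ENCODE as RFC 7636 defines it: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier from the unreserved set; 32 random octets give 43 chars."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """S256 is BASE64URL-ENCODE(SHA256(ASCII(code_verifier))); plain sends the verifier as-is."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


class ToyAuthServer:
    """In-memory public-client authorization server: there is no client_secret anywhere."""

    def __init__(self) -> None:
        self._pending = {}   # authorization code -> (code_challenge, method, redirect_uri)
        self._refresh = {}   # refresh_token -> client_id

    def authorize(self, client_id: str, redirect_uri: str, challenge: str, method: str) -> str:
        """/authorize: remember the challenge, hand back a single-use authorization code."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (challenge, method, redirect_uri)
        return code

    def token(self, grant_type: str, **params) -> dict:
        """/token: for authorization_code the presented verifier must recompute the stored
        challenge; for refresh_token no verifier is needed, which is why a connector's
        TokenMethod can serve both grants with code_verifier as an optional argument."""
        if grant_type == "authorization_code":
            entry = self._pending.pop(params.get("code"), None)   # codes are single use
            if entry is None:
                raise PermissionError("invalid_grant: unknown or already redeemed code")
            challenge, method, redirect_uri = entry
            if params.get("redirect_uri") != redirect_uri:
                raise PermissionError("invalid_grant: redirect_uri mismatch")
            expected = code_challenge(params.get("code_verifier", ""), method)
            if not hmac.compare_digest(expected, challenge):
                raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
            refresh_token = secrets.token_urlsafe(32)
            self._refresh[refresh_token] = params.get("client_id")
            return {"access_token": secrets.token_urlsafe(32),
                    "refresh_token": refresh_token, "token_type": "Bearer"}
        if grant_type == "refresh_token":
            if params.get("refresh_token") not in self._refresh:
                raise PermissionError("invalid_grant: unknown refresh_token")
            return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
        raise ValueError("unsupported_grant_type")


def run_flow(server: ToyAuthServer, method: str = "S256", lose_verifier: bool = False):
    """Client side, shaped like StartLogin / FinishLogin / Refresh.

    StartLogin creates the verifier and challenge; FinishLogin must present the same
    verifier it received through the login context. lose_verifier=True models a
    FinishLogin that regenerates the value instead, which the server must reject.
    """
    verifier = new_code_verifier()                  # StartLogin: keep this in the context
    challenge = code_challenge(verifier, method)
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, method)
    presented = new_code_verifier() if lose_verifier else verifier
    tokens = server.token("authorization_code", code=code, code_verifier=presented,
                          client_id=CLIENT_ID, redirect_uri=REDIRECT_URI)
    refreshed = server.token("refresh_token", refresh_token=tokens["refresh_token"],
                             client_id=CLIENT_ID)                 # no code_verifier here
    return tokens, refreshed
```

The thread notes that M has no out-of-the-box SHA-256, so the S256 branch above is exactly what such a helper would have to produce: SHA-256 over the ASCII bytes of the verifier, then base64url without padding. The lose_verifier path shows the failure mode behind the second question: if FinishLogin regenerates the verifier instead of reading the one StartLogin placed in the context, the token endpoint rejects the exchange with invalid_grant, whereas the refresh grant succeeds without any verifier.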

neil_varnas_IP

Hi @abshirey,

 

Thanks for your quick response. That link was a massive help to get the verification code passed around. Re S256 hashing, I'm keeping it as a plain code for now; hopefully in the future we'll get some additional helper functions to get the value hashed and make it more secure.
Thanks

abshirey

Hi Maggie,

 

Those links are helpful. I used those along with the GitHub samples repo to create my data connector. 

 

The problem I'm having, which I can't find a solution for in the linked sites, is that exchanging an authorization token for an access token is not successful. The PKCE code verification is successful. This problem could be due to AAD permissions, as the app I'm trying to access is registered in AAD, OAuth2 authorization, or how the data connector. If you could suggest any resources about how to use the OAuth2 authorization code grant with PKCE in Power BI for an app registered in AAD, I would appreciate it! Do you know if any specific permissions need to be requested in the scope or approved in the Azure portal?
