Solved: Web Connector for Customer Web API

dbeavon3 · ‎01-03-2022

Is anyone familiar with the OAuth2 handshake between Power BI's "Web" connector and the AAD?

I have a customer with a proprietary web api. The API can be changed as needed to perform the oauth2 handshake that generates an access token for use by the Power Query import.

But no matter what we do, the handshake is not being performed correctly. The web api starts by properly generating the HTTP 401 WWW-AUTHENTICATE, and that gets us pretty far. But the error we are getting from Power Query is very problematic: "invalid_resource / resource principal was not found in the tenant". See image:

For some reason the "Web" connector is not very flexible, and requires a strict resource URI. It always expects to use a rigid one that is based on the HTTP address:

IE. see docs

https://docs.microsoft.com/en-us/power-query/connectorauthentication

"Power Query would expect your Application ID URL value to be equal to https://api.myservice.com."

I guess in our example, the resource URI that it is probably requiring is http://localhost (not https://api.myservice.com).

But we don't wan't to use a URI that is based on the HTTP address. If there are any Power BI experts who are familiar with the Oauth2 handshake which is used for the "Web" connector, I would greatly appreciate some feedback.

Side note: The inflexibility of this Oauth2 handshake is pretty problematic by itself. To make matters even worse, the Microsoft AAD is now requiring resource URI's to be in a "verifiedCustomDomain". See https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#appid-uri... This gives me little hope that a local IIS Express API would work (hosted on "http://localhost"). How can we connect the Power BI "Web" connector to a local web service that is actively under development? if anyone has AAD tips, they would be appreciated as well.

dbeavon3 · ‎01-06-2022

Thanks @v-henryk-mstf
I have a workaround but it was a pain. The inflexibility of this Oauth2 handshake is the biggest problem. I'm not sure why the "Web" connector in PBI can't allow us to specifiy an arbitrary APP ID to use when generating an access token. That would be easier than placing a dependency on a URL hostname, (that places a dependency on the AAD "registered domain names", that places a dependency on DNS). What a mess.... All I want to do is connect to https://localhost ... !!!

(In order to get everything working the "right way", you would need to get help from an AAD domain admin and possibly the network team as well. A software developer shouldn't need to get this level of involvement for a simple test-service that is being created on our local machine, especially if we are just connecting to it from PBI desktop on the machine).

Basically I was able to get things working by selecting a sub-domain of one of the domains that are registered to us, then I hijacked an app registration with an existing URL-APP-ID based on that sub-domain, then I created a self-signed cert for my website based on that sub-domain and I changed my hosts file so that my local machine could impersonate the original host .

After a couple hours of muddling around, I finally got things working. But some of these steps make a developer feel pretty dirty - especially borrowing a registration, creating a self-cert and impersonating another host. I also needed to install the full IIS for development, rather than using IIS express...

View solution in original post

v-henryk-mstf · ‎01-05-2022

Hi @dbeavon3 ,

For such problems, you can refer to a similar solution.

invalid_resource AADSTS500011 - Microsoft Q&A

Solved: AADSTS500011: The resource principal named http://... - Microsoft Power BI Community

If the problem is still not resolved, please point it out. Looking forward to your feedback.

Best Regards,
Henry

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

dbeavon3 · ‎01-06-2022

Thanks @v-henryk-mstf
I have a workaround but it was a pain. The inflexibility of this Oauth2 handshake is the biggest problem. I'm not sure why the "Web" connector in PBI can't allow us to specifiy an arbitrary APP ID to use when generating an access token. That would be easier than placing a dependency on a URL hostname, (that places a dependency on the AAD "registered domain names", that places a dependency on DNS). What a mess.... All I want to do is connect to https://localhost ... !!!

(In order to get everything working the "right way", you would need to get help from an AAD domain admin and possibly the network team as well. A software developer shouldn't need to get this level of involvement for a simple test-service that is being created on our local machine, especially if we are just connecting to it from PBI desktop on the machine).

Basically I was able to get things working by selecting a sub-domain of one of the domains that are registered to us, then I hijacked an app registration with an existing URL-APP-ID based on that sub-domain, then I created a self-signed cert for my website based on that sub-domain and I changed my hosts file so that my local machine could impersonate the original host .

After a couple hours of muddling around, I finally got things working. But some of these steps make a developer feel pretty dirty - especially borrowing a registration, creating a self-cert and impersonating another host. I also needed to install the full IIS for development, rather than using IIS express...

Web Connector for Customer Web API

Helpful resources

Fabric certifications survey

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024