Integrate PowerBI report using 'embed for customer' approach into an Angular application which uses Okta to authenticate
In one of our projects we need to embed Power BI reports in our client-facing app, where the authentication (to the application) is done by Okta. The application is developed using Angular and is hosted in AWS as a static website. The Power BI authentication should happen through a service account and the user should not be asked to log in to view the Power BI report. We want to follow the 'app owns data' approach here.
So far it's good; the problem now is that our system architecture does not contain any services. So we need to authenticate and embed Power BI from the client side itself. We tried to get the access token using the endpoint
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
This works from Postman; however, it throws a CORS error when accessed from the SPA.
The next thing we tried was using the msal-angular package to get the access token. But we couldn't find a way to get a token for the 'client_credentials' workflow using the msal package (without user interaction).
Are we missing something here, or is there any other way to get the access token from the client side without any API?
Thanks in advance!!
Yeah, nope. You must have a back-end service for app-owns-data embedding. You have to authenticate to Power BI to generate the Embed Token, and it's deeply insecure to send either the AAD Service Principal credentials (ClientID/ClientSecret) or AAD Master User credentials (UserName/Password) to the client's browser. That's why msal-angular doesn't support the client credentials flow.
The back-end service could be an Azure Function or AWS Lambda. It should be secured by your application authentication scheme, and have access to the credentials to complete the client credentials flow. After it uses the client credentials to obtain a Power BI Access Token, it calls the Power BI Embedding API to generate an Embed Token, and returns that to the client for embedding.
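The back-end flow described in the answer above, as an added example that is not part of the original answer: a Lambda-style Node.js handler that checks the caller's Okta token, runs the client credentials flow server-side, and returns only the embed token. The API Gateway event shape, the environment variable names and the injected `deps.verifyOktaToken` validator are assumptions made for illustration.

```javascript
// Added example (not from the original answer). Assumptions: API Gateway proxy event
// shape, the env var names, and deps.verifyOktaToken (hypothetical Okta JWT validator).
const SCOPE = "https://analysis.windows.net/powerbi/api/.default";
const json = (statusCode, body) => ({ statusCode, body: JSON.stringify(body) });

async function postJson(fetchFn, url, headers, body) {
  const res = await fetchFn(url, { method: "POST", headers, body });
  if (!res.ok) throw new Error(`upstream returned ${res.status}`);
  return res.json();
}

async function handler(event, deps = {}, env = process.env) {
  // 1. Gate on the application's own (Okta) authentication before touching any secret.
  const h = event.headers || {};
  const auth = h.authorization || h.Authorization || "";
  try {
    if (!auth.startsWith("Bearer ") || !deps.verifyOktaToken) throw new Error("no token");
    await deps.verifyOktaToken(auth.slice(7)); // must throw on invalid or expired tokens
  } catch {
    return json(401, { error: "unauthorized" });
  }
  const fetchFn = deps.fetch || globalThis.fetch;
  try {
    // 2. Client credentials flow: the client secret is read and used server-side only.
    const form = new URLSearchParams({
      grant_type: "client_credentials", scope: SCOPE,
      client_id: env.AAD_CLIENT_ID, client_secret: env.AAD_CLIENT_SECRET,
    });
    const aad = await postJson(fetchFn,
      `https://login.microsoftonline.com/${env.AAD_TENANT_ID}/oauth2/v2.0/token`,
      { "Content-Type": "application/x-www-form-urlencoded" }, form.toString());
    // 3. Exchange the access token for a view-only embed token. Workspace and report
    //    come from configuration, never from the request.
    const embed = await postJson(fetchFn,
      `https://api.powerbi.com/v1.0/myorg/groups/${env.PBI_WORKSPACE_ID}` +
        `/reports/${env.PBI_REPORT_ID}/GenerateToken`,
      { Authorization: `Bearer ${aad.access_token}`, "Content-Type": "application/json" },
      JSON.stringify({ accessLevel: "View" }));
    // 4. Only the short-lived embed token goes back to the browser.
    return json(200, { embedToken: embed.token, expiration: embed.expiration,
                       reportId: env.PBI_REPORT_ID });
  } catch (err) {
    console.error(err.message); // log server-side; do not echo upstream errors to the client
    return json(502, { error: "embed token unavailable" });
  }
}

if (typeof module !== "undefined") module.exports = { handler };
```

The Angular client then calls this endpoint with its Okta bearer token and passes the returned embed token to the Power BI client library; the service principal secret and the AAD access token never leave the function.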