
Migrating master user to service principal for authentication on power bi embedded

I'm trying to migrate my authentication method from Power BI master user to service principal.

With the master user I'm using MSAL with an authentication flow like below: log in to AAD --> request an AAD token --> import the pbix file with the REST API using the AAD token as the credential

This is the code:

$(document).ready(function () {
    myMSALObj.loginPopup(requestObj).then(function (loginResponse) {
        acquireTokenPopup();
    });
    Msal.UserAgentApplication
});

function acquireTokenPopup() {
    myMSALObj.acquireTokenSilent(requestObj).then(function (tokenResponse) {
        AADToken = tokenResponse.accessToken;
        importPBIX(AADToken);
    });
}

function importPBIX(accessToken) {
    xmlHttp.open("GET", "./importPBIX?accessToken=" + accessToken + "&pbixTemplate=" + pbixTemplate, true);
    //the rest of import process//
}

So there are two questions:

  1. What kind of flow would it be if I use a service principal instead? In my head, and from the info which I read in the Microsoft document, it would be simpler, like: request a token using the application secret key --> import the pbix file with the REST API using the token. Is this correct?

  2. What kind of code can I use to do this in JavaScript? I think MSAL couldn't do a token request using a service principal. I would appreciate any info or tutorial for this.

bests,

  1. What kind of flow would it be if I use a service principal instead? In my head, and from the info which I read in the Microsoft document, it would be simpler, like: request a token using the application secret key --> import the pbix file with the REST API using the token. Is this correct?

According to my research, if you want to use the service principal to get an Azure AD access token, you can use the client credentials grant flow:

  1. The client application authenticates to the Azure AD token issuance endpoint and requests an access token.

  2. The Azure AD token issuance endpoint issues the access token.

  3. The access token is used to authenticate to the secured resource.

  4. Data from the secured resource is returned to the client application.

Regarding how to get the access token, please refer to the following steps:

  1. Register an Azure AD application

  2. Configure API permissions

  3. Get access token

POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<>
&client_secret=<>
&resource=https://analysis.windows.net/powerbi/api

  2. What kind of code can I use to do this in JavaScript? I think MSAL couldn't do a token request using a service principal. I would appreciate any info or tutorial for this.

If you want to implement the client credentials grant flow with an SDK, you can use adal-node. For more details, please refer to https://www.npmjs.com/package/adal-node.

For example

var AuthenticationContext = require('adal-node').AuthenticationContext;

var authorityHostUrl = 'https://login.microsoftonline.com'; // No trailing slash; the separator is added below.
var tenant = 'myTenant.onmicrosoft.com'; // AAD tenant name.
var authorityUrl = authorityHostUrl + '/' + tenant;
var applicationId = 'yourApplicationIdHere'; // Application Id of the app registered under AAD.
var clientSecret = 'yourAADIssuedClientSecretHere'; // Secret generated for the app. Read this from an environment variable.
var resource = 'https://analysis.windows.net/powerbi/api'; // URI that identifies the resource for which the token is valid (Power BI, as in the token request above).

var context = new AuthenticationContext(authorityUrl);

context.acquireTokenWithClientCredentials(resource, applicationId, clientSecret, function(err, tokenResponse) {
  if (err) {
    console.log('well that didn\'t work: ' + err.stack);
  } else {
    console.log(tokenResponse);
  }
});
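
The token request from step 3, as an added example (not part of the original answer and not code from any Microsoft SDK): a Node.js back-end helper that builds the same form-encoded POST, reuses the token until shortly before it expires, and sends it in an Authorization header instead of a URL query string. The `send` transport, the `PBI_CLIENT_SECRET` variable name and the sample tenant, client id and token values are assumptions made here so that it runs offline.

```javascript
// Added example: client credentials request for the v1 endpoint shown in the answer.
const POWER_BI_RESOURCE = 'https://analysis.windows.net/powerbi/api';

// Build POST https://login.microsoftonline.com/<tenant id>/oauth2/token, form-encoded.
function buildTokenRequest(tenantId, clientId, clientSecret) {
  // Reject anything that could change the path of the authority URL.
  if (!/^[0-9A-Za-z.-]+$/.test(tenantId)) throw new Error('invalid tenant id');
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    resource: POWER_BI_RESOURCE,
  });
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(), // URLSearchParams percent-encodes the secret
  };
}

// Returns getToken(), which reuses the token until 60 s before it expires.
// `send` is a hypothetical transport: (request) => Promise<parsed JSON response>.
function createTokenProvider(cfg, send, now = () => Date.now()) {
  let cached = null;
  return async function getToken() {
    if (cached && now() < cached.expiresAt - 60000) return cached.accessToken;
    const res = await send(buildTokenRequest(cfg.tenantId, cfg.clientId, cfg.clientSecret));
    if (res.error || !res.access_token) { // never echo the request (it holds the secret)
      throw new Error('token request failed: ' + (res.error || 'no access_token'));
    }
    cached = { accessToken: res.access_token, expiresAt: now() + Number(res.expires_in) * 1000 };
    return cached.accessToken;
  };
}

// The token travels in a header, so it stays out of URLs and access logs.
function authHeaders(accessToken) {
  return { Authorization: 'Bearer ' + accessToken };
}

// Constructed demo: a fake transport returning a constructed token response.
const demoSend = async () => ({ access_token: 'constructed-token', expires_in: '3599' });
const demoGetToken = createTokenProvider({
  tenantId: 'contoso.onmicrosoft.com', // constructed sample tenant
  clientId: 'constructed-app-id',
  clientSecret: process.env.PBI_CLIENT_SECRET || 'constructed-secret', // assumed variable name
}, demoSend);
demoGetToken().then((token) => console.log(authHeaders(token)));
```

This belongs on the server side only: a client secret placed in browser JavaScript is readable by every user of the page.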

Thanks to Jim's answer, I've tweaked my code a little bit and the token authentication process went smoothly. As my app uses JavaScript at the front end and Python as its back end, I decided to do the process in Python and used the Python msal library instead. The code is just like:

from msal import ConfidentialClientApplication

authority_host_uri = 'https://login.microsoftonline.com'
tenant = 'myTenantId'
authority_uri = authority_host_uri + '/' + tenant
client_id = 'myClientId'
client_secret = 'myClientSecretKey'
config = {"scope": ["https://analysis.windows.net/powerbi/api/.default"]}

# Client credentials flow: the app authenticates as itself, with no user sign-in.
app = ConfidentialClientApplication(client_id, client_credential=client_secret, authority=authority_uri)
# Returns a dict; on success the token is in token['access_token'].
token = app.acquire_token_for_client(scopes=config['scope'])

Once again, thanks to Jim for helping me on this one.

bests,
