Can't get client-credentials access token to authorize Power BI

Asked 1/9, 2015 at 22:30 Answered 6/10, 2015 at 22:9

I'm trying to use the Power BI REST API, using an access token acquired with the "client credentials" method, but I keep getting 403 Forbidden on my requests.

My code follows the pattern demonstrated in this AzureAD sample. In fact, to isolate this problem, I'm running that sample code (with my own values in the parameters.json, of course):

{ 
  expiresIn: 3599,
  tokenType: 'Bearer',
  expiresOn: Tue Sep 01 2015 16:56:07 GMT-0500 (CDT),
  resource: '00000002-0000-0000-c000-000000000000',
  accessToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ',
  isMRRT: true,
  _clientId: '[snip]',
  _authority: 'https://login.windows.net/[snip]' 
}

When I use that access token in a curl request, as follows, I get a 403:

curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ"

Wondering if that curl request was flawed somehow, I snooped out an access token “the wrong way” via browser webtools, and the above works fine, returning a 200 and a JSON response listing my datasets.

I did also notice that the return code is 403 (forbidden), not 401 (unauthorized), so I wondered if the authorization was okay but the permissions on the Power BI side were wrong. But I also get 403 when I use any garbage text for the access token (e.g., Authorization: Bearer foo), so I discarded that theory.

So. I think I have a valid test, and I’m getting what I think is a valid access token (from that client-credentials-sample.js code), but it’s still not working. What am I missing?

Bazluke answered 1/9, 2015 at 22:30 Comment(2)

Send me your code and I'll debug it for you bit.ly/emailjon. I'm on the power bi team. – Jeth 4/10, 2015 at 22:51

This is ridiculous. It's the most hassle to use a REST Api I've ever seen. Normally its a couple clicks to get a key or token and within minutes you can get results via postman. Why can't the PBI team put up a simple web page to automate enabling the api and generate sample calls based on real account credentials like so many others do? – Molybdenous 25/3, 2017 at 21:31

With the assistance of some Microsoft folks (thanks, Jon Gallant & Josh Caplan), I've learned that authenticating with an OAuth client-credentials flow, as I was doing with that JavaScript sample, provides insufficient access. To use Power BI, authentication needs to be based on a particular user.

I tried using:

the similar JavaScript sample username-password-sample.js
a resource value of https://analysis.windows.net/powerbi/api (thanks, slugslog)
adding username and password to the parameters.json

That got me closer, but I was still getting a 400 response: "error_description":"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'. …".

A hack to the adal-node library (hardcoding the client secret, i.e., oauthParameters[OAuth2Parameters.CLIENT_SECRET] = "my-client-secret"; after line 217 of token-request.js) was enough to get back an access token which works in the Authorization header for my original curl call.

Of course hardcoding that value in there isn't my final solution. I don't plan to use the adal-node library, anyway. But as far as this proof-of-concept for this authentication case goes, that's the answer I came to.

Bazluke answered 6/10, 2015 at 22:9 Comment(3)

@Bazluke Did you ever get another solution for this? I mean, is there another library that gives out the correct access token? – Amil 18/1, 2017 at 6:31

@VishwasShashidhar No, I never did. We wound up coding our own methods to get and use the access tokens. – Bazluke 20/1, 2017 at 1:15

@Bazluke Well, that's a shame! But, thanks anyway! Looks like I'll have to clone the repo and modify code. – Amil 20/1, 2017 at 6:21

Make sure that your app that you registered with AAD has the read write all datasets permission. That should solve the problem.

Anson answered 2/9, 2015 at 3:8 Comment(4)

Looking in Azure Active Directory, on the "Configure" tab for this "Application", under "permissions to other applications" there is "Power BI Service". It shows "Application Permissions: 0" (that arrow doesn't pop anything up to change), and "Delegated Permissions: 7" (that dropdown shows all boxes checked, including "Read and Write all Datasets (preview)"). That's what was already set before the above tests; I haven't changed anything yet. Am I looking in the right place? – Bazluke 2/9, 2015 at 15:30

I have cracked open the token that you had in the example above. I don't see those permissions in it. The first thing to check is that you are using the same app ID as the one that you were checking in AAD. If so, is this a web app or a native app? – Anson 3/9, 2015 at 0:41

Hmm, I'm not sure what "app ID" is? Where do I find that in Azure and/or set it on the client side? I did match my lookup on the clientId, that's the same. And this is a web app. At least, it's trying to be. :-) – Bazluke 3/9, 2015 at 11:54

Yep. Client ID is the same. Please try this: go to portal.office.com/myapps. Find you app and remove it. Then try running your app again. It should ask you to consent again. – Anson 3/9, 2015 at 15:42

This is not an answer but one step forward in the debug process. I think the resource for which the token is requested should be "https://analysis.windows.net/powerbi/api". I've seen these in multiple references; one of them is linked below. Even after changing this, I still get a 403. As the OP mentioned if we use the accessToken from the powerBI portal, everything works.

Halo answered 30/9, 2015 at 10:45 Comment(2)

I get "server not found" when I try to access analysis.windows.net in any way. Also not clear on where you're suggesting that URL would be used. As the "authority host URL" (as here? Or as the target for the actual BI request (as in my original curl example)? – Bazluke 1/10, 2015 at 16:18

that should be the value of the "resource" property that you are requesting the token for. Here's a nodejs sample I'm working with. This is in place of the value '00000009-0000-0000-c000-000000000000' that you are currently using. – Halo 2/10, 2015 at 11:3

So I tried this with my own app, the following command works (for me):

curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer ey....qqqq"

BTW, the extra "v" after -v seems redundant.

So what I can conclude is that your application is missing the required permissions to call Power BI's APIs.

One thing you might try is grab one of our samples, create a new application in AAD for it, and then see if the authorization token works for it. Here's a good one to try: https://github.com/PowerBI/Integrate-a-tile-into-an-app

Yclept answered 2/10, 2015 at 13:58 Comment(1)

Yep, you're right about my -vv. Somewhere along the line I thought curl was one of those commands that increases verbosity with more vs, but nope. – Bazluke 6/10, 2015 at 22:20

Recommended topics

Hot tags