Login/Register
Client-credentials don't work for powerBI REST API
Asked Answered
pythonrestauthenticationadalpowerbi
W

1

2

I'm trying to implement the daemon authentication flow. The following post request returns me an access token with the right scope:

p_url = 'https://login.microsoftonline.com/' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' + '/oauth2/token'
data = { 'grant_type':'client_credentials',
         'client_id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
         'client_secret': 'L------------------------------------------=',
         'resource':'https://analysis.windows.net/powerbi/api' }
r = requests.post(url=p_url, data=data)

I receive the following response

{
  "access_token" : "ey------------"
  "expires_on" : "1454857253",
  "not_before" : "1454853353",
  "expires_in" : "3600",
  "token_type" : "Bearer",
  "scope" : "Dashboard.Read.All Data.Alter_Any Dataset.Read.All Dataset.ReadWrite.All Report.Read.All",
  "resource" : "https://analysis.windows.net/powerbi/api"
}

response = json.loads(r.text)
token = response['access_token']
headers = { 'Authorization': 'Bearer ' + token }
response = requests.get('https://api.powerbi.com/v1.0/myorg/datasets', headers=headers)

I use the endpoint from the applications "view endpoints" page. However, when I attempt to get list of "datasets" I always receive 403. What might be missing from the acquire token process?

Windmill answered 7/2, 2016 at 14:15 Comment(7)
Not sure what's happening. Could you try to register a new client app just to make sure the app is correctly configured. You can register you app here: dev.powerbi.com/apps?type=nativeEpistyle
Hi Lukasz, not only did I create a new application, I also created a new Azure AD tenant under my personal account with a trial PowerBI Pro subscription. I ended up with the same result. Matthias Leibmann states that "application permissions" must be used rather than "delegated permissions" because this is client credential flow. However Azure AD does not allow defining "application permissions" for PowerBI.Windmill
hello, did you solved this client_credentials with powerbi, please?Hargis
Also curious if anyone has solved thisSugihara
No. Unfortunately I have not received any explanation from Microsoft support teams yet (I had opened a ticket through our paid account). I opted for user based flow where I have to store user's password in cleartext.Windmill
You have to show some code. Did you include access token in a right way in rest call far datasets?Toms
Hi Andrew, the code is embarrasingly simple. I added thre rest of it.Windmill
T
-1

Your flow is a bit short. REST call for datasets seems OK, but as far as I know, you have to request the access token by authorization code, not client credentials alone.

1) Get authorization code

Depends on your flow, for website it will be received during logon process or call to /oauth2/authorize with { 'response_type':'code }

2) Get access token

With authorization code in a variable, you have to modify your request to include to authorization code, like this (grant_type and code fields are altered):

p_url = 'https://login.microsoftonline.com/' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' + '/oauth2/token'
data = { 'grant_type':'authorization_code',
     'client_id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
     'client_secret': 'L------------------------------------------=',
     'code': authorizationCodeForSingedInUser,
     'resource':'https://analysis.windows.net/powerbi/api' }
r = requests.post(url=p_url, data=data)

Basically saying, you have to have a user account that accesses the Power BI resource. Your website (clientid + secret) are not authorized by itself. There must be a user involved.

What's more, afaik only "organization account" users can access power bi.

To be explicit and underline the main cause in this thread, post and comments: Power BI REST API can only be used via User with credentials with Organizational Account and be already signed in (activated) Power BI on Power BI portal. You can check if REST Api will work by checking if this user is able to use Power BI portal manually.

Toms answered 18/2, 2016 at 7:35 Comment(3)
Andrew, check out Azure AD Daemon or Server Application to Web API flow as well as Service to Service Calls Using Client CredentialsWindmill
@Windmill - Power BI is specific, afaik it doesn't allow service-to-service calls without user (account) credentials. Refer to: powerbi.microsoft.com/en-us/documentation/…Toms
I think the answer, which confirms your explanation, is in this stackoverflow thread. The first time I read it I assumed it was another flow but I believe it is the same thing. If no UI interaction is desired we have to use actual username/password for service-to-service calls.Windmill

© 2022 - 2024 — McMap. All rights reserved.