can i generate a powerbi embed token from my application if i have 2fa turned on?
I don't see anything about this in their documentation.
Can I generate a 1 time perm. embed token without code?
you must turn off 2fa to get pbi access token via code when using master user (because it's just a background user authenticating to power bi - not the real user who logged in - and therefore there is no opportunity for interaction (prompt to enter pw from text)
give the master user very little permissions in general, since it's a little less secure way of doing things. and store credentials in azure key vault not in some config file.
can test it out here: https://learn.microsoft.com/en-us/rest/api/power-bi/embed-token/reports-generate-token-in-group#code-try-0.
parameters: reportId and groupId . Body:
{"accessLevel" : "View", "allowSaveAs" : "false", "datasetId" :"some id, but doesn't matter unless you create report", "identities":[], "lifetimeInMinutes" : 1000000000}
-- here it doesn't matter if 2fa is on or off obviously
Related
I have a React app where I'm embedding a PowerBI service report with user-owns-data (aka embed-for-organization) method with the help of powerbi-client-React library. like follow.
<PowerBIEmbed
embedConfig = {{
type: "report", // Supported types: report, dashboard, tile, visual and qna
id: "281839f6-4971-4ad3rtt",
tokenType: models.TokenType.Aad
accessToken : "938orie90rekjd-9393"
....some more properties here....
/>
where, models object is imported from powerbi-client library, and <PowerBiEmbed/> from 'powerbi-client-react (dependency).
Currently to get that 'azure ad access token' what I'm doing is-
Signing into my PowerBI account
Going to the browser console, and doing copy(powerbiaccesstoken) and I get my token.
I go into my code and paste it there.
So, now the report is embedded in my React app for at least 1 hour, because that token is only valid for one hour. Thereafter it shows a prompt for the user to sign in with their PowerBI credentials.
Now I have to sign into my PowerBI account again, copy the AAD token, and paste it into my code.
I have a dedicated PowerBI Pro account whose credentials can be used in creating access tokens.
Is there a way for me to do this without copying the token repeatedly? And some JavaScript code on either front-end or back-end do this for me before the access token really expires?
And some javascript code on either front-end or backend do this for me before the access token really expires?
Yes. This must be done from the back-end, as you can't expose the master user credentials to the client. Follow the docs here to get the access token for your master user, and create the embed token from a back-end service.
We are using PowerBi and would like to embed a report in another system.
We have set up everything so far and can display the reports with a service principal for several users.
However, we only want the users to see their own records, so we have created roles that only display a few records based on the username. This works well in the PowerBi Desktop 'view as'. But when we request the embed token from the other system, we get a 400 response code back.
I have read the following(https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls):
Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.
Can I then achieve my goal at all, that a large group of users can view a report and only see their own data? Or is that only possible if I create a separate account for each user?
My report without roles can be embedded. That works.
Then I added a role to my report. Role is Owner and DAX is [Owner__c] = USERNAME()
And adjusted the body of the API from:
{
"accessLevel": "View",
"datasetId": "8d72284e-f104-4213-9376-606397b2f838"
}
to
{
"accessLevel": "View",
"allowSaveAs": "false",
"identities": [{
"username": "0015p00005ZSE7wAAH",
"reports": ["7fa1badb-ccb3-45b8-84cb-15e5b2018efa"],
"roles": ["Owner"],
"datasets": ["8d72284e-f104-4213-9376-606397b2f838"]
}]
}
This is a my datatable
Did I miss a point?
Do I need to add someone(who?) to this the role under dataset security?
Why is USERPRINCIPALNAME() or USERNAME() not the id, which I defined in the request body?
As soon as I add a role to my report(Dax:[Owner__c] = TRUE) or ([Owner__c] = USERNAME() or even hardcoded [Owner__c]='0015p00005ZSE7wAAH') I get a status code 400
The Service Prinicpal is not the "effective identity". The Service Principal generates the embed token, and the embed token specifies the effective identity of the user, which can be an arbitrary string that you use in your RLS filters.
With Row Level Security (RLS), you can choose to use a different
identity than the identity of the service principal or master user
you're generating the token with. Using this option, you can display
embedded information according to the user you're targeting. For
example, in your application you can ask users to sign in, and then
display a report that only contains sales information if the signed in
user is a sales employee.
Generate Embed Token - Row Level Security
See also
Row-level security with Power BI Embedded
After adding the Content-Type => application/json it worked.
We are developing a web application in AWS which stores its users in Cognito. As part of this, we are required to have an integration with an existing desktop application, where the administrator of a client can create a read-only user for the website for data sent from the desktop app.
Because of this read-only user requirement, there has to be a user associated with the authentication for each instance of the desktop app installation. This is no problem, as we are happy that all local users of the desktop application have their data logged to the same place in the web application. The tricky part is that we are not able to have the username and password as common knowledge for the end-users of the desktop app.
It has been suggested that we could use token-based access to allow the desktop app to access our API, but these are all time limited and we would not be able to have the user re-authenticate each day. However, another suggestion is to create our own "key" which contains the username and password of the Cognito user in such a way that the application will be able to use it, such as encrypting the username and password with the decryption key available to the desktop app so that it can authenticate as that user itself without the end users having access to the account details.
I would like to know if there is currently any best practice way of handling a requirement like this that is better than what we currently have available.
To summarise:
We have an AWS API with Cognito Authentication
We have a desktop application which needs to access the API
We cannot have users know the details of the account being used to access the API
We need a way to provide a key that will allow the desktop application to authenticate itself against the API in such a way that the token will not need to be refreshed over time
Thanks for any help.
Unfortunately this requirement:
"We need a way to provide a key that will allow the desktop application to authenticate itself against the API in such a way that the token will not need to be refreshed over time"
is not going to be possible with Cognito. Assuming you are using Cognito user pools, the id and access tokens obtained on authentication are only valid for 1 hour, then they have to be refreshed using the refresh token. The refresh token can be configured to be valid for a really long time (years even) so you could setup a flow where:
The app authenticates itself against Cognito once
Gets a refresh token that is valid for a really long time
Throws away the original encrypted username/password
Uses the refresh token to get a new id/access token every hour
You would have to store the refresh token on the client somewhere though. And probably have a support mechanism where this process could be restarted on the client in case the refresh token is lost.
If you are using Cognito user pools, you are going to have to do token refreshes. Same is true if you are using Cognito identity pools - the AWS credentials provided by the identity pool are only valid for 1 hour, then they have to be refreshed.
I need to access Facebook API to retrieve ads stats. All my requests will be handled on server side. I already know how to access those data by obtaining User Access Token with ads_read permission, where user has admin role in the ad account.
My application will use cron jobs to retrieve ads stats, so I would like to use App Access Token instead, because user won't need to authenticate with the dialog, right? I assigned application to the business, but it doesn't seem to work. After trying to get ads stats with App Access Token, I'm getting following error:
{
"error": {
"message": "The entity backed by id 1234567890123 cannot be seen
by the viewer with (ViewerID 0, AccountID 0):
DENY_RULE:InlinePrivacyPolicy:AlwaysDenyRule:4
(EntID: 1234567890123)",
"type": "OAuthException",
"code": 1
}
}
The application is assigned to the business, but I'm not sure if it's enough. I don't see any option to assign it to the ads account.
Am I doing it right or maybe there's another way to skip dialog part?
No, you need to use a user access token from a user who manages the ad account.
App access tokens are only useful for a narrow range of use cases, primarily for updating app settings or proving a call came from the app specifically, rather than an arbitrary user of the app
My app got white-listed for using the Ads API.
I was wondering in regarding to the authentication flow.
Say, that I need to retrieve and execute actions via the API on daily tasks ( with no user interaction) , I find the authentication process quite cumbersome.
Is there a way to work with my app access token instead of a user access token?
I want to be able to approve my app only once for each user and then to be able to work with no user interaction.
Can I achieve this?
App access token is not relevant for this case.
I had to work with the user access token.
I followed this doc: https://developers.facebook.com/docs/reference/ads-api/
Eventually , one should use some client side code in order to get a user permissions and then make another request for getting the user token.
So you'll have to call
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=ads_management,offline_access&response_type=code
Get the authentication code and make another call:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=AUTHORIZATION_CODE
Then you'll get an access token which is valid only for two months, in opposed to what Facebook docs says in here:
https://developers.facebook.com/roadmap/offline-access-removal/
"Ads APIs are special cased to allow collection of statistics offline. PMD partners should use server-side OAuth flow in order to receive a non-expiring token rather than a token that has longer expiration time."
Too bad that the access token is not really valid forever...
According to "Exception 4" in this document , if you have Ads API access you should be able to get a non-expiring token if you use the correct workflow. Following the guidelines outlined here, if you use the server side OAuth flow, to make the following request you should get a non-expiring token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
thx for the feedback regarding the Access token process being cumbersome. Because this is a one to many solution - a single App ID can manage multiple ad accounts, on behalf of multiple people - we need to make calls on behalf of people.
You should be able to get a persistent access token for Ads API. If you are not getting it, please provide exact steps you are following so we can see if there is a bug or you might be missing a step.
Thx.