Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90014]

Christy — Thu, 26 Apr 2018 15:04:37 GMT

Hello All;

I have been trying for a while to get an embedded solution to work, as a proof of concept. But I am struggling with the Http requests.

This is trying to follow the "App owns data" "example".

https://docs.microsoft.com/en-us/power-bi/developer/embed-sample-for-customers

I have created a Native application. I have given it the correct permissions, I used a global admin account, and I granted permissions within Azure Portal.

The following method works fine within PostMan (ie all the correct information is given). https://community.powerbi.com/t5/Developer/How-To-Get-embed-token-using-Get-Post-only/td-p/294475

However it fails when I try to call the first request (/oauth2/token) with Javascript. All parameters are identical, I have double and triple checked them.

My code is as follows:

getAccessToken(Password): string{
    const url = "https://login.windows.net/{tenantID}/oauth2/token";
    const headers = new HttpHeaders( {
        "Content-Type": "application/x-www-form-urlencoded"
    });
    const requestBody = {
        "grant_type": "password",
        "scope": "openid",
        "resource": "https://analysis.windows.net/powerbi/api",
        "client_id": this.getClientID(),
        "username": this.getUsername(),
        "password": Password
    }
    var accessTokenRequestReponse = this.httpClient.post(url, requestBody, {headers: headers}).subscribe(
        (reponse) => {
            console.log(reponse)
            console.log(reponse['access_token'])
        },
        (error) => {console.log(error)}
    )
    return("");
}

I have tried this endpoint with variations of the url, ie

https://login.windows.net/{tenantID}/oauth2/v2.0/token
https://login.windows.net/common/oauth2/v2.0/token
https://login.windows.net/{tenantID}/oauth2/token
https://login.windows.net/common/oauth2/token
https://login.microsoftonline.com/common/oauth2/token
https://login.microsoftonline.com/{tenantID}/oauth2/token

All of these are the same, they fail in JS, yet work in postman.

Initially the error was CORs. However I spun up a website on Azure, and put a build there and the issue persisted (ie not due to localhost). I had listed all urls (http:localhost:4200/powerBI and https://mywebsite.azure.net) in the redirect section of the azure native app. I also set the allow implicit flow to true, in the manifest.

I used the following chrome extension to allows CORs requests.

https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en

I found this on one of the posts on this forum, but I currently cant re-find it.

Once this is active to allow the CORs requests, I get a 400 (Bad request) error on my request.

I get the following information in the error:

error:"invalid_request"
error_codes:[90014]
error_description:"AADSTS90014: The request body must contain the following parameter: 'grant_type'.
↵Trace ID: c4ce24c7-{...}d00
↵Correlation ID: 21a2c8d0-{...}87
↵Timestamp: 2018-04-26 {...}"

When I examine this in the Network section of chrome, I find that the call has "grant_type" in it

Request Headers:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 260
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Origin: http://evil.com/ #Note this is from that chrome extenstion
Referer: http://localhost:4200/powerBI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Form Data:

{
  "grant_type":"password",
  "scope":"openid",
  "resource":"https://analysis.windows.net/powerbi/api",
  "client_id":"{clientID}",
  "username":"{username}@{tenant}.onmicrosoft.com",
  "password":"{password}",
  "tenant":"{tenant}.onmicrosoft.com"
}:

I believe this is meant to be the implicit flow

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant

but I cant find anything on the documentation page on this call, and the other pages all seem to revolve around redirecting the user to mircosoft login page, and then redirecting back to the application, which defeats the goal of the "App owns data" as I want to display to non powerBI users.

Apologies for the long post. And many thanks to anyone who read it/has any advice.

Kind Regards
Christy

Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90

v-micsh-msft — Sun, 29 Apr 2018 01:07:26 GMT

I will do some further research on this part.

There might be some time delay before I could response with any helpful points.

Regards,

Michael

Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90

Christy — Tue, 01 May 2018 10:29:24 GMT

Thank you.

Any help is greatly appreicated.

Regards
Christy

Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90

nuno1977 — Tue, 10 Jul 2018 08:00:09 GMT

Hi Christy,

Did you resolve your issue ?

Because we are stuck at the same point.

Many thanks for your help.

Nuno.

topic Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90 in Developer

Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90014]

Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90

Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90

Re: Embedded Javascript (angular4) unable to get bearer token from Http Post - Error: CORs/[AADSTS90