https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541098#M16758 <P>You will not be able to hide those elements because they muist be sent to the browser. The access token and embed url must be sent to the browser because of the core architecture of Power BI embedding which loads Power BI embedded resources&nbsp;using&nbsp;an iFrame.&nbsp; This is something that cannot be done using server-side code.&nbsp;</P><P>&nbsp;</P><P>If you are using third-party embedding (app-owns-data), then you should not be sending Azure AD access tokens back to the browser. Instead, you generate embed tokens using the Power BI Service which are far ore constrained because any embed token only works with a single&nbsp;report or dashboard. Compare that to an Azure AD access token which gives a potential&nbsp;attacker&nbsp;a much broader set permissions across the Power BI environment.</P> Fri, 12 Oct 2018 17:36:36 GMT TedPattison 2018-10-12T17:36:36Z https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/539974#M16713 <P>I am using PowerBI Embeded application and it is working fine. I am using Power BI JavaScript library to embed Power BI content. But this eposes security concern as accessToken ,&nbsp;<SPAN>embedUrl ,&nbsp;embedReportId are exposed.&nbsp; Is their any way i can bypass / secure this content&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks in advance.</SPAN></P> Thu, 11 Oct 2018 14:23:32 GMT https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/539974#M16713 sureshrm 2018-10-11T14:23:32Z https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/539761#M16714 <P>Hi All,</P><P>&nbsp;</P><P>I am working on an Application to embed PowerBI reports using App only data. The soultion is working fine and able to render the report. Now the problem is if i select View Source poperty then i can see powerbi javascript code whch exposes some of the key values like&nbsp;embedUrl,&nbsp;embedReportId and&nbsp;accessToken. This is a security risk . How can i pervent this ? Any help would be deeply appriciated.</P> Thu, 11 Oct 2018 11:25:55 GMT https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/539761#M16714 sureshrm 2018-10-11T11:25:55Z https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541098#M16758 <P>You will not be able to hide those elements because they muist be sent to the browser. The access token and embed url must be sent to the browser because of the core architecture of Power BI embedding which loads Power BI embedded resources&nbsp;using&nbsp;an iFrame.&nbsp; This is something that cannot be done using server-side code.&nbsp;</P><P>&nbsp;</P><P>If you are using third-party embedding (app-owns-data), then you should not be sending Azure AD access tokens back to the browser. Instead, you generate embed tokens using the Power BI Service which are far ore constrained because any embed token only works with a single&nbsp;report or dashboard. Compare that to an Azure AD access token which gives a potential&nbsp;attacker&nbsp;a much broader set permissions across the Power BI environment.</P> Fri, 12 Oct 2018 17:36:36 GMT https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541098#M16758 TedPattison 2018-10-12T17:36:36Z https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541435#M16796 <P>Thanks for the suggestions.&nbsp;</P><P>&nbsp;</P><P>Just to make sure i define my requirement correct [ My requirement&nbsp;is app own data]</P><P>1) Used the sample MVC app provided by Microsoft .&nbsp;</P><P>2) Customized to my requirement . Kept embed token generation logic and removed rest all</P><P>3) Use all the scripts&nbsp;provided&nbsp;inside sample application.</P><P>&nbsp;</P><P>On&nbsp;execution of&nbsp;application i am getting report embed&nbsp;with view source is showing values of&nbsp;</P><P>1) ReportID</P><P>2) AccessToken [ Actually it is embed token . In script the variable name is access token]</P><P>3) EmbedURL&nbsp;</P><P>&nbsp;</P><P>If&nbsp;&nbsp;i get your suggestions&nbsp;correctly then&nbsp;</P><P>1) These values are must for browser and they are part of&nbsp;PowerBI Embed architecture</P><P>2)&nbsp;The exposed values combination [ReprotID , AccessToken, EmbedURL] are for one specific report . So if i change the values of ReportID or&nbsp;EmbedURL then&nbsp;it&nbsp; wont wok .</P><P>3)&nbsp;Is it possible to set the life time of embedURL to 'N' minutes&nbsp;? So that user will be forced to use new token.&nbsp;</P><P>&nbsp;</P><P>Also you had suggested&nbsp;to generate&nbsp;<SPAN>generate embed tokens using the Power BI Service&nbsp;. I am not sure what you meant by this . In my application&nbsp;i am using PowerBI REST API. If i am missing any then can you help me with some pointer / link&nbsp;</SPAN></P><P>&nbsp;</P><P>Thanks a lot once again.</P> Sat, 13 Oct 2018 17:50:00 GMT https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541435#M16796 sureshrm 2018-10-13T17:50:00Z https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541441#M16797 <P>First of all, we are talking about the same thing using different names. The "thing" is the API endpoint at&nbsp;<A href="https://api.powerbi.com/v1.0/" target="_blank">https://api.powerbi.com/v1.0/</A>. Here are the different names people use for this</P><OL><LI>Power BI REST API</LI><LI>Power BI API</LI><LI>Power BI Service API (the one I like)</LI></OL><P>&nbsp;</P><P>Just to confirm&nbsp;these values are must for browser and they are part of&nbsp;PowerBI Embed architecture</P><P>YES</P><P>&nbsp;</P><P>The exposed values combination [ReprotID , AccessToken, EmbedURL] are for one specific report . So if i change the values of ReportID or&nbsp;EmbedURL then&nbsp;it&nbsp; wont wok .</P><P>YES, as long as they are embed tokens and not Azure AD access tokens.</P><P>&nbsp;</P><P>Is it possible to set the life time of embedURL to 'N' minutes&nbsp;? So that user will be forced to use new token.&nbsp;</P><P>NO, the embedUrl points to a resource. It's the embed token that provides access to the resource. The Power BI&nbsp;embed token lifetime is about 60 minutes but I do not think that is something you could change.&nbsp;</P> Sat, 13 Oct 2018 19:09:19 GMT https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541441#M16797 TedPattison 2018-10-13T19:09:19Z https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541445#M16798 <P>Hi Ted</P><P>&nbsp;</P><P>Thanks for the swift reply.&nbsp;</P><P>&nbsp;</P><P>THanks,</P><P>Suresh RM&nbsp;</P> Sat, 13 Oct 2018 19:36:21 GMT https://community.fabric.microsoft.com/t5/Developer/How-to-bypass-Power-BI-JavaScript-Library-to-embed-Power-BI/m-p/541445#M16798 sureshrm 2018-10-13T19:36:21Z