https://community.fabric.microsoft.com/t5/Developer/Power-BI-Rest-API-and-HTTPS/m-p/291744#M8575 <P>Hi,</P><P>I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.<BR />Following scenario:<BR />I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.<BR />I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.</P><P>Can anybody confirm that the access token can not be captured?<BR />Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)</P><P>Thanks in advance,<BR />Marco</P> Fri, 27 Oct 2017 16:08:03 GMT mwotruba 2017-10-27T16:08:03Z https://community.fabric.microsoft.com/t5/Developer/Power-BI-Rest-API-and-HTTPS/m-p/291744#M8575 <P>Hi,</P><P>I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.<BR />Following scenario:<BR />I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.<BR />I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.</P><P>Can anybody confirm that the access token can not be captured?<BR />Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)</P><P>Thanks in advance,<BR />Marco</P> Fri, 27 Oct 2017 16:08:03 GMT https://community.fabric.microsoft.com/t5/Developer/Power-BI-Rest-API-and-HTTPS/m-p/291744#M8575 mwotruba 2017-10-27T16:08:03Z https://community.fabric.microsoft.com/t5/Developer/Power-BI-Rest-API-and-HTTPS/m-p/292345#M8589 <BLOCKQUOTE><HR /><a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/24526">@mwotruba</a> wrote:<BR /> <P>Hi,</P> <P>I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.<BR />Following scenario:<BR />I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.<BR />I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.</P> <P>Can anybody confirm that the access token can not be captured?<BR />Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)</P> <P>Thanks in advance,<BR />Marco</P> <HR /></BLOCKQUOTE> <P><a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/24526">@mwotruba</a></P> <P>I'm not an expert on network, however it seems that the <A href="https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server" target="_self">HTTPS already can prevent man in the middle attacks</A>. There was risk because Power BI used to use the accesstoken for embedding service and the accesstoken was a plaintext in the embedding web page. Now <A href="https://msdn.microsoft.com/en-us/library/mt784614.aspx" target="_self">Embedded token</A> has been applied, which is limited to specific report/dashboard with view/edit permissions. The risk has been reduced to the minimum in my opinion.</P> Mon, 30 Oct 2017 07:04:23 GMT https://community.fabric.microsoft.com/t5/Developer/Power-BI-Rest-API-and-HTTPS/m-p/292345#M8589 Eric_Zhang 2017-10-30T07:04:23Z