topic Re: PowerBIClient Forbidden issue in Developer

PowerBIClient Forbidden issue

emotix — Tue, 05 Sep 2017 19:15:42 GMT

Hi all,

We're investigating the user of Power BI embedded for our SaaS app. In our scenario, we own the data and our end users would be utilizing the reports as non-power-bi users.

I've been struggling for a few days now to craft a working sample. Some samples I've found are no longer working or are for the old power bi azure implementation that's led to dead ends; however, I've gotten to the point where I'm very close to simply embedding a report in our Power BI setup.

Below is a simple console app I've come up with, many parts are from various documentation articles. The token is obtained fine, but when the request is submitted, I recieve HttpOperationException: Operation returned an invalid status code 'Forbidden'

private static string clientId = "----";
private static string secretKey = "----";
private static string groupId = "----";

        static void Main(string[] args)
        {
            string resourceUri = "https://analysis.windows.net/powerbi/api";

            string authorityUri = "https://login.windows.net/common/oauth2/authorize";

            ClientCredential credential = new ClientCredential(clientId, secretKey);
            AuthenticationContext authContext = new AuthenticationContext(authorityUri);

            string token = authContext.AcquireTokenAsync(resourceUri, credential).Result.AccessToken;

            var tokenCredentials = new TokenCredentials(token, "Bearer");

            using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), tokenCredentials))
            {
                var reports = client.Reports.GetReportsInGroupWithHttpMessagesAsync(groupId);

                var faulted = reports.IsFaulted;

                // Here's where the exception is thrown
                var report = reports.Result.Body.Value;
            }
        }

Any ideas why?

Here's what we've validated/tried:

The AD User we've created the app under is not the global admin as recommended.
The user is a power bi pro user (trial).
The required permissions (Windows Azure Active Directory/Power BI Service) have been granted (we've checked off all to ensure we're not missing anything).
We've validated/confirmed the client ID, secret key and group id many times.
The Power BI workspace is private, but we've tried making a public one to be sure it doesn't matter.

Thank you in advance!

Re: PowerBIClient Forbidden issue

emotix — Thu, 07 Sep 2017 18:20:04 GMT

Small update:

The token we obtain is correct. We've confirmed the token used at powerbi.com matches the token we obtain for use in the API example above while observing the requests.

Fiddler isn't of much help with the sample app from the first post, the raw request output is below:

HTTP/1.1 403 Forbidden
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: deny
X-Content-Type-Options: nosniff
RequestId: 1bcbd00c-e552-46f6-9d8e-81acd7534710
Date: Thu, 07 Sep 2017 18:18:39 GMT

Any help is much appreciated.

Re: PowerBIClient Forbidden issue

noyesrichey — Wed, 11 Oct 2017 19:40:57 GMT

Did you ever find a resolution for this? I am encountering the same issue. Please let me know.

Re: PowerBIClient Forbidden issue

noyesrichey — Wed, 11 Oct 2017 19:43:01 GMT

Did you ever find a resolution for this? I am encountering the same issue. Please let me know.

Re: PowerBIClient Forbidden issue

jamesyoung — Thu, 12 Oct 2017 00:16:40 GMT

You are mixing the directions for user versus app authentication. If you plan on the users not having accounts you don't need to pass in or use a clientID and SecretKey. Here is a code example. You will just need a username, password and clientID to login. If you want to opena report and/or dashboard you also need a workspace guid. Let me know if you have any questions.

     var credential = new UserPasswordCredential(Username, Password);

            // Authenticate using created credentials
            var authenticationContext = new AuthenticationContext(AuthorityUrl);
            var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

            if (authenticationResult == null)
            {
                return View(new EmbedConfig()
                {
                    ErrorMessage = "Authentication Failed."
                });
            }

            var tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");

            // Create a Power BI Client object. It will be used to call Power BI APIs.
            using (var client = new PowerBIClient(new Uri(ApiUrl), tokenCredentials))
            {
                // Get a list of reports.
                var reports = await client.Reports.GetReportsInGroupAsync(GroupId);

                // Get the first report in the group.
                var report = reports.Value.FirstOrDefault();

Re: PowerBIClient Forbidden issue

Junilo — Mon, 13 Nov 2017 04:04:27 GMT

@jamesyoung I tried your snippet below and getting this exception:

AdalException: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: 030b56e4-a488-406d-becc-742e836c1800\r\nCorrelation ID: fb6c997d-5324-4255-ab36-53743bd29c95\r\nTimestamp: 2017-11-13 03:59:19Z","error_codes":[70002],"timestamp":"2017-11-13 03:59:19Z","trace_id":"030b56e4-a488-406d-becc-742e836c1800","correlation_id":"fb6c997d-5324-4255-ab36-53743bd29c95"}: Unknown error

Here's what I tried:

static async void GetEmbedToken()
        {

// took out actual values for these

var aadUserEmail="";
var aadPassword = "";
var groupId = "";
var clientId = "";

            var credential = new UserPasswordCredential(aadUserEmail, aadPassword);

            // Authenticate using created credentials
            var authenticationContext = new AuthenticationContext("https://login.windows.net/common/oauth2/authorize/");
            var authenticationResult = await authenticationContext.AcquireTokenAsync("https://analysis.windows.net/powerbi/api", clientId, credential);

            if (authenticationResult != null)
            {
                var tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");

                // Create a Power BI Client object. It will be used to call Power BI APIs.
                using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), tokenCredentials))
                {
                    // Get a list of reports.

                    var reports = await client.Reports.GetReportsInGroupAsync(groupId);

                    // Get the first report in the group.
                    var report = reports.Value.FirstOrDefault();
                }
            }
        }

Re: PowerBIClient Forbidden issue

jamesyoung — Mon, 13 Nov 2017 05:10:40 GMT

@Junilo

Are you trying to use the App method or the User method to login? The user method just reuqires you have an account in Power BI and only allows users with Power BI accounts to access the report/dashboard. The APP login method allows you to share your reports/dashboards with users who do not have a Power BI account but requires setup in Azure.

Jim

Re: PowerBIClient Forbidden issue

Junilo — Mon, 13 Nov 2017 05:28:10 GMT

@Jim, I am taking the App Owns Data approach. I have setup app in Azure AD and set permissions. I have created an app workdpace with 1 Power BI Pro user. I already have groupId and a dashboardId. Stuck on that 'Forbidden' exception when trying to generate Embed Token. My Azure AD app is a web-app one. I have read somewhere I need to setup native one?

Re: PowerBIClient Forbidden issue

jamesyoung — Mon, 13 Nov 2017 05:47:58 GMT

@Junilo

It's probably a client ID issue. What line of code is it failing?

Re: PowerBIClient Forbidden issue

Yaostha — Mon, 13 Nov 2017 06:58:44 GMT

Hi,

Even i am facing the same issue.

My setup is similar to @Junilo's setup.

I have registered my Web App in Azure and noted the ClientID and Client Secret.

I am not passing any user name and password so we are not using User Login authentication.

I have pro license trial in powerBI and I have access to many dashboards.

When we do App authentication, the app must have access to Dashboard or Workspace?

Regards,

Yasotha

Re: PowerBIClient Forbidden issue

Junilo — Mon, 13 Nov 2017 07:25:20 GMT

From my first post, it is failing at AcquireTokenAsync where it says:

AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'

Re: PowerBIClient Forbidden issue

Yaostha — Mon, 13 Nov 2017 11:21:44 GMT

Same for me if I try to run the App Owns Data sample

Re: PowerBIClient Forbidden issue

Junilo — Mon, 13 Nov 2017 11:26:37 GMT

@Yaostha and everyone having same issue, I have fixed mine. The key is to register the Azure AD app as a "Native" app, not "Server-side..."

See my post here: http://community.powerbi.com/t5/Developer/Obtain-Access-Token-C-App-Owns-Data-Error/m-p/301881#M8884

Re: PowerBIClient Forbidden issue

paulsincai — Mon, 28 Jan 2019 15:13:25 GMT

Everything works fine when authenticating using user + pass but when I'm trying the auth using client secret I get the "unauthorized" message. Hints?

Thx,

Paul