topic Re: Embedding without hard-coding master credentials (app owns data) in Developer

Embedding without hard-coding master credentials (app owns data)

MaxW — Sun, 05 Nov 2017 20:20:40 GMT

Hi,

I've got Power BI Embedded capacity and trying to follow the instructions for the ISV 'app owns data' scenario to get reports into our web app.

We've hit a bit of a roadblock as it appears there is a requirement for the master credentials to be hard coded within the application. Is this the case? It seems very insecure, there must be a way to authenticate using an access token? We are also struggling to use the samples and API's as they are all .net and our web application is Java.

from https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-embedding-content/:

"If you are embedding content for your customers, you will store the credentials for the master account within your application"

Re: Embedding without hard-coding master credentials (app owns data)

Eric_Zhang — Mon, 06 Nov 2017 08:49:02 GMT

@MaxW wrote:

Hi,

I've got Power BI Embedded capacity and trying to follow the instructions for the ISV 'app owns data' scenario to get reports into our web app.

We've hit a bit of a roadblock as it appears there is a requirement for the master credentials to be hard coded within the application. Is this the case? It seems very insecure, there must be a way to authenticate using an access token? We are also struggling to use the samples and API's as they are all .net and our web application is Java.

from https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-embedding-content/:

"If you are embedding content for your customers, you will store the credentials for the master account within your application"

@MaxW

AFAIK, yes, the master credential has to be hard coded in your application. The way Power BI authenticates is using an access token which is generated with the master credential. If you have concern about the credential security, you could apply some encrypt and decrypt functions in your application instead of hard code the credential as plain text.

In Java, instead of the SDK in .Net, you can reference the Power BI REST APIs and some other Azure AD authentication REST APIs.

eg, you could get the access token with below POST API.

POST /common/oauth2/token HTTP/1.1
Host: login.windows.net 
Content-Type: application/x-www-form-urlencoded

client_id={client id}&grant_type=password&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&username={your master account}&password={your account password}

With the access token, you can call Get Reports to get reportId&EmbedUrl and GenerateToken to get Embed token for specific reports.

As to embedding, use Power BI Javascript API. See a demo in a static HTML.

<html>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.js"></script>
<script src="powerbi.js"></script>

<script type="text/javascript">
window.onload = function () {
 // Read embed application token from Model
    var accessToken = "embed token"; 
	
    // Read embed URL from Model
    var embedUrl = "embed url";

    // Read dashboard Id from Model
    var embedReportId = "reportid";

    // Get models. models contains enums that can be used.
    var models = window['powerbi-client'].models; 
	 
    var config = {
        type: 'report',
        tokenType: models.TokenType.Embed,
        accessToken: accessToken,
        embedUrl: embedUrl,
        id: embedReportId , 
		settings: {
        filterPaneEnabled: true	
    }		 
    };

    // Get a reference to the embedded dashboard HTML element
    var dashboardContainer = $('#reportContainer')[0] ;

    // Embed the dashboard and display it within the div container.
var reports = powerbi.embed(dashboardContainer, config); 
  
</script>  
<div id="reportContainer"></div> 
</html>

Re: Embedding without hard-coding master credentials (app owns data)

MaxW — Mon, 06 Nov 2017 20:35:17 GMT

Hi Eric,

Thank you this is a very comprehensive and helpful reply. I will pass it on to our app developers and see if there is a way we can satisfy the security concerns.

Kind regards,

Max

Re: Embedding without hard-coding master credentials (app owns data)

MaxW — Mon, 20 Nov 2017 23:57:58 GMT

Hi @Eric_Zhang,

I finally got the tokens working thanks to your post, but I'm now stuck on the RLS. Maybe I'm misunderstanding how it is supposed to work?

I generate an access token using the master account, then use that token to generate an embed token with a variable username like so:

{   
    "accessLevel": "View",
    "identities": [     
        {      
            "username": "Org19",
            "roles": [ "OrganisationUser" ],
            "datasets": [ "5f5...0d5f5" ]
        }   
    ] 
}

I then have a report with the role "OrganisationUser" and the Organisation table filtered as [OrganisationIdString]=USERNAME()

In the report I have a card showing the measure that is 'User=USERNAME()'

The report runs In the javascript sample https://microsoft.github.io/PowerBI-JavaScript/demo/v2-demo/index.html

but I expect the card to show 'Org19' but instead it shows my master account username.

Am I close or doing this totally wrong?

Re: Embedding without hard-coding master credentials (app owns data)

Eric_Zhang — Tue, 21 Nov 2017 06:57:47 GMT

@MaxW

I don't have problem generating the RLS token, the username shows what it is passed in the JSON body. Please post more details how you generate the embedded token.

Measure=USERNAME()

Re: Embedding without hard-coding master credentials (app owns data)

MaxW — Tue, 21 Nov 2017 20:28:21 GMT

Hi Eric,

I'm so sorry for wasting your time here, I was generating the token using curl and think I had wrapped the JSON incorrectly so it was getting ignored. Everything seems to be working now thank you so much for your help!

Re: Embedding without hard-coding master credentials (app owns data)

Eric_Zhang — Wed, 22 Nov 2017 08:35:48 GMT

No problem.