Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Request now

Reply
ranbeermakin
Resolver III
Resolver III

Calling Power BI Embedded token service securely from another application

‎02-09-2018 07:04 AM

Hi there,

 

I'm able to generate my Power BI embed tokens successfully. But I'm worried about it's security, let me explain my scenario.

 

I have an application hosted on app.com, and my service to get token hosted on abc.com. When user logins to app.com, I call my service (hosted on abc.com) to get token and then render my Power BI report.

 

I see one major issue here. The code to get token is in javascript in app.com. So the user can see what code i'm calling, copy the ajax request URL and say bye bye to my app.

And behind the back the user might be pinging my service URL to get tokens and rendering report without even entering my application.

 

Can we avoid this scenario?

How to ensure only authenticated users can access my service hosted on abc.com? 

How to use my app.com authentication for authenticating my service?

In the above scenario, calls to service hosted on abc.com should fail if the user is not logged in to app.com

 

In my case app.com is shopify.com.

 

Sorry to ask a basic question.

 

@Eric_Zhang?

 

Thanks,

Ranbeer 

Labels:
Message 1 of 4
1,878 Views
0
1 ACCEPTED SOLUTION
v-chuncz-msft
Community Support
Community Support

‎02-12-2018 03:18 AM

@ranbeermakin,

 

You may take a look at link below.

https://stackoverflow.com/questions/31611072/how-to-secure-the-javascript-api-access-token

Community Support Team _ Sam Zha
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 2 of 4
2,045 Views
0
3 REPLIES 3
v-chuncz-msft
Community Support
Community Support

‎02-12-2018 03:18 AM

@ranbeermakin,

 

You may take a look at link below.

https://stackoverflow.com/questions/31611072/how-to-secure-the-javascript-api-access-token

Community Support Team _ Sam Zha
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 4
2,046 Views
0
ranbeermakin
Resolver III
Resolver III
In response to v-chuncz-msft

‎02-12-2018 05:23 AM

Thanks,

CORS I have setup. I'm evaluating Proxying the request.

 

Thanks.

Message 3 of 4
1,835 Views
0
paullondon
New Member
In response to ranbeermakin

‎05-19-2019 12:23 AM

Did you ever get a solution to this that avoids putting tokens in Javascript?

Message 4 of 4
1,444 Views
0

Helpful resources

Announcements
Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

October Power BI Update Carousel

Power BI Monthly Update - October 2025

Check out the October 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All