Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
ranbeermakin
Resolver III
Resolver III

Calling Power BI Embedded token service securely from another application

‎02-09-2018 07:04 AM

Hi there,

 

I'm able to generate my Power BI embed tokens successfully. But I'm worried about it's security, let me explain my scenario.

 

I have an application hosted on app.com, and my service to get token hosted on abc.com. When user logins to app.com, I call my service (hosted on abc.com) to get token and then render my Power BI report.

 

I see one major issue here. The code to get token is in javascript in app.com. So the user can see what code i'm calling, copy the ajax request URL and say bye bye to my app.

And behind the back the user might be pinging my service URL to get tokens and rendering report without even entering my application.

 

Can we avoid this scenario?

How to ensure only authenticated users can access my service hosted on abc.com? 

How to use my app.com authentication for authenticating my service?

In the above scenario, calls to service hosted on abc.com should fail if the user is not logged in to app.com

 

In my case app.com is shopify.com.

 

Sorry to ask a basic question.

 

@Eric_Zhang?

 

Thanks,

Ranbeer 

Labels:
Message 1 of 4
1,815 Views
0
1 ACCEPTED SOLUTION
v-chuncz-msft
Community Support
Community Support

‎02-12-2018 03:18 AM

@ranbeermakin,

 

You may take a look at link below.

https://stackoverflow.com/questions/31611072/how-to-secure-the-javascript-api-access-token

Community Support Team _ Sam Zha
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 2 of 4
1,982 Views
0
3 REPLIES 3
v-chuncz-msft
Community Support
Community Support

‎02-12-2018 03:18 AM

@ranbeermakin,

 

You may take a look at link below.

https://stackoverflow.com/questions/31611072/how-to-secure-the-javascript-api-access-token

Community Support Team _ Sam Zha
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 4
1,983 Views
0
ranbeermakin
Resolver III
Resolver III
In response to v-chuncz-msft

‎02-12-2018 05:23 AM

Thanks,

CORS I have setup. I'm evaluating Proxying the request.

 

Thanks.

Message 3 of 4
1,772 Views
0
paullondon
New Member
In response to ranbeermakin

‎05-19-2019 12:23 AM

Did you ever get a solution to this that avoids putting tokens in Javascript?

Message 4 of 4
1,381 Views
0

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

View All