Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Calling all Data Engineers! Fabric Data Engineer (Exam DP-700) live sessions are back! Starting October 16th. Sign up.

Reply
mwotruba
Regular Visitor

Power BI Rest API and HTTPS

‎10-27-2017 09:08 AM

Hi,

I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.
Following scenario:
I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.
I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.

Can anybody confirm that the access token can not be captured?
Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)

Thanks in advance,
Marco

Labels:
Message 1 of 2
983 Views
0
1 REPLY 1
Eric_Zhang
Microsoft Employee
Microsoft Employee

‎10-30-2017 12:04 AM
@mwotruba wrote:

Hi,

I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.
Following scenario:
I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.
I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.

Can anybody confirm that the access token can not be captured?
Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)

Thanks in advance,
Marco

@mwotruba

I'm not an expert on network, however it seems that the HTTPS already can prevent man in the middle attacks. There was risk because Power BI used to use the accesstoken for embedding service and the accesstoken was a plaintext in the embedding web page. Now Embedded token has been applied, which is limited to specific report/dashboard with view/edit permissions. The risk has been reduced to the minimum in my opinion.

Message 2 of 2
963 Views
0

Helpful resources

Announcements
FabCon Global Hackathon Carousel

FabCon Global Hackathon

Join the Fabric FabCon Global Hackathon—running virtually through Nov 3. Open to all skill levels. $10,000 in prizes!

October Power BI Update Carousel

Power BI Monthly Update - October 2025

Check out the October 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All