Power BI Rest API and HTTPS

mwotruba · ‎10-27-2017

Hi,

I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.
Following scenario:
I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.
I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.

Can anybody confirm that the access token can not be captured?
Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)

Thanks in advance,
Marco

Eric_Zhang · ‎10-30-2017

@mwotruba wrote:

Hi,

I'm not very familar with network security stuff like https and certificates and how the content of a request will be encrypted.
Following scenario:
I would like to use the Power BI REST API in my Windows App to show some "filtered" reports. The Windows App applies the "right" filter regarding the user whitch is currently logged in.
I have to make sure that there is no way to capture the access token I'm using with the API calls. I think about "man in the middle attacts" or something like this.

Can anybody confirm that the access token can not be captured?
Is this possibly dependend on the client sdk I'm using? (Javascript, C#, ..)

Thanks in advance,
Marco

@mwotruba

I'm not an expert on network, however it seems that the HTTPS already can prevent man in the middle attacks. There was risk because Power BI used to use the accesstoken for embedding service and the accesstoken was a plaintext in the embedding web page. Now Embedded token has been applied, which is limited to specific report/dashboard with view/edit permissions. The risk has been reduced to the minimum in my opinion.