Hi, I'm trying to implement a custom OAuth2 data connector with PKCE to call a REST API, so I do not have to use confidential client secrets in the report. However, I can't get the authorization to validate successfully and have not found a working example of an OAuth2 data connector that does not rely on shared secrets. It is my understanding that the OAuth2 data connector supports getting an access token via the auth code flow with PKCE. Can anyone confirm that using PKCE with a custom OAuth2 data connector is possible? If so, can anyone direct me to a working example? Thank you!
Hi @abshirey
Are the references below helpful?
https://docs.microsoft.com/en-us/power-query/handlingauthentication
Power Query extensions are evaluated in applications running on client machines.
Data Connectors should not use confidential secrets in their OAuth flows, as users may inspect the extension or network traffic to learn the secret.
See the Proof Key for Code Exchange by OAuth Public Clients RFC (also known as PKCE) for further details on providing flows that don't rely on shared secrets.
Best Regards
Maggie
Community Support Team _ Maggie Li
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
Hi @v-juanli-msft , @abshirey
I'm working through the implementation of PKCE authentication flow for our certified connector and wondered if you could assist with a few questions I have:
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
Does the M language (Power Query) have an out-of-the-box function to do the hashing?
Thanks
As far as I know, there isn't a sha_256 method in the M language. If you wanted to use this code_challenge_method, maybe you could generate the code_challenge with a Python script in Power BI, set the output as env variables and reference them in the connector? This is a random suggestion, I haven't researched if this is possible.
I used the plain code_challenge method and created the code_verifier and code_challenge in the StartLogin method by concatenating two guids together: Text.NewGuid() + Text.NewGuid(). I got this idea from the GitHub post: https://github.com/microsoft/DataConnectors/issues/280#issuecomment-589651327. It also shows how to pass it in as an optional fourth parameter to the TokenMethod so you can still use the refresh method.
Hope that helps! If you decide to use the plain method with guids and have any implementation issues, let me know.
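The StartLogin / TokenMethod arrangement described in the reply above, written out as an added example in M (it is not code from this thread or from the DataConnectors repo); the client_id, authorize and token endpoints are placeholders to be replaced by the real app registration. With the plain method the verifier itself is sent as the code_challenge in the authorize request, so it only protects against an attacker who intercepts the returned code but not that request; S256 remains the stronger choice where hashing is available.

```powerquery
section PkceSample;
// Assumed placeholders: replace with the real app registration and endpoints
client_id = "<client-id-placeholder>";
authorize_uri = "https://example.invalid/oauth2/authorize";
token_uri = "https://example.invalid/oauth2/token";
redirect_uri = "https://oauth.powerbi.com/views/oauthredirect.html";

StartLogin = (resourceUrl, state, display) =>
    let
        // code_verifier from two concatenated GUIDs: 72 chars, inside RFC 7636's 43..128 range
        codeVerifier = Text.NewGuid() & Text.NewGuid(),
        loginUrl = authorize_uri & "?" & Uri.BuildQueryString([
            client_id = client_id,
            response_type = "code",
            redirect_uri = redirect_uri,
            state = state,
            code_challenge_method = "plain",
            code_challenge = codeVerifier   // plain method: challenge equals verifier
        ])
    in
        // Context is returned to FinishLogin as its first argument, so the verifier rides along
        [LoginUri = loginUrl, CallbackUri = redirect_uri, WindowHeight = 1000, WindowWidth = 1200, Context = codeVerifier];

FinishLogin = (context, callbackUri, state) =>
    let
        query = Uri.Parts(callbackUri)[Query]
    in
        if Record.HasFields(query, "error") then
            error Error.Record(query[error], query[error_description]?, query)
        else
            TokenMethod("authorization_code", "code", query[code], context);  // context = code_verifier

Refresh = (resourceUrl, refresh_token) =>
    TokenMethod("refresh_token", "refresh_token", refresh_token);

// The optional codeVerifier is only sent on the initial code exchange; refresh reuses the same function, and no client secret is sent in either case.
TokenMethod = (grantType, tokenField, code, optional codeVerifier) =>
    let
        base = Record.AddField([client_id = client_id, grant_type = grantType, redirect_uri = redirect_uri], tokenField, code),
        body = if codeVerifier = null then base else Record.AddField(base, "code_verifier", codeVerifier),
        response = Web.Contents(token_uri, [
            Content = Text.ToBinary(Uri.BuildQueryString(body)),
            Headers = [#"Content-type" = "application/x-www-form-urlencoded", #"Accept" = "application/json"]
        ]),
        parts = Json.Document(response)
    in
        if Record.HasFields(parts, "error") then
            error Error.Record(parts[error], parts[error_description]?, parts)
        else
            parts;
```

Checking the token response for an error field before returning it keeps a failed exchange visible in the connector's error rather than surfacing later as a missing access_token.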
Hi @abshirey ,
Thanks for your quick response. That link was a massive help to get the verification code passed around. Regarding S256 hashing, I'm keeping it as a plain code for now; hopefully, in the future we'll get some additional helper functions to get the value hashed and make it more secure.
Thanks
Hi Maggie,
Those links are helpful. I used those along with the GitHub samples repo to create my data connector.
The problem I'm having, which I can't find a solution for on the linked sites, is that exchanging an authorization token for an access token is not successful. The PKCE code verification is successful. This problem could be due to AAD permissions, as the app I'm trying to access is registered in AAD, OAuth2 authorization, or how the data connector. If you could suggest any resources about how to use the OAuth2 authorization code grant with PKCE in Power BI for an app registered in AAD, I would appreciate it! Do you know if any specific permissions need to be requested in the scope or approved on the Azure portal?