abshirey
Microsoft Employee

OAuth2 Data Connector with PKCE

Hi, I'm trying to implement a custom OAuth2 data connector with PKCE to call a rest api, so I do not have to use confidential client secrets in the report. However, I can't get the authorization to validate successfully and have not found a working example of an OAuth2 data connector that does not rely on shared secrets. It is my understanding that the OAuth2 data connector supports getting an access token via the auth code flow with PKCE. Can anyone confirm that using PKCE with a custom OAuth2 data connector is possible? If so, can anyone direct me to a working example? Thank you!

5 REPLIES
v-juanli-msft
Community Support

Hi @abshirey 

Are the references below helpful?

https://docs.microsoft.com/en-us/power-query/handlingauthentication

Power Query extensions are evaluated in applications running on client machines.

Data Connectors should not use confidential secrets in their OAuth flows, as users may inspect the extension or network traffic to learn the secret.

See the Proof Key for Code Exchange by OAuth Public Clients RFC (also known as PKCE) for further details on providing flows that don't rely on shared secrets.

Best Regards
Maggie
Community Support Team _ Maggie Li
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

ccc

Hi @v-juanli-msft , @abshirey 

I'm working through the implementation of PKCE authentication flow for our certified connector and wondered if you could assist with a few questions I have:

  1. The flow works fine when using code_challenge_method with the value plain. However, this is not the recommended method and hashing the verification code is highly advised (in addition to a few other things, see formula below):
    BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    Does the M language (Power Query) have an out-of-the-box function to do the hashing?
  2. What is the best way to store the code verifier value for the user session? As far as I can see, if one assigns a value to a variable it persists for the OAuth flow, but when it comes to refreshing the access token a new value is used. Please advise on best practice.

Thanks

Hi @neil_varnas_IP 

As far as I know, there isn't a sha_256 method in the M language. If you wanted to use this code_challenge_method, maybe you could generate the code_challenge with a Python script in Power BI, set the output as an env variable and reference it in the connector? This is a random suggestion; I haven't researched if this is possible.

I used the plain code_challenge method and created the code_verifier and code_challenge in the StartLogin method by concatenating two guids together: Text.NewGuid() + Text.NewGuid(). I got this idea from the GitHub post: https://github.com/microsoft/DataConnectors/issues/280#issuecomment-589651327 . It also shows how to pass it in as an optional fourth parameter to the TokenMethod so you can still use the refresh method. 

Hope that helps! If you decide to use the plain method with guids and have any implementation issues, let me know
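To make the two approaches discussed above concrete (the S256 formula from the earlier question, and the plain method with two concatenated GUIDs from this reply), here is an added example that is not from the original thread or from the Microsoft DataConnectors repository. It is written in Python rather than Power Query M because, as noted above, M has no built-in SHA-256; the point is to show what the connector has to compute on the client side and what the authorization server checks at the token endpoint. The verifier constraints and the S256 test vector come from RFC 7636; the `guid_pair_verifier` helper is a constructed imitation of the `Text.NewGuid() + Text.NewGuid()` idea, and `server_verify` is an assumed model of the token endpoint, not any real server's code.

```python
import base64
import hashlib
import re
import secrets
import uuid

# RFC 7636 section 4.1: code_verifier is 43 to 128 characters drawn from the
# unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_no_pad(data: bytes) -> str:
    """BASE64URL-ENCODE as RFC 7636 defines it: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to exactly 43 base64url characters."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def guid_pair_verifier() -> str:
    """Constructed imitation of the thread's Text.NewGuid() + Text.NewGuid() approach.

    Two hyphenated GUIDs give 72 characters from [0-9a-f-], which is inside the
    unreserved set and the 43..128 length window, so it is a valid verifier.
    """
    return str(uuid.uuid4()) + str(uuid.uuid4())


def is_valid_verifier(verifier: str) -> bool:
    """Length and character-set check from RFC 7636 section 4.1."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def code_challenge(verifier: str, method: str) -> str:
    """Client side: derive the code_challenge that goes on the authorization request."""
    if method == "plain":
        return verifier
    if method == "S256":
        # BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
        return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Assumed token-endpoint behaviour: recompute the challenge from the verifier
    presented with the authorization code and compare it in constant time."""
    if not is_valid_verifier(presented_verifier):
        return False
    expected = code_challenge(presented_verifier, stored_method)
    return secrets.compare_digest(expected, stored_challenge)


def pkce_round_trip(method: str) -> dict:
    """Whole exchange: the client keeps the verifier, sends only the challenge with
    /authorize, then sends the verifier with /token; the server accepts it and
    rejects any other verifier."""
    verifier = make_code_verifier()
    challenge = code_challenge(verifier, method)   # sent with the /authorize request
    # ... user signs in; server stores (challenge, method) against the issued code ...
    accepted = server_verify(challenge, method, verifier)             # sent with /token
    other = server_verify(challenge, method, make_code_verifier())    # attacker's guess
    return {
        "method": method,
        "challenge": challenge,
        "verifier_accepted": accepted,
        "other_verifier_accepted": other,
    }


if __name__ == "__main__":
    for m in ("plain", "S256"):
        print(pkce_round_trip(m))
```

The practical difference between the two methods is visible in `code_challenge`: with `plain` the challenge on the authorization request is the verifier itself, so anyone who can observe that request (the same threat the documentation quoted earlier in the thread describes, a user inspecting network traffic) already holds the value the token endpoint will ask for; with `S256` the request only carries the hash. Either way the verifier is needed only once, at the code-for-token exchange, which is why it has to be carried from StartLogin to the TokenMethod call and is not needed again for a refresh-token grant.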

Hi @abshirey ,

Thanks for your quick response. That link was a massive help to get the verification code passed around. Re S256 hashing, I keep it as a plain code just now; hopefully, in the future we'll get some additional helper functions to get the value hashed and make it more secure.
Thanks

Hi Maggie, 

Those links are helpful. I used those along with the GitHub samples repo to create my data connector. 

The problem I'm having, which I can't find a solution for in the linked sites, is that exchanging an authorization token for an access token is not successful. The PKCE code verification is successful. This problem could be due to AAD permissions, as the app I'm trying to access is registered in AAD, OAuth2 authorization, or how the data connector. If you could suggest any resources about how to use the OAuth2 authorization code grant with PKCE in Power BI for an app registered in AAD, I would appreciate it! Do you know if any specific permissions need to be requested in the scope or approved on the Azure portal?
