Client credentials don't work for the Power BI REST API

2022-01-10 00:00:00 python rest authentication powerbi adal

Problem description

I'm trying to implement the daemon authentication flow. The following post request returns me an access token with the right scope:

import json
import requests

p_url = 'https://login.microsoftonline.com/' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' + '/oauth2/token'
data = { 'grant_type':'client_credentials',
         'client_id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
         'client_secret': 'L------------------------------------------=',
         'resource':'https://analysis.windows.net/powerbi/api' }
r = requests.post(url=p_url, data=data)

I receive the following response:

{
  "access_token" : "ey------------",
  "expires_on" : "1454857253",
  "not_before" : "1454853353",
  "expires_in" : "3600",
  "token_type" : "Bearer",
  "scope" : "Dashboard.Read.All Data.Alter_Any Dataset.Read.All Dataset.ReadWrite.All Report.Read.All",
  "resource" : "https://analysis.windows.net/powerbi/api"
}

response = json.loads(r.text)
token = response['access_token']
headers = { 'Authorization': 'Bearer ' + token }
response = requests.get('https://api.powerbi.com/v1.0/myorg/datasets', headers=headers)

I use the endpoint from the application's "view endpoints" page. However, when I attempt to get the list of "datasets" I always receive 403. What might be missing from the acquire token process?

Solution

Your flow is a bit short. REST call for datasets seems OK, but as far as I know, you have to request the access token by authorization code, not client credentials alone.

1) Get authorization code

Depending on your flow, for a website it will be received during the logon process or from a call to /oauth2/authorize with { 'response_type': 'code' }

2) Get access token

With the authorization code in a variable, you have to modify your request to include the authorization code, like this (grant_type and code fields are altered):

p_url = 'https://login.microsoftonline.com/' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' + '/oauth2/token'
data = { 'grant_type':'authorization_code',
     'client_id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
     'client_secret': 'L------------------------------------------=',
     'code': authorizationCodeForSignedInUser,
     'resource':'https://analysis.windows.net/powerbi/api' }
r = requests.post(url=p_url, data=data)

Basically saying, you have to have a user account that accesses the Power BI resource. Your website (clientid + secret) is not authorized by itself. There must be a user involved.

What's more, afaik only "organization account" users can access Power BI.

To be explicit and underline the main cause in this thread, post and comments: the Power BI REST API can only be used via a user with Organizational Account credentials who has already signed in to (activated) Power BI on the Power BI portal. You can check if the REST API will work by checking if this user is able to use the Power BI portal manually.
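
The two steps described in the answer, as an added example that is not part of the original post: it builds the /oauth2/authorize URL, validates the redirect that comes back, and prepares the authorization_code token request. The tenant, client and redirect values passed in are placeholders, and the `state` and `redirect_uri` parameters are standard OAuth 2.0 fields assumed here, not shown in the answer.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/"
RESOURCE = "https://analysis.windows.net/powerbi/api"  # resource value from the page


def build_authorize_url(tenant_id, client_id, redirect_uri):
    """Step 1: URL the user's browser is sent to. Returns (url, state)."""
    state = secrets.token_urlsafe(32)  # anti-CSRF value, store it in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": RESOURCE,
        "state": state,
    })
    return f"{AUTHORITY}{tenant_id}/oauth2/authorize?{query}", state


def extract_code(callback_url, expected_state):
    """Validate the redirect back to the app and return the authorization code."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; reject callbacks that did not start in this session.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding callback")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri):
    """Step 2: (url, data) to pass to requests.post(url=url, data=data)."""
    url = f"{AUTHORITY}{tenant_id}/oauth2/token"
    data = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the value sent in step 1
        "resource": RESOURCE,
    }
    return url, data
```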
