PowerBI和Azure AD无头登录

Question

我想将PowerBI仪表板嵌入到我的客户MVC门户中。我的客户没有AAD帐户，所以当他们访问网站时他们无法登录到Live，他们以个人权限登录到我的MVC网站。

我已经在PowerBI/AAD上注册了我的App，并拥有ClientID和Secret。我打电话给AAD并获得一个授权码，然后我用它来获取成功返回的认证令牌。

当我使用访问令牌来获取仪表板时，它会不断被403 Forbidden拒绝。

我已经浏览了微软的所有样本，但他们需要用户登录提示。我已经回顾了引用AcquireToken方法的ADAL2.0代码，但是这在ADAL3中已被弃用，并由具有不同参数的AcquireTokenAsync取代，我在下面的示例中使用了它。

这里获得令牌功能：

protected AuthenticationResult GetAccessToken() 
    { 
     string pBiUser = Properties.Settings.Default.PowerBIUser; 
     string pBiPwd = Properties.Settings.Default.PowerBIPwd; 
     string pBiClientId = Properties.Settings.Default.PowerBIClientId; 
     string pBiSecret = Properties.Settings.Default.PowerBIClientSecret; 
     TokenCache TC = new TokenCache(); 
     ClientCredential CC = new ClientCredential(pBiClientId,pBiSecret); 
     string AU = Properties.Settings.Default.PowerBIAuthority; 
     Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authenticationContext 
      = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(AU, TC); 
     AuthenticationResult result = authenticationContext.AcquireTokenAsync("https://analysis.windows.net/powerbi/api" 
      ,CC).Result; 

     if (result == null) 
     { 
      throw new InvalidOperationException("Failed to obtain the PowerBI token"); 
     } 

     return result; 
    } 

我再取结果令牌和调用。所述响应接收403：

protected PBIDashboards GetDashboards(AuthenticationResult authResult) 
    { 
     PBIDashboards pbiDashboards = new PBIDashboards(); 
     var baseAddress = new Uri("https://api.powerbi.com"); 
     using (var httpClient = new System.Net.Http.HttpClient {BaseAddress = baseAddress}) 
     { 
      httpClient.DefaultRequestHeaders.TryAddWithoutValidation("authorization", 
       "Bearer " + authResult.AccessToken); 
      using (**var response** = httpClient.GetAsync("v1.0/myorg/dashboards").Result) 
      { 
       string responseData = response.Content.ReadAsStringAsync().Result; 

       //Deserialize JSON string 
       pbiDashboards = JsonConvert.DeserializeObject<PBIDashboards>(responseData); 

       if (pbiDashboards != null) 
       { 
        var gridViewDashboards = pbiDashboards.value.Select(dashboard => new 
        { 
         Id = dashboard.id, 
         DisplayName = dashboard.displayName, 
         EmbedUrl = dashboard.embedUrl 
        }); 
       } 
      } 
     } 
     return pbiDashboards; 
    } 

Answer 1

了大量的研究后，你可以做一个直接的AJAX调用获得令牌：

private async Task<string> GetAccessToken() 
    { 
     string pBiUser = Properties.Settings.Default.PowerBIUser; 
     string pBiPwd = Properties.Settings.Default.PowerBIPwd; 
     string pBiClientId = Properties.Settings.Default.PowerBIClientId; 
     string pBiSecret = Properties.Settings.Default.PowerBIClientSecret; 
     string pBITenant = Properties.Settings.Default.PowerBITenantId; 

     string tokenEndpointUri = "https://login.microsoftonline.com/"+pBITenant+"/oauth2/token"; 

     var content = new FormUrlEncodedContent(new[] 
      { 
     new KeyValuePair<string, string>("grant_type", "password"), 
     new KeyValuePair<string, string>("username", pBiUser), 
     new KeyValuePair<string, string>("password", pBiPwd), 
     new KeyValuePair<string, string>("client_id", pBiClientId), 
     new KeyValuePair<string, string>("client_secret", pBiSecret), 
     new KeyValuePair<string, string>("resource", "https://analysis.windows.net/powerbi/api") 
     }); 

     using (var client = new HttpClient()) 
     { 
      HttpResponseMessage res = client.PostAsync(tokenEndpointUri, content).Result; 

      string json = await res.Content.ReadAsStringAsync(); 

      AzureAdTokenResponse tokenRes = JsonConvert.DeserializeObject<AzureAdTokenResponse>(json); 

      return tokenRes.AccessToken; 
     } 
    } 

一旦你的字符串的accessToken，你可以调用的仪表板请求。

protected PBIDashboards GetDashboards(string token) 
    { 
     PBIDashboards pbiDashboards = new PBIDashboards(); 
     var baseAddress = new Uri("https://api.powerbi.com"); 
     using (var httpClient = new System.Net.Http.HttpClient {BaseAddress = baseAddress}) 
     { 
      httpClient.DefaultRequestHeaders.TryAddWithoutValidation("authorization", 
       "Bearer " + token); 
      using (var response = httpClient.GetAsync("v1.0/myorg/dashboards").Result) 
      { 
       string responseData = response.Content.ReadAsStringAsync().Result; 

       //Deserialize JSON string 
       pbiDashboards = JsonConvert.DeserializeObject<PBIDashboards>(responseData); 

       if (pbiDashboards != null) 
       { 
        var gridViewDashboards = pbiDashboards.value.Select(dashboard => new 
        { 
         Id = dashboard.id, 
         DisplayName = dashboard.displayName, 
         EmbedUrl = dashboard.embedUrl 
        }); 
       } 
      } 
     } 
     return pbiDashboards; 
    } 

这将为您提供仪表板的列表和仪表板标识调用API PowerBI在Javascript中建嵌入式页面。我使用隐藏的输入字段来存储访问令牌并嵌入URL以传递给Javascript调用。

// check if the embed url was selected 
var embedUrl = document.getElementById('embed').value; 
if (embedUrl === "") 
    return; 

// get the access token. 
accessToken = document.getElementById('token').value; 

// Embed configuration used to describe the what and how to embed. 
// This object is used when calling powerbi.embed. 
// You can find more information at https://github.com/Microsoft/PowerBI-JavaScript/wiki/Embed-Configuration-Details. 
var config = { 
    type: 'dashboard', 
    accessToken: accessToken, 
    embedUrl: embedUrl 
}; 

// Grab the reference to the div HTML element that will host the dashboard. 
var dashboardContainer = document.getElementById('dashboard'); 

// Embed the dashboard and display it within the div container. 
var dashboard = powerbi.embed(dashboardContainer, config); 

Answer 2

基于该错误消息（403），问题是相对于该权限。

并且AFAIK当我们使用客户端凭证流程获取访问令牌时，我们可以使用Power BI REST。您可以参考的权限如下图所示：

要获取电力BI REST令牌无需用户交互，我们可以使用资源所有者密码凭据流。你可以使用已经实现这个功能的第三方库PowerBI.Api.Client。