使用客户端凭据从 Azure AD 获取访问令牌以进行本机应用注册 (PowerBI) [英] Acquire access token from Azure AD for native app registration (PowerBI) using client credentials
问题描述
我正在使用来自后端应用程序的 adal4j(版本 1.2.0)来获取访问令牌,以便能够使用 PowerBI REST API 来嵌入报告(更具体地说,是 GenerateToken 方法).我在 Azure 中注册了一个本机应用程序,并为其提供了必要的权限.我可以使用用户名/密码组合获取访问令牌,如下所示:
I am using adal4j (version 1.2.0) from a backend application to acquire an access token to be able to use the PowerBI REST APIs to embed reports (more specifically, the GenerateToken method). I have registered a native app in Azure, and provided it the necessary permissions. I can acquire an access token using a username/password combination as follows:
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/TENANT_ID/oauth2/authorize", false, es);
Future<AuthenticationResult> f = ac.acquireToken("https://analysis.windows.net/powerbi/api", CLIENT_ID, USERNAME, PASSWORD, null);
然后使用令牌成功地对 API 进行身份验证,并最终显示嵌入的报告.但是,就我而言,我当然想使用客户端凭据(客户端 ID、客户端密码)而不是用户帐户.我可以再次获取令牌,如下所示:
And then use the token to authenticate to the APIs successfully, and ultimately show the embedded report. However, I my case, I would like to of course use the client credentials (client ID, client secret) instead of a user account. I can acquire the token again as follows:
AuthenticationContext("https://login.windows.net/TENANT_ID/oauth2/authorize", false, es);
ClientCredential cc = new ClientCredential(CLIENT_ID, CLIENT_SECRET);
Future<AuthenticationResult> f = ac.acquireToken("https://analysis.windows.net/powerbi/api", cc,null);
client ID是注册的native app的应用ID,client secret是通过给应用添加key来定义的.我再次获得了令牌,但现在我无法再使用它来针对 API 进行身份验证了(HTTP 403,没有任何进一步的细节).
The client ID is the application ID of the registered native app, and the client secret is defined by adding a key to the application. Again, I get the token, but now I am not able to use it to authenticate against the APIs anymore (HTTP 403, without any further details).
所以我的问题是,这是一个应该首先工作的有效方案,和/或我只是在 Azure 或使用 adal4j 时遗漏了一条技术信息?
So my question is, that is this a valid scenario that should work in the first place, and/or am I just missing a piece of technical information either in Azure or using adal4j?
下面是委派应用权限的屏幕截图.
Below is a screenshot of the delegated app permissions.
推荐答案
AFAIK,Power BI REST API 仅支持委派权限,不支持任何应用程序权限.您会发现 azure 门户中没有可用的应用程序权限.因此,Power BI REST API 不允许没有用户身份的客户端凭据流.相关主题此处和这里供您参考.
AFAIK , Power BI REST API only supports delegated permissions but does not support any application permissions . You will find no application permission available in azure portal . So Power BI REST API doesn't allow client credential flow without user identity . Related threads here and here are for your reference .
如果你想从服务连接到 Power BI REST API,你可以使用 资源所有者密码凭据授予流程 .
If you want to connect to Power BI REST API from a Service , you could use Resource Owner Password Credentials Grant flow .
这篇关于使用客户端凭据从 Azure AD 获取访问令牌以进行本机应用注册 (PowerBI)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
