使用客户端凭据从Azure AD获取访问令牌以进行本机应用程序注册(PowerBI) [英] Acquire access token from Azure AD for native app registration (PowerBI) using client credentials
问题描述
我正在使用后端应用程序中的adal4j(版本1.2.0)来获取访问令牌,以便能够使用PowerBI REST API嵌入报告(更具体地讲,GenerateToken方法).我已经在Azure中注册了本机应用程序,并为其提供了必要的权限.我可以使用用户名/密码组合来获取访问令牌,如下所示:
I am using adal4j (version 1.2.0) from a backend application to acquire an access token to be able to use the PowerBI REST APIs to embed reports (more specifically, the GenerateToken method). I have registered a native app in Azure, and provided it the necessary permissions. I can acquire an access token using a username/password combination as follows:
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/TENANT_ID/oauth2/authorize", false, es);
Future<AuthenticationResult> f = ac.acquireToken("https://analysis.windows.net/powerbi/api", CLIENT_ID, USERNAME, PASSWORD, null);
,然后使用令牌成功地对API进行身份验证,并最终显示嵌入式报告.但是,就我而言,我当然想使用客户端凭据(客户端ID,客户端密码)代替用户帐户.我可以再次获得令牌,如下所示:
And then use the token to authenticate to the APIs successfully, and ultimately show the embedded report. However, I my case, I would like to of course use the client credentials (client ID, client secret) instead of a user account. I can acquire the token again as follows:
AuthenticationContext("https://login.windows.net/TENANT_ID/oauth2/authorize", false, es);
ClientCredential cc = new ClientCredential(CLIENT_ID, CLIENT_SECRET);
Future<AuthenticationResult> f = ac.acquireToken("https://analysis.windows.net/powerbi/api", cc,null);
客户端ID是已注册的本机应用程序的应用程序ID,并且通过向应用程序添加密钥来定义客户端密钥. 同样,我获得了令牌,但是现在我不能再使用它来针对API进行身份验证(HTTP 403,没有任何更多详细信息).
The client ID is the application ID of the registered native app, and the client secret is defined by adding a key to the application. Again, I get the token, but now I am not able to use it to authenticate against the APIs anymore (HTTP 403, without any further details).
所以我的问题是,这首先应该是一个有效的方案,和/或我是否只是在Azure中或使用adal4j缺少了一条技术信息?
So my question is, that is this a valid scenario that should work in the first place, and/or am I just missing a piece of technical information either in Azure or using adal4j?
编辑:以下是委派的应用权限的屏幕截图.
Below is a screenshot of the delegated app permissions.
推荐答案
AFAIK,Power BI REST API仅支持委托权限,但不支持任何应用程序权限.在Azure门户中找不到可用的应用程序许可.因此,Power BI REST API不允许没有用户身份的客户端凭据流.相关线程此处和
AFAIK , Power BI REST API only supports delegated permissions but does not support any application permissions . You will find no application permission available in azure portal . So Power BI REST API doesn't allow client credential flow without user identity . Related threads here and here are for your reference .
如果要从服务连接到Power BI REST API,可以使用
If you want to connect to Power BI REST API from a Service , you could use Resource Owner Password Credentials Grant flow .
这篇关于使用客户端凭据从Azure AD获取访问令牌以进行本机应用程序注册(PowerBI)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
