连接到Power BI API时收到“禁止（403）” [英] Receiving a 'Forbidden (403)' when connecting to Power BI API

问题描述

我们一直在尝试遵循这篇Power BI文章，以便我们可以将报告/仪表板嵌入到我们的SaaS产品中。具体来说，我们停留在第3步创建嵌入令牌。

We've been trying to follow this Power BI article so that we can embed reports/dashboards in our SaaS product. Specifically, we're stuck at Step 3, 'Create the Embed Token.'

我们能够很好地获取承载令牌，但是当请求检索令牌时，报告最终提交给我们收到的API：操作返回了无效的状态代码禁止

We're able to obtain an bearer token just fine but when the request to retrieve the reports is ultimately submitted to the API we receive:Operation returned an invalid status code 'Forbidden'

    private static string clientId = "...";
    private static string secretKey = "...";
    private static string groupId = "...";

    static void Main(string[] args)
    {
        string resourceUri = "https://analysis.windows.net/powerbi/api";
        string authorityUri = "https://login.windows.net/common/oauth2/authorize";

        ClientCredential credential = new ClientCredential(clientId, secretKey);
        AuthenticationContext authContext = new AuthenticationContext(authorityUri);

        var token = authContext.AcquireTokenAsync(resourceUri, credential).Result.AccessToken;

        var tokenCredentials = new TokenCredentials(token, "Bearer");

        using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), tokenCredentials))
        {
            var reports = client.Reports.GetReportsInGroupWithHttpMessagesAsync(groupId);

            // !!! - Here's where the exception is thrown
            // !!! -- Operation returned an invalid status code 'Forbidden'
            var report = reports.Result.Body;
        }
    }

这是我们尝试的方法：

• 已授予所需的权限（我们已选中所有选项以确保不丢失任何内容）。这包括Windows Azure Active Directory / Power BI服务。


• 我们已确认客户端ID，秘密密钥和组ID是正确的。


• Power BI工作区是私有的，但是我们尝试将其设为公共区，以确保这无关紧要。


• 最后，我们通过代码收到的令牌与powerbi.com上的令牌匹配。

• The required permissions have been granted (we've checked off all to ensure we're not missing anything). This includes both Windows Azure Active Directory/Power BI Service.
• We've confirmed that the client ID, secret key and group id are correct.
• The Power BI work-space is private, but we've tried making a public one to be sure it doesn't matter.
• Finally, the token we receive via code matches the token on powerbi.com.

推荐答案

使用客户端凭证流来获取Power BI API的令牌。当前，Power BI REST API仅支持委派权限，但不支持任何应用程序权限。因此您的访问令牌没有足够的访问权限。要使用Power BI，身份验证需要基于特定用户。相关线程此处和此处供您参考。

You are using client credential flow to acquire token for Power BI API . Currently , Power BI REST API only supports delegated permissions but does not support any application permissions . So your access token get insufficient access. To use Power BI, authentication needs to be based on a particular user. Related thread here and here are for your reference .

根据您的文档，该场景是应用拥有对数据的访问权。用户不一定是Power BI用户，并且该应用程序控制最终用户的身份验证和访问。然后，您可以使用资源所有者流来获取令牌。

According to your document ,the scenario is app owns access to the data. Users will not necessarily be Power BI users and the application controls authentication and access for the end users. Then you can use resource owner flow to acquiring token .

在Controllers中可以找到该示例应用拥有数据示例的HomeController.cs。

从代码示例中，它使用用户密码凭据获取令牌，而不是应用程序的凭据：

From the code sample , it is acquring token using a user password credential ,not application's credential :

            // Create a user password cradentials.
            var credential = new UserPasswordCredential(Username, Password);

            // Authenticate using created credentials
            var authenticationContext = new AuthenticationContext(AuthorityUrl);
            var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

请参考对用户进行身份验证并获取Power BI应用程序的Azure AD访问令牌，并检查非Power BI用户的访问令牌（应用拥有数据）部分。

这篇关于连接到Power BI API时收到“禁止（403）”的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！