Can't get client-credentials access token to authorize Power BI

Question
I'm trying to use the Power BI REST API, using an access token acquired with the "client credentials" method, but I keep getting 403 Forbidden on my requests.
My code follows the pattern demonstrated in this AzureAD sample: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/client-credentials-sample.js. In fact, to isolate this problem, I'm running that sample code (with my own values in the parameters.json, of course):
{
expiresIn: 3599,
tokenType: 'Bearer',
expiresOn: Tue Sep 01 2015 16:56:07 GMT-0500 (CDT),
resource: '00000002-0000-0000-c000-000000000000',
accessToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.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.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ',
isMRRT: true,
_clientId: '[snip]',
_authority: 'https://login.windows.net/[snip]'
}
When I use that access token in a curl request, as follows, I get a 403:
curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ"
Wondering if that curl request was flawed somehow, I snooped out an access token "the wrong way" via browser webtools, and the above works fine, returning a 200 and a JSON response listing my datasets.
I did also notice that the return code is 403 (Forbidden), not 401 (Unauthorized), so I wondered if the authentication was okay but the permissions on the Power BI side were wrong. But I also get 403 when I use any garbage text for the access token (e.g., Authorization: Bearer foo), so I discarded that theory.
So. I think I have a valid test, and I'm getting what I think is a valid access token (from that client-credentials-sample.js code), but it's still not working. What am I missing?

Answer
With the assistance of some Microsoft folks (thanks, Jon Gallant & Josh Caplan), I've learned that authenticating with an OAuth client-credentials flow, as I was doing with that JavaScript sample, provides insufficient access. To use Power BI, authentication needs to be based on a particular user.
I tried using:
- the similar JavaScript sample username-password-sample.js (https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/username-password-sample.js)
- a resource value of https://analysis.windows.net/powerbi/api (thanks, slugslog)
- adding username and password to the parameters.json
That got me closer, but I was still getting a 400 response: "error_description":"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'. …".
A hack to the adal-node library (hardcoding the client secret, i.e., oauthParameters[OAuth2Parameters.CLIENT_SECRET] = "my-client-secret"; after line 217 of token-request.js, https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/lib/token-request.js#L218) was enough to get back an access token which works in the Authorization header for my original curl call.
Of course hardcoding that value in there isn't my final solution. I don't plan to use the adal-node library, anyway. But as far as this proof-of-concept for this authentication case goes, that's the answer I came to.