Can't get client-credentials access token to authorize Power BI

Question

I'm trying to use the Power BI REST API, using an access token acquired with the "client credentials" method, but I keep getting 403 Forbidden on my requests.

My code follows the pattern demonstrated in this AzureAD sample. In fact, to isolate this problem, I'm running that sample code (with my own values in the parameters.json, of course):

{ 
  expiresIn: 3599,
  tokenType: 'Bearer',
  expiresOn: Tue Sep 01 2015 16:56:07 GMT-0500 (CDT),
  resource: '00000002-0000-0000-c000-000000000000',
  accessToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ',
  isMRRT: true,
  _clientId: '[snip]',
  _authority: 'https://login.windows.net/[snip]' 
}

When I use that access token in a curl request, as follows, I get a 403:

curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ"

Wondering if that curl request was flawed somehow, I snooped out an access token “the wrong way” via browser webtools, and the above works fine, returning a 200 and a JSON response listing my datasets.

I did also notice that the return code is 403 (forbidden), not 401 (unauthorized), so I wondered if the authorization was okay but the permissions on the Power BI side were wrong. But I also get 403 when I use any garbage text for the access token (e.g., Authorization: Bearer foo), so I discarded that theory.

So. I think I have a valid test, and I’m getting what I think is a valid access token (from that client-credentials-sample.js code), but it’s still not working. What am I missing?

Send me your code and I'll debug it for you http://bit.ly/emailjon. I'm on the power bi team. — Jon Gallant, Oct 04 '15 at 22:51
This is ridiculous. It's the most hassle to use a REST Api I've ever seen. Normally its a couple clicks to get a key or token and within minutes you can get results via postman. Why can't the PBI team put up a simple web page to automate enabling the api and generate sample calls based on real account credentials like so many others do? — whitneyland, Mar 25 '17 at 21:31

score 9 · Accepted Answer · answered Oct 06 '15 at 22:09

With the assistance of some Microsoft folks (thanks, Jon Gallant & Josh Caplan), I've learned that authenticating with an OAuth client-credentials flow, as I was doing with that JavaScript sample, provides insufficient access. To use Power BI, authentication needs to be based on a particular user.

I tried using:

the similar JavaScript sample username-password-sample.js
a resource value of https://analysis.windows.net/powerbi/api (thanks, slugslog)
adding username and password to the parameters.json

That got me closer, but I was still getting a 400 response: "error_description":"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'. …".

A hack to the adal-node library (hardcoding the client secret, i.e., oauthParameters[OAuth2Parameters.CLIENT_SECRET] = "my-client-secret"; after line 217 of token-request.js) was enough to get back an access token which works in the Authorization header for my original curl call.

Of course hardcoding that value in there isn't my final solution. I don't plan to use the adal-node library, anyway. But as far as this proof-of-concept for this authentication case goes, that's the answer I came to.

@cgrayson Did you ever get another solution for this? I mean, is there another library that gives out the correct access token? — Vishwas Shashidhar, Jan 18 '17 at 06:31
@VishwasShashidhar No, I never did. We wound up coding our own methods to get and use the access tokens. — cgrayson, Jan 20 '17 at 01:15
@cgrayson Well, that's a shame! But, thanks anyway! Looks like I'll have to clone the repo and modify code. — Vishwas Shashidhar, Jan 20 '17 at 06:21

score 3 · Answer 2 · answered Sep 02 '15 at 03:08

3

Make sure that your app that you registered with AAD has the read write all datasets permission. That should solve the problem.

answered Sep 02 '15 at 03:08

Josh Caplan - MSFT

366
1
3

Looking in Azure Active Directory, on the "Configure" tab for this "Application", under "permissions to other applications" there is "Power BI Service". It shows "Application Permissions: 0" (that arrow doesn't pop anything up to change), and "Delegated Permissions: 7" (that dropdown shows all boxes checked, including "Read and Write all Datasets (preview)"). That's what was already set before the above tests; I haven't changed anything yet. Am I looking in the right place? – cgrayson Sep 02 '15 at 15:30
I have cracked open the token that you had in the example above. I don't see those permissions in it. The first thing to check is that you are using the same app ID as the one that you were checking in AAD. If so, is this a web app or a native app? – Josh Caplan - MSFT Sep 03 '15 at 00:41
Hmm, I'm not sure what "app ID" is? Where do I find that in Azure and/or set it on the client side? I did match my lookup on the `clientId`, that's the same. And this is a web app. At least, it's trying to be. :-) – cgrayson Sep 03 '15 at 11:54
Yep. Client ID is the same. Please try this: go to https://portal.office.com/myapps. Find you app and remove it. Then try running your app again. It should ask you to consent again. – Josh Caplan - MSFT Sep 03 '15 at 15:42

score 3 · Answer 3 · answered Sep 30 '15 at 10:45

3

This is not an answer but one step forward in the debug process. I think the resource for which the token is requested should be "https://analysis.windows.net/powerbi/api". I've seen these in multiple references; one of them is linked below. Even after changing this, I still get a 403. As the OP mentioned if we use the accessToken from the powerBI portal, everything works.

answered Sep 30 '15 at 10:45

slugslog

1,748
1
10
10

I get "server not found" when I try to access https://analysis.windows.net/ in any way. Also not clear on where you're suggesting that URL would be used. As the "authority host URL" (as [here](https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/client-credentials-sample.js#L50)? Or as the target for the actual BI request (as in my original `curl` example)? – cgrayson Oct 01 '15 at 16:18
that should be the value of the "resource" property that you are requesting the token for. Here's a nodejs sample I'm working with. This is in place of the value '00000009-0000-0000-c000-000000000000' that you are currently using. – slugslog Oct 02 '15 at 11:03

score 3 · Answer 4 · answered Oct 02 '15 at 13:58

So I tried this with my own app, the following command works (for me):

curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer ey....qqqq"

BTW, the extra "v" after -v seems redundant.

So what I can conclude is that your application is missing the required permissions to call Power BI's APIs.

One thing you might try is grab one of our samples, create a new application in AAD for it, and then see if the authorization token works for it. Here's a good one to try: https://github.com/PowerBI/Integrate-a-tile-into-an-app

Yep, you're right about my `-vv`. Somewhere along the line I thought `curl` was one of those commands that increases verbosity with more `v`s, but [nope](http://stackoverflow.com/questions/24402473/what-is-meaning-of-vvv-option-in-curl-request). — cgrayson, Oct 06 '15 at 22:20

Can't get client-credentials access token to authorize Power BI

4 Answers4

Linked