连接到 Power BI API 时收到“禁止 (403)"

本文介绍了连接到 Power BI API 时收到“禁止 (403)"的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我们一直在尝试关注 这篇 Power BI 文章，以便我们可以在我们的 SaaS 产品中嵌入报表/仪表板.具体来说，我们停留在第 3 步，创建嵌入令牌".

我们能够很好地获取不记名令牌，但是当检索报告的请求最终提交给我们收到的 API 时:操作返回了无效的状态代码禁止"

私有静态字符串 clientId = "...";私有静态字符串 secretKey = "...";私有静态字符串 groupId = "...";静态无效主要(字符串 [] 参数){string resourceUri = "analysis.windows/powerbi/api";string authorityUri = "login.windows/common/oauth2/authorize";ClientCredential credential = new ClientCredential(clientId, secretKey);AuthenticationContext authContext = new AuthenticationContext(authorityUri);var token = authContext.AcquireTokenAsync(resourceUri, credential).Result.AccessToken;var tokenCredentials = new TokenCredentials(token, "Bearer");使用 (var client = new PowerBIClient(new Uri("api.powerbi/"), tokenCredentials)){var 报告 = client.Reports.GetReportsInGroupWithHttpMessagesAsync(groupId);//!!!- 这里是抛出异常的地方//!!!-- 操作返回一个无效的状态码'Forbidden'var 报告 = 报告.结果.正文；}}

这是我们尝试过的:

• 已授予所需权限(我们已全部核对以确保没有遗漏任何内容).这包括 Windows Azure Active Directory/Power BI 服务.
• 我们已确认客户端 ID、密钥和组 ID 正确无误.
• Power BI 工作空间是私有的，但我们已尝试将其设为公开，以确保它不重要.
• 最后，我们通过代码收到的令牌与 powerbi 上的令牌匹配.

解决方案

您正在使用客户端凭据流来获取 Power BI API 的令牌.目前，Power BI REST API 仅支持委派权限，不支持任何应用程序权限.因此，您的访问令牌获得的访问权限不足.若要使用 Power BI，身份验证需要基于特定用户.相关线程这里和这里 供您参考.

根据您的 文档 ，场景是应用拥有对数据的访问权限.用户不一定是 Power BI 用户，应用程序控制最终用户的身份验证和访问.然后就可以使用资源所有者流程来获取token了.

在 应用拥有数据示例.

从代码示例中，它使用用户密码凭证而不是应用程序的凭证来获取令牌:

//创建用户密码凭证.var credential = new UserPasswordCredential(用户名，密码)；//使用创建的凭据进行身份验证var authenticationContext = new AuthenticationContext(AuthorityUrl);var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

请参考验证用户和获取 Power BI 应用的 Azure AD 访问令牌 并检查 非 Power BI 用户的访问令牌(应用拥有数据) 部分.

We've been trying to follow this Power BI article so that we can embed reports/dashboards in our SaaS product. Specifically, we're stuck at Step 3, 'Create the Embed Token.'

We're able to obtain an bearer token just fine but when the request to retrieve the reports is ultimately submitted to the API we receive:Operation returned an invalid status code 'Forbidden'

private static string clientId = "..."; private static string secretKey = "..."; private static string groupId = "..."; static void Main(string[] args) { string resourceUri = "analysis.windows/powerbi/api"; string authorityUri = "login.windows/common/oauth2/authorize"; ClientCredential credential = new ClientCredential(clientId, secretKey); AuthenticationContext authContext = new AuthenticationContext(authorityUri); var token = authContext.AcquireTokenAsync(resourceUri, credential).Result.AccessToken; var tokenCredentials = new TokenCredentials(token, "Bearer"); using (var client = new PowerBIClient(new Uri("api.powerbi/"), tokenCredentials)) { var reports = client.Reports.GetReportsInGroupWithHttpMessagesAsync(groupId); // !!! - Here's where the exception is thrown // !!! -- Operation returned an invalid status code 'Forbidden' var report = reports.Result.Body; } }

Here's what we've tried:

• The required permissions have been granted (we've checked off all to ensure we're not missing anything). This includes both Windows Azure Active Directory/Power BI Service.
• We've confirmed that the client ID, secret key and group id are correct.
• The Power BI work-space is private, but we've tried making a public one to be sure it doesn't matter.
• Finally, the token we receive via code matches the token on powerbi.

解决方案

You are using client credential flow to acquire token for Power BI API . Currently , Power BI REST API only supports delegated permissions but does not support any application permissions . So your access token get insufficient access. To use Power BI, authentication needs to be based on a particular user. Related thread here and here are for your reference .

According to your document ,the scenario is app owns access to the data. Users will not necessarily be Power BI users and the application controls authentication and access for the end users. Then you can use resource owner flow to acquiring token .

A sample of this is available within ControllersHomeController.cs of the App Owns Data sample.

From the code sample , it is acquring token using a user password credential ,not application's credential :

// Create a user password cradentials. var credential = new UserPasswordCredential(Username, Password); // Authenticate using created credentials var authenticationContext = new AuthenticationContext(AuthorityUrl); var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

Please refer to Authenticate users and get an Azure AD access token for your Power BI app and check the Access token for non-Power BI users (app owns data) section .