2

I'm trying to embed Azure Time Series Insights. The stub application provides the code to do that. I created an app registration and added Time Series Insights API permissions to it. I also created my own Time Series environment with an event source.

Now the authentication in the JS library is achieved using ADAL with this piece of code.

```javascript
var authContext = new AuthenticationContext({
    clientId: 'xxxxx',
    postLogoutRedirectUri: 'https://insights.timeseries.azure.com',
    cacheLocation: 'localStorage'
});
```

And with this piece of code I'm getting an access token.

```javascript
var promise = new Promise(function (resolve, reject) {
    authContext.acquireToken(
        'https://api.timeseries.azure.com/',
        function (error, token) {
            // Debug output only: remove before deployment so the bearer token
            // is not written to the browser console
            console.log(token);

            if (error || !token) {
                console.log('Here');
                // TODO: Handle error obtaining access token
                document.getElementById('api_response').textContent = error;
                document.getElementById('loginModal').style.display = "block";
                document.getElementById('api_response2').textContent = '';
                // Settle the promise so callers are not left waiting forever
                reject(error || 'No access token returned');
                return;
            }

            //console.log('Token is ' + token);

            // Use the access token
            document.getElementById('api_response').textContent = '';
            document.getElementById('api_response2').textContent = '';
            document.getElementById('loginModal').style.display = "none";
            resolve(token);
        }
    );
});
```

Now, if I want to embed this application for all users and not just me, what would I do? If I remove myself from Data Access policies within the Time Series environment, I get a 404 saying resource not found. Can I use any other authentication method?

Can I simply use the app registration itself with client ID and secret?

Alberto Vega
MAK
  • Hi, can you please share more detail if possible about the scenario you are trying to enable? Who are your users? Is this a business to business scenario? – Alberto Vega Jun 18 '19 at 01:08
  • Have you seen this guide? https://learn.microsoft.com/en-us/azure/active-directory/develop/ – Alberto Vega Jun 18 '19 at 01:22
  • @AlbertoVega-MSFT I'm trying to use client credentials grant flow in JS instead of ADAL. I want the app registration to impersonate the user instead of prompting the user to log in. – MAK Jun 18 '19 at 01:58
  • By the way, is there a specific reason why you do not want to use the ADAL library? – Alberto Vega Jun 19 '19 at 19:13

1 Answer

2

Presently you are following the best mechanism for creating a client-only application on Time Series Insights. Ideally you would add all users that you intend to use the application to the data access policies for that environment. If you had a server side, you could issue requests using a service principal, but that would likely complicate your architecture. A more convenient solution would be adding an AAD group to the data access policies, but it's not presently supported... That feature is being tracked in the product backlog. Hopefully that helps!

  • I'm also happy to discuss your scenario if you are building a custom app on Time Series Insights... I maintain the JS SDK aka [tsiclient](https://github.com/Microsoft/tsiclient) – Matt Darsney Jun 19 '19 at 00:57
  • Thank you for your comment. Is it possible to use client credentials to embed time series? – MAK Jun 19 '19 at 12:13
  • I'm not familiar with that configuration for any app really, but would be interested to learn about it if you have an example. I'm not sure that a client application can be added to a data access policy, or if a client application as an entity can even jump through the necessary oauth hoops to get an idtoken + access token for TSI. The most common configuration for allowing access for a wide range of users would be granting access to an application for an entire tenant, and proxying calls from the web application to the server side where requests are made on behalf of a service principal – Matt Darsney Jun 19 '19 at 19:53
  • Is there any update on this case? I want to have a Service Principal without a backend. Security isn't an issue! – codlix Jan 16 '20 at 21:46
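
The server-side arrangement mentioned in the answer and its comments (a proxy that calls Time Series Insights on behalf of a service principal), shown as an added Node.js example; it is not code from the original posts or from tsiclient. It assumes the service principal has been granted access to the environment, and the environment FQDN, the allowlisted paths, and all function names are placeholders chosen for illustration.

```javascript
// Server-side only (Node.js 18+). The client secret stays here and never reaches the browser.
const TSI_RESOURCE = 'https://api.timeseries.azure.com/'; // resource URI used in the question
const ENV_FQDN = 'example-env.env.timeseries.azure.com';  // placeholder environment host

// Build the Azure AD (v1 endpoint) client-credentials token request.
// tenantId, clientId and clientSecret come from server configuration (assumed names).
function buildTokenRequest({ tenantId, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    resource: TSI_RESOURCE,
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/token`,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Keep the token in server memory and refresh it one minute before it expires.
function createTokenProvider(cfg, fetchImpl = globalThis.fetch, now = Date.now) {
  let cached = null;
  return async function getToken() {
    if (cached && now() < cached.expiresAt - 60000) return cached.token;
    const { url, init } = buildTokenRequest(cfg);
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json();
    cached = { token: json.access_token, expiresAt: now() + Number(json.expires_in) * 1000 };
    return cached.token;
  };
}

// The service principal can read the whole environment, so the proxy forwards only an
// explicit allowlist of "METHOD /path" pairs (hypothetical list) on the fixed host.
const ALLOWED = new Set(['GET /availability', 'POST /events', 'POST /aggregates']);
function upstreamUrl(method, rawPath) {
  let url;
  try { url = new URL(rawPath, `https://${ENV_FQDN}`); } catch { return null; }
  if (url.origin !== `https://${ENV_FQDN}`) return null; // rejects //other-host and absolute URLs
  const key = `${String(method).toUpperCase()} ${url.pathname}`; // pathname is already normalized
  return ALLOWED.has(key) ? url.origin + url.pathname + url.search : null;
}
```

The proxy still has to authenticate its own callers before forwarding anything, because every upstream request carries the service principal's access rather than the end user's.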