We have a Ruby on Rails application and we use the Omniauth gem to set up OAuth access for our users to several APIs. The Microsoft Graph API is one of these. Now we want to add the Microsoft Power BI API.

We usually use an Omniauth "plugin" gem specific to the API. These gems facilitate the process specific for that API by calling specific API methods and using specific attributes in the data provided, but the process is the same for all these APIs. For Power BI no such plugin gem is available.

The generic process that Omniauth uses to create OAuth access (create an access token) for a user is:

  1. request the access token from the API and
  2. request information of the user (using that access token)
  3. create a user specific record containing an identifier for that person (uid), general information of the user (email/name) and the access token

The problem we run into occurs because the Power BI API does not seem to have a method to retrieve user information. This method is available on the Microsoft Graph API (https://graph.microsoft.com/v1.0/me) so we tried using that. This leads to the following two problems:

  1. You need to specify a scope on the API requests and that scope has to also be defined on the app on the Microsoft Azure Portal (AAD). The key and secret of that app are also used on the request to the API. It is possible to add a scope for the Graph API and Power BI API on the app. However, combining the scopes of these APIs when calling the Power BI API leads to exceptions.
  2. After getting an access token from the Power BI API using a scope that is limited to the Power BI API, it is not possible to request user information from the Graph API with that access token.

So we see no possibility to finish the Omniauth process to create user specific records with all the data that is needed to do subsequent OAuth-authorised API calls for those users.

How can we

  • either get user identifying information from the Power BI API,
  • or get the required information from the Graph API using the access token granted by the Power BI API
  • or is there another way that we can get the Omniauth approach to work for the Power BI API?
Bob Groeneveld

1 Answer

I have no experience with either the Microsoft Graph API or the Microsoft Power BI API, so these are general thoughts on how to solve this using OAuth.

How can you get user identifying information from the Power BI API?

You can't. As you said, it doesn't exist: "the Power BI API does not seem to have a method to retrieve user information".

How can we get the required information from the Graph API using the access token granted by the Power BI API?

Again, you can't. This is a dead end as the Power BI API will not accept a token with the combined scopes.

Is there another way that we can get the Omniauth approach to work for the Power BI API?

Since you can't combine the scopes, I think you will need to request two access tokens, one for each API. So, the thing to be solved here is how do you execute two OAuth sequences in the context of one request? Writing a custom OmniAuth strategy is one approach, but then you lose all the value in the "plugin" gem. I would try to still use the "plugin" gem, but in your callbacks controller, execute a redirect to the second OmniAuth route to step through the OAuth sequence for the Power BI API. You'd need to find an OmniAuth OAuth2 gem that's generic enough to use for the Power BI API (this could use the skip_info option since an info endpoint doesn't exist). You'd also need to persist the OmniAuth hash from the Graph API authentication in a different location, so it's not overwritten when you authenticate to the Power BI API.

Jason S.
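
The two-step flow suggested in the answer above, as an added example that is not part of the original post: a plain-Ruby model (no Rails) of the two callbacks, where identity comes only from the Graph hash and the Power BI token is attached to it. The provider names, the `/auth/power_bi` route, `PENDING_TTL` and the record layout are assumptions.

```ruby
# Added example: plain-Ruby model of the two-step callback flow (no Rails needed).
# Provider names, route, PENDING_TTL and the record layout are assumptions.
PENDING_KEY = "pending_graph_identity"
PENDING_TTL = 300 # seconds allowed between the two OAuth round trips

class TwoStepLinker
  attr_reader :records

  def initialize(session, clock: -> { Time.now.to_i })
    @session = session # stands in for the Rails session
    @clock = clock
    @records = {}      # stands in for the per-user token table, keyed by uid
  end

  # Callback 1 (Graph): keep identity fields only; the Graph token is not copied.
  def graph_callback(auth)
    @session[PENDING_KEY] = {
      "uid" => auth.fetch("uid"),
      "email" => auth.dig("info", "email"),
      "name" => auth.dig("info", "name"),
      "at" => @clock.call
    }
    "/auth/power_bi" # next step: the second OmniAuth request route
  end

  # Callback 2 (Power BI, no info endpoint): attach the token to the pending identity.
  def power_bi_callback(auth)
    pending = @session.delete(PENDING_KEY) # single use, so a replay finds nothing
    return :rejected if pending.nil? || @clock.call - pending["at"] > PENDING_TTL
    creds = auth.fetch("credentials")
    @records[pending["uid"]] = {
      "email" => pending["email"], "name" => pending["name"],
      "power_bi_token" => creds.fetch("token"),
      "power_bi_refresh_token" => creds["refresh_token"],
      "power_bi_expires_at" => creds["expires_at"]
    }
    :linked
  end
end

# Constructed sample auth hashes in OmniAuth's auth-hash layout (not real data).
GRAPH_AUTH = { "provider" => "microsoft_graph", "uid" => "sample-uid-1",
  "info" => { "email" => "user@example.com", "name" => "Sample User" },
  "credentials" => { "token" => "graph-token-sample" } }.freeze
POWER_BI_AUTH = { "provider" => "power_bi", "uid" => nil, "info" => {},
  "credentials" => { "token" => "pbi-token-sample",
                     "refresh_token" => "pbi-refresh-sample",
                     "expires_at" => 1_700_003_600 } }.freeze
```

With OmniAuth 2.x the request phase accepts only POST by default, so the hand-off to the second route may need an auto-submitting form rather than a plain redirect.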