For the app owns data scenario the web app is dependent on
the Power BI code module to generate the tokens needed to authenticate against the Power BI Service when embedding reports. For the user owns
data scenario the web app triggers authentication agains Azure AD (AAD) on page load and generates an access token for the user when selecting a report
which it then uses to authenticate against the Power BI Service. The
adal.js library is used to handle authentication agains AAD.
Both embedded tokens generated by the code module and access token from AAD have a limited lifetime. To ensure a report continues working over time, a timer is set once the report is embedded that silently generates a new token 2 minutes before the token expires. For the app owns data scenario an ajax call is made to the code module to get a new token, while in the user owns data scenario a new token is generated by performing an authorize request agains AAD in a hidden iframe.
The web app,
dw-powerbi-show-report, is available in Pims R4 Dev here.
The available reports are loaded from the data source
dsPowerBIReports which looads data from
There is another web app that let's a user register which reports should be available for embedding in this web app. A name for the report, which is displayed in this web apps dropdown, as well as an embed URL for the report from Power BI Service is registered. The embed URL for a report can be found in the Power BI Service by opening the report and selecting File --> Embed. The embed URL is the URL displayed in the first text box.
The web app for adding reports for embedding,
dw-powerbi-add-report, is available in Pims R4 Dev here.
There is a variable,
appOwnsData, at the top of the Main Script for the web app that controls which embedding scenario the web app uses. Set it
true for app owns data and
false for user owns data.
For the app owns data scenario the code module will also need to be configured. See the Power Bi code module documentation for more information.
When generating embedded tokens for the app owns data scenario, the tokens are generated for a specific report within a specific workspace.
If the embed url for the report contains a
groupId parameter, the value of this parameter will be used as the
groupId when generating an embedded token.
If not, the web app will assume the report is published to the workspace with the id specified in the variable
defaultGroupId, located in the web apps Main Script,
and use this id when generating a token.
For the user owns data scenario Azure AD authentication will need to be configured for the web app.
To be able to log users in to Azure AD the web app must be registered as an applicaiton within Azure AD. Details for how to do this can be found here.
When the application is created in Azure AD it must be configured as follows:
Once the application is registered and configured in Azure AD you need to copy the Application (client) ID from the Overview pane as it is needed to configure the web app.
At the top of the web apps Main Script there is a variable,
config, that is used to configure the Azure AD authentication.
config.clientId to the Application (client) ID for the application registered in Azure AD.
true, the web app will attempt to trigger the Azure AD authentication in a popup window. If set to
false, the web app will trigger the authentication by redirecting to Azure AD. This is also the fallback behavior if popups are blocked
for the web apps domain.