Bug in Power Query OAuth handshake

All replies

• 

  

  0

  Sign in to vote

  I confess that I haven't taken any time to absorb your traces. But right now, Power Query doesn't support arbitrary sites using OAuth; only a small number of whitelisted sites will work with it. We're quite aware of the need to provide more generalized OAuth support, but while I would personally describe it as "high priority" we don't currently have a timeframe for implementing it.

  Sunday, December 8, 2013 3:56 AM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  Hi Curt,

  I was about to respond "What?" when I saw "OAuth" in you response.

  Please re-read my post and replace OAuth with OData. Sorry I always confuse those when typing. 

  "I'd like to report a bug in the OData HTTP handshake."

  Sunday, December 8, 2013 4:18 AM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  Thanks for clarifying!

  This looks like it's not specific to OData; we don't let basic auth credentials follow HTTP redirects. This is actually the built-in behavior for the BCL's HttpWebRequest class. As there may be security implications for forwarding credentials to a new destination, I don't know how quickly we'll be able to resolve this.

  In any event, I've filed a bug.
  

  • Edited by Curt Hagenlocher Sunday, December 8, 2013 4:09 PM
  • Proposed as answer by Curt Hagenlocher Sunday, December 8, 2013 4:09 PM

  Sunday, December 8, 2013 3:00 PM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  Thanks. There is a work-around I wanted to share. One can on the server-side associate the auth sent in #3 with the URL sent in #4
  

  Sunday, December 8, 2013 5:36 PM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  Workaround sort of works. After further reflection, I take it back that it is a bug. The reason that PQ behaves differently from a browser is that the browser is stateless where the URL is involved. It goes where redirected and stays there. But in the PQ OData handshake, PQ has stored the original URL entered by the user and that is the URL it is going to use - regardless of redirects.

  Sunday, December 8, 2013 6:26 PM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  Well, PQ stores the credentials for a given URL in your user profile. The bug here is that it should prompt you for additional credentials if necessary. That is, if you initially specified that the credentials you enter should apply to everything underneath http://foo.com, then a redirect to http://foo.com/baz should use those same credentials while a redirect to http://bar.com/baz should ask for new credentials. This may seem a little more unwieldy than necessary, but it achieves the twin goals of 1) making this scenario work and 2) always letting the user know where their credentials are being forwarded.

  Sunday, December 8, 2013 8:22 PM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  You are right - there is a credentials bug.  I had specified with the radio that the credentials apply to root (http://foo.com in your example). 

  As for the redirect, which is a different issue, the ideal would be that if the service URL was a redirect that Power Query would reflect this redirect in the OData.Feed() code generated. So I'll call that a feature request and not a bug.

  Thanks,

  Chris

  • Marked as answer by Miguel.LlopisMicrosoft employee Monday, December 9, 2013 4:44 PM

  Monday, December 9, 2013 12:08 AM

  Reply

  |

  Quote