Problem statement
Problem
Embedded Fabric apps using Rayfin auth cannot call Fabric APIs (like Data Agent) because Rayfin tokens are scoped to the Rayfin API audience, not https://api.fabric.microsoft.com.
When a user authenticates via Fabric SSO (initEmbeddedAuth), Rayfin validates their identity and issues Rayfin-scoped tokens. These tokens work great for Rayfin's GraphQL data API, but cannot be used to call downstream Fabric services like:
- Data Agent API (`/v1/workspaces/{ws}/dataagents/{da}/aiassistant/openai/...`)
- Other Fabric REST APIs that require `https://api.fabric.microsoft.com/.default` scope
Current workarounds (all broken for embedded scenarios)
| Approach | Why it fails |
|---|---|
| MSAL `ssoSilent()` | Times out — third-party cookies blocked in iframes |
| MSAL popup (`loginPopup`) | Blocked — `login.microsoftonline.com` refuses to load in popups opened from iframes (`ERR_BLOCKED_BY_RESPONSE`) |
| Fabric embed SDK | Only supports DAX queries via `postMessage`, not arbitrary Fabric API calls |
The user is already authenticated in Fabric (they're viewing the embedded app), but there's no way to obtain a token for Fabric APIs.
Environment
- `@microsoft/rayfin-client`: 1.x
- `@microsoft/rayfin-auth-provider-fabric`: 1.32.0
- App hosted in Fabric portal as embedded item
- Browser: Edge/Chrome (iframe context)
Proposed solution
Add OBO (On-Behalf-Of) token exchange support to acquire downstream Fabric tokens from the Rayfin backend.
Option A: Client-side method to request downstream token
```javascript
// After initEmbeddedAuth() succeeds
const fabricToken = await client.auth.acquireTokenForResource(
  "https://api.fabric.microsoft.com/.default"
);
// Use token to call Fabric APIs directly
const response = await fetch("https://api.fabric.microsoft.com/v1/...", {
  headers: { Authorization: `Bearer ${fabricToken}` }
});
```
Option B: Backend proxy endpoint
```javascript
// Rayfin backend performs OBO exchange and forwards the request
const response = await client.fabric.proxy({
  url: "https://api.fabric.microsoft.com/v1/workspaces/{ws}/dataagents/{da}/aiassistant/openai/assistants",
  method: "POST",
  body: { model: "not-used" }
});
```
Option B has the advantage of keeping Fabric tokens server-side and potentially caching them.
Use case
Building an embedded dashboard app in Fabric that includes a chatbot powered by Fabric Data Agent. The dashboard already uses Rayfin for auth and displays data via DAX queries. We want the chatbot to query the same data using the Data Agent's natural language interface.
Current state: User is authenticated via Fabric SSO → Rayfin session is active → Dashboard loads data successfully via DAX → But cannot call Data Agent API because we can't get a Fabric token.
Alternatives considered
No response
Additional context
The Fabric embed SDK (@microsoft/fabric-app-data-embed-client) uses postMessage to communicate with the parent Fabric portal, which holds the actual Fabric token. This works for DAX queries because the parent proxies them. For arbitrary Fabric API calls, there's no equivalent mechanism.
An OBO flow on the Rayfin backend would solve this cleanly — the backend can exchange the Rayfin session for a Fabric token using Azure AD's OBO grant, then either return it to the client or proxy the request.
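Added example, not part of the original issue and not Rayfin code: the checks a backend for Option B would need before attaching an OBO-acquired Fabric token to a caller-chosen URL, plus the form body of the Microsoft identity platform on-behalf-of request. The function names, the path allowlist and the ID character set are assumptions, and the OBO `assertion` is assumed to be a user access token issued for the backend's own app registration.

```javascript
// Added example (not Rayfin code). All function names and the allowlist are hypothetical.
const FABRIC_HOST = "api.fabric.microsoft.com";
const FABRIC_SCOPE = "https://api.fabric.microsoft.com/.default";
const ALLOWED_METHODS = new Set(["GET", "POST"]);
// Assumed policy: forward only the Data Agent route named in the issue; IDs are [A-Za-z0-9_-].
const ALLOWED_PATH = /^\/v1\/workspaces\/[\w-]+\/dataagents\/[\w-]+\/aiassistant\/openai\/[\w\-/]*$/;

// Returns the normalized URL to forward to, or throws if the request must be refused.
function validateProxyTarget(rawUrl, method) {
  if (!ALLOWED_METHODS.has(String(method).toUpperCase())) throw new Error("method not allowed");
  const u = new URL(rawUrl); // throws on malformed input and resolves ".." segments
  if (u.protocol !== "https:") throw new Error("https required");
  if (u.username || u.password) throw new Error("userinfo not allowed");
  if (u.hostname !== FABRIC_HOST || u.port !== "") throw new Error("host not allowed");
  if (!ALLOWED_PATH.test(u.pathname)) throw new Error("path not allowed");
  return u.href;
}

// Form body for the on-behalf-of grant; the response's access_token stays on the server.
function buildOboRequest({ tenantId, clientId, clientSecret, userAssertion }) {
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: clientId,
    client_secret: clientSecret,
    assertion: userAssertion,
    scope: FABRIC_SCOPE,
    requested_token_use: "on_behalf_of",
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    body: body.toString(),
  };
}

// The token is attached server-side; caller-supplied headers are never forwarded.
function buildForwardRequest({ url, method, body }, fabricToken) {
  return {
    url: validateProxyTarget(url, method),
    method: String(method).toUpperCase(),
    headers: { Authorization: `Bearer ${fabricToken}`, "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}
```

Without the host and path checks, a proxy that accepts an arbitrary `url` would send the user's Fabric token to whatever origin the caller names.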