0
votes

I used the article below to embed Power BI reports into my web app, but there is a security issue with this method. End users have access to the AccessToken we provide to the Power BI API, and by having that, they have access to all the other stuff on our account!

Is there any way to get the reports on the server side and show them to end users?

Integrate a Power BI tile or report into an app

1 Answer

0
votes

How are you generating the access token?

When I have used the above method that you are referencing, my application is authenticating with Azure AD and I have to specifically SHARE the report/dashboard I want the user to have access to. This means that when the user authenticates they would only ever be able to use the generated access token to see things they already have access to if they went to powerbi.com directly.

I am not sure exactly how you are setting this up, but if you are concerned about them having access to everything else in the account, it would seem to me you are generating this access token with some master user account and not using the logged-in user's credentials to generate the access token from AAD.

If this is what you are doing, you may want to look at the new Power BI Embedded service, as this might be a better direction to go in your scenario. I myself am moving to use the Power BI Embedded service so I do not have to rely on all users who need access to reports having a Power BI account. With this I am also in control of who can see what report without having to specifically share the report through powerbi.com.

Hope this helps.
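The distinction the answer draws (a token issued for a master account versus one issued for the signed-in user) can be checked on the server before any token reaches the browser. The following is an added example, not code from the question, the answer or the linked article; the allow-list of scopes, the account names and the sample tokens are constructed assumptions, and the payload is decoded without signature verification because the server is inspecting a token it has just obtained from AAD itself.

```python
import base64
import json

POWERBI_AUDIENCE = "https://analysis.windows.net/powerbi/api"
# Assumed policy: only these delegated scopes may ever be exposed to a browser.
READ_ONLY_SCOPES = {"Report.Read.All", "Dashboard.Read.All"}

def jwt_claims(token):
    """Decode the payload segment of a JWT (inspection only, no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def browser_token_findings(token, signed_in_upn):
    """Return the reasons this token must not be sent to the signed-in user's browser."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("aud") != POWERBI_AUDIENCE:
        findings.append("unexpected audience: %r" % claims.get("aud"))
    token_upn = (claims.get("upn") or "").lower()
    if token_upn != signed_in_upn.lower():
        # Token was issued for another identity, e.g. a shared master account.
        findings.append("token belongs to %r, not the signed-in user" % token_upn)
    extra = set(claims.get("scp", "").split()) - READ_ONLY_SCOPES
    if extra:
        findings.append("scopes beyond read-only: " + ", ".join(sorted(extra)))
    return findings

def make_sample_token(upn, scp):
    """Build an unsigned, JWT-shaped string (constructed sample data, not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": POWERBI_AUDIENCE, "upn": upn, "scp": scp}
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])

# Constructed samples: a master-account token and a per-user token.
MASTER_TOKEN = make_sample_token(
    "pbi-master@contoso.example",
    "Report.ReadWrite.All Dataset.ReadWrite.All Workspace.ReadWrite.All")
USER_TOKEN = make_sample_token(
    "alice@contoso.example", "Report.Read.All Dashboard.Read.All")

if __name__ == "__main__":
    for name, tok in (("master", MASTER_TOKEN), ("user", USER_TOKEN)):
        print(name, browser_token_findings(tok, "alice@contoso.example"))
```

A non-empty result means the page should not be rendered with that token; the per-user token passes because its identity matches the session and its scopes stay inside the allow-list.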