private async Task <ClaimsIdentity> RunTestCase(IConfigurationRetriever <IDictionary <string, HashSet <string> > > configRetriever, string[] requiredEndorsements = null) { var tokenExtractor = new JwtTokenExtractor( emptyClient, EmulatorValidation.ToBotFromEmulatorTokenValidationParameters, AuthenticationConstants.ToBotFromEmulatorOpenIdMetadataUrl, AuthenticationConstants.AllowedSigningAlgorithms, new ConfigurationManager <IDictionary <string, HashSet <string> > >("http://test", configRetriever)); string header = $"Bearer {await new MicrosoftAppCredentials(EnvironmentConfig.TestAppId(), EnvironmentConfig.TestAppPassword()).GetTokenAsync()}"; return(await tokenExtractor.GetIdentityAsync(header, "testChannel", requiredEndorsements)); }
private static Task <ClaimsIdentity> BuildExtractorAndValidateToken(X509Certificate2 cert, TokenValidationParameters validationParameters = null) { // Custom validation parameters that allow us to test the extractor logic var tokenValidationParams = validationParameters ?? CreateTokenValidationParameters(cert); // Build Jwt extractor to be tested var tokenExtractor = new JwtTokenExtractor( Client, tokenValidationParams, "https://login.botframework.com/v1/.well-known/openidconfiguration", AuthenticationConstants.AllowedSigningAlgorithms); var token = CreateTokenForCertificate(cert); return(tokenExtractor.GetIdentityAsync($"Bearer {token}", "test")); }
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next) { MicrosoftAppId = MicrosoftAppId ?? BotOptions?.Authentication?.MicrosoftAppId ?? string.Empty; if (Debugger.IsAttached && String.IsNullOrEmpty(MicrosoftAppId)) { // then auth is disabled await next(); return; } var tokenExtractor = new JwtTokenExtractor(JwtConfig.GetToBotFromChannelTokenValidationParameters(MicrosoftAppId), OpenIdConfigurationUrl); var request = context.HttpContext.GetHttpRequestMessage(); var identity = await tokenExtractor.GetIdentityAsync(request); // No identity? If we're allowed to, fall back to MSA // This code path is used by the emulator if (identity == null && !DisableSelfIssuedTokens) { tokenExtractor = new JwtTokenExtractor(JwtConfig.ToBotFromMSATokenValidationParameters, JwtConfig.ToBotFromMSAOpenIdMetadataUrl); identity = await tokenExtractor.GetIdentityAsync(request); // Check to make sure the app ID in the token is ours if (identity != null) { // If it doesn't match, throw away the identity if (tokenExtractor.GetBotIdFromClaimsIdentity(identity) != MicrosoftAppId) { identity = null; } } } // Still no identity? Fail out. if (identity == null) { var host = request.RequestUri.DnsSafeHost; context.HttpContext.Response.Headers.Add("WWW-Authenticate", $"Bearer realm=\"{host}\""); context.Result = new StatusCodeResult(StatusCodes.Status401Unauthorized); return; } var activity = context.ActionArguments.Select(t => t.Value).OfType <Activity>().FirstOrDefault(); if (activity != null) { MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl); } else { // No model binding to activity check if we can find JObject or JArray var obj = context.ActionArguments.Where(t => t.Value is JObject || t.Value is JArray).Select(t => t.Value).FirstOrDefault(); if (obj != null) { Activity[] activities = (obj is JObject) ? new Activity[] { ((JObject)obj).ToObject <Activity>() } : ((JArray)obj).ToObject <Activity[]>(); foreach (var jActivity in activities) { if (!string.IsNullOrEmpty(jActivity.ServiceUrl)) { MicrosoftAppCredentials.TrustServiceUrl(jActivity.ServiceUrl); } } } else { Trace.TraceWarning("No activity in the Bot Authentication Action Arguments"); } } var principal = new ClaimsPrincipal(identity); Thread.CurrentPrincipal = principal; // Inside of ASP.NET this is required if (context.HttpContext != null) { context.HttpContext.User = principal; } await next(); }
private static async Task <Response> GetResponse(INancyModule module, NancyContext ctx) { MicrosoftAppId = MicrosoftAppId ?? ConfigurationManager.AppSettings[MicrosoftAppIdSettingName ?? "MicrosoftAppId"]; if (Debugger.IsAttached && string.IsNullOrEmpty(MicrosoftAppId)) { // then auth is disabled return(null); } var tokenExtractor = new JwtTokenExtractor(JwtConfig.GetToBotFromChannelTokenValidationParameters(MicrosoftAppId), OpenIdConfigurationUrl); var identity = await tokenExtractor.GetIdentityAsync(ctx.Request.Headers.Authorization); // No identity? If we're allowed to, fall back to MSA // This code path is used by the emulator if (identity == null && !DisableSelfIssuedTokens) { tokenExtractor = new JwtTokenExtractor(JwtConfig.ToBotFromMSATokenValidationParameters, JwtConfig.ToBotFromMSAOpenIdMetadataUrl); identity = await tokenExtractor.GetIdentityAsync(ctx.Request.Headers.Authorization); // Check to make sure the app ID in the token is ours if (identity != null) { // If it doesn't match, throw away the identity if (tokenExtractor.GetBotIdFromClaimsIdentity(identity) != MicrosoftAppId) { identity = null; } } } // Still no identity? Fail out. if (identity == null) { //https://github.com/Microsoft/BotBuilder/blob/master/CSharp/Library/Microsoft.Bot.Connector/JwtTokenExtractor.cs#L87 //tokenExtractor.GenerateUnauthorizedResponse(actionContext); return(new Response { StatusCode = HttpStatusCode.Unauthorized, Headers = new Dictionary <string, string>() { { "WWW-Authenticate", $"Bearer realm=\"{ctx.Request.Url.HostName}\"" } } }); } var activity = module.Bind <Activity>(); if (!string.IsNullOrWhiteSpace(activity.ServiceUrl)) { MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl); } else { Trace.TraceWarning("No activity in the Bot Authentication Action Arguments"); } ctx.CurrentUser = new ClaimsPrincipal(identity); return(null); }