// The following code is based on JwtTokenValidation.AuthenticateRequest
private async Task <ClaimsIdentity> JwtTokenValidation_AuthenticateRequestAsync(Activity activity, string authHeader, ServiceClientCredentialsFactory credentialFactory, AuthenticationConfiguration authConfiguration, HttpClient httpClient, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
var isAuthDisabled = await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false);
if (!isAuthDisabled)
{
// No Auth Header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
}
// Check if the activity is for a skill call and is coming from the Emulator.
if (activity.ChannelId == Channels.Emulator && activity.Recipient?.Role == RoleTypes.Skill)
{
// Return an anonymous claim with an anonymous skill AppId
return(SkillValidation.CreateAnonymousSkillClaim());
}
// In the scenario where Auth is disabled, we still want to have the
// IsAuthenticated flag set in the ClaimsIdentity. To do this requires
// adding in an empty claim.
return(new ClaimsIdentity(new List <Claim>(), AuthenticationConstants.AnonymousAuthType));
}
// Validate the header and extract claims.
var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, credentialFactory, activity.ChannelId, authConfiguration, activity.ServiceUrl, httpClient, cancellationToken).ConfigureAwait(false);
AppCredentials.TrustServiceUrl(activity.ServiceUrl);
return(claimsIdentity);
}
public override async Task <AuthenticateRequestResult> AuthenticateStreamingRequestAsync(string authHeader, string channelIdHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
throw new UnauthorizedAccessException();
}
var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, channelIdHeader, null, cancellationToken).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId
});
}
/// <summary>
/// Generates the appropriate callerId to write onto the activity, this might be null.
/// </summary>
/// <param name="credentialFactory">A <see cref="ServiceClientCredentialsFactory"/> to use.</param>
/// <param name="claimsIdentity">The inbound claims.</param>
/// <param name="callerId">The default callerId to use if this is not a skill.</param>
/// <param name="cancellationToken">A cancellation token.</param>
/// <returns>The callerId, this might be null.</returns>
protected internal async Task <string> GenerateCallerIdAsync(ServiceClientCredentialsFactory credentialFactory, ClaimsIdentity claimsIdentity, string callerId, CancellationToken cancellationToken)
{
// Is the bot accepting all incoming messages?
if (await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
// Return null so that the callerId is cleared.
return(null);
}
// Is the activity from another bot?
return(SkillValidation.IsSkillClaim(claimsIdentity.Claims)
? $"{CallerIdConstants.BotToBotPrefix}{JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims)}"
: callerId);
}
// The following code is based on JwtTokenValidation.AuthenticateRequest
private async Task <ClaimsIdentity> JwtTokenValidation_AuthenticateRequestAsync(Activity activity, string authHeader, ServiceClientCredentialsFactory credentialFactory, AuthenticationConfiguration authConfiguration, HttpClient httpClient, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
var isAuthDisabled = await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false);
if (isAuthDisabled)
{
// In the scenario where Auth is disabled, we still want to have the
// IsAuthenticated flag set in the ClaimsIdentity. To do this requires
// adding in an empty claim.
return(new ClaimsIdentity(new List <Claim>(), "anonymous"));
}
// No Auth Header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
}
var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, credentialFactory, activity.ChannelId, authConfiguration, activity.ServiceUrl, httpClient, cancellationToken).ConfigureAwait(false);
AppCredentials.TrustServiceUrl(activity.ServiceUrl);
return(claimsIdentity);
}
public Task <bool> IsAuthenticationDisabledAsync()
{
return(_credentialFactory.IsAuthenticationDisabledAsync(CancellationToken.None));
}
