/// <summary>
/// Authenticates the auth header token from the request.
/// </summary>
private static async Task <ClaimsIdentity> AuthenticateTokenAsync(string authHeader, ICredentialProvider credentials, IChannelProvider channelProvider, string channelId, AuthenticationConfiguration authConfig, string serviceUrl, HttpClient httpClient)
{
if (SkillValidation.IsSkillToken(authHeader))
{
return(await SkillValidation.AuthenticateChannelToken(authHeader, credentials, channelProvider, httpClient, channelId, authConfig).ConfigureAwait(false));
}
if (EmulatorValidation.IsTokenFromEmulator(authHeader))
{
return(await EmulatorValidation.AuthenticateEmulatorToken(authHeader, credentials, channelProvider, httpClient, channelId, authConfig).ConfigureAwait(false));
}
if (channelProvider == null || channelProvider.IsPublicAzure())
{
// No empty or null check. Empty can point to issues. Null checks only.
if (serviceUrl != null)
{
return(await ChannelValidation.AuthenticateChannelToken(authHeader, credentials, serviceUrl, httpClient, channelId, authConfig).ConfigureAwait(false));
}
return(await ChannelValidation.AuthenticateChannelToken(authHeader, credentials, httpClient, channelId, authConfig).ConfigureAwait(false));
}
if (channelProvider.IsGovernment())
{
return(await GovernmentChannelValidation.AuthenticateChannelToken(authHeader, credentials, serviceUrl, httpClient, channelId, authConfig).ConfigureAwait(false));
}
return(await EnterpriseChannelValidation.AuthenticateChannelToken(authHeader, credentials, channelProvider, serviceUrl, httpClient, channelId, authConfig).ConfigureAwait(false));
}
// The following code is based on JwtTokenValidation.AuthenticateRequest
private async Task <ClaimsIdentity> JwtTokenValidation_AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
var isAuthDisabled = await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false);
if (!isAuthDisabled)
{
// No Auth Header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
}
// Check if the activity is for a skill call and is coming from the Emulator.
if (activity.ChannelId == Channels.Emulator && activity.Recipient?.Role == RoleTypes.Skill)
{
// Return an anonymous claim with an anonymous skill AppId
return(SkillValidation.CreateAnonymousSkillClaim());
}
// In the scenario where Auth is disabled, we still want to have the
// IsAuthenticated flag set in the ClaimsIdentity. To do this requires
// adding in an empty claim.
return(new ClaimsIdentity(new List <Claim>(), AuthenticationConstants.AnonymousAuthType));
}
// Validate the header and extract claims.
var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, activity.ChannelId, activity.ServiceUrl, cancellationToken).ConfigureAwait(false);
return(claimsIdentity);
}
private async Task JwtTokenValidation_ValidateClaimsAsync(IEnumerable <Claim> claims)
{
if (_authConfiguration.ClaimsValidator != null)
{
// Call the validation method if defined (it should throw an exception if the validation fails)
var claimsList = claims as IList <Claim> ?? claims.ToList();
await _authConfiguration.ClaimsValidator.ValidateClaimsAsync(claimsList).ConfigureAwait(false);
}
else if (SkillValidation.IsSkillClaim(claims))
{
throw new UnauthorizedAccessException("ClaimsValidator is required for validation of Skill Host calls.");
}
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation_AuthenticateRequestAsync(activity, authHeader, cancellationToken).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
var connectorFactory = new ConnectorFactoryImpl(BuiltinBotFrameworkAuthentication.GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _toChannelFromBotLoginUrl, _validateAuthority, _credentialFactory, _httpClientFactory, _logger);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId, ConnectorFactory = connectorFactory
});
}
private async Task <ClaimsIdentity> JwtTokenValidation_AuthenticateTokenAsync(string authHeader, string channelId, string serviceUrl, CancellationToken cancellationToken)
{
if (SkillValidation.IsSkillToken(authHeader))
{
return(await SkillValidation_AuthenticateChannelTokenAsync(authHeader, channelId, cancellationToken).ConfigureAwait(false));
}
if (EmulatorValidation.IsTokenFromEmulator(authHeader))
{
return(await EmulatorValidation_AuthenticateEmulatorTokenAsync(authHeader, channelId, cancellationToken).ConfigureAwait(false));
}
return(await GovernmentChannelValidation_AuthenticateChannelTokenAsync(authHeader, serviceUrl, channelId, cancellationToken).ConfigureAwait(false));
}
/// <inheritdoc/>
public override Task ValidateClaimsAsync(IList <Claim> claims)
{
if (SkillValidation.IsSkillClaim(claims))
{
// Check that the appId claim in the skill request is in the list of skills configured for this bot.
var appId = JwtTokenValidation.GetAppIdFromClaims(claims);
if (!_allowedSkills.Contains(appId))
{
throw new UnauthorizedAccessException($"Received a request from an application with an appID of \"{appId}\". To enable requests from this skill, add the skill to your configuration file.");
}
}
return(Task.CompletedTask);
}
private async Task <ClaimsIdentity> JwtTokenValidation_AuthenticateTokenAsync(string authHeader, ServiceClientCredentialsFactory credentialFactory, string channelId, AuthenticationConfiguration authConfiguration, string serviceUrl, HttpClient httpClient, CancellationToken cancellationToken)
{
if (SkillValidation.IsSkillToken(authHeader))
{
return(await SkillValidation_AuthenticateChannelTokenAsync(authHeader, credentialFactory, httpClient, channelId, authConfiguration, cancellationToken).ConfigureAwait(false));
}
if (EmulatorValidation.IsTokenFromEmulator(authHeader))
{
return(await EmulatorValidation_AuthenticateEmulatorTokenAsync(authHeader, credentialFactory, httpClient, channelId, authConfiguration, cancellationToken).ConfigureAwait(false));
}
return(await GovernmentChannelValidation_AuthenticateChannelTokenAsync(authHeader, credentialFactory, serviceUrl, httpClient, channelId, authConfiguration, cancellationToken).ConfigureAwait(false));
}
/// <summary>
/// Generates the appropriate callerId to write onto the activity, this might be null.
/// </summary>
/// <param name="credentialFactory">A <see cref="ServiceClientCredentialsFactory"/> to use.</param>
/// <param name="claimsIdentity">The inbound claims.</param>
/// <param name="callerId">The default callerId to use if this is not a skill.</param>
/// <param name="cancellationToken">A cancellation token.</param>
/// <returns>The callerId, this might be null.</returns>
protected internal async Task <string> GenerateCallerIdAsync(ServiceClientCredentialsFactory credentialFactory, ClaimsIdentity claimsIdentity, string callerId, CancellationToken cancellationToken)
{
// Is the bot accepting all incoming messages?
if (await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
// Return null so that the callerId is cleared.
return(null);
}
// Is the activity from another bot?
return(SkillValidation.IsSkillClaim(claimsIdentity.Claims)
? $"{CallerIdConstants.BotToBotPrefix}{JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims)}"
: callerId);
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), _authConfiguration, _authHttpClient).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
var connectorFactory = new ConnectorFactoryImpl(GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _loginEndpoint, true, _credentialFactory, _httpClientFactory, _logger);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId, ConnectorFactory = connectorFactory
});
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation_AuthenticateRequestAsync(activity, authHeader, _credentialFactory, _authConfiguration, _httpClient, cancellationToken).ConfigureAwait(false);
var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false);
var appId = BuiltinBotFrameworkAuthentication.GetAppId(claimsIdentity);
var credentials = await _credentialFactory.CreateCredentialsAsync(appId, scope, _toChannelFromBotLoginUrl, _validateAuthority, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Credentials = credentials, Scope = scope, CallerId = callerId
});
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), _authConfiguration, _httpClient).ConfigureAwait(false);
var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false);
var appId = GetAppId(claimsIdentity);
var credentials = await _credentialFactory.CreateCredentialsAsync(appId, scope, _loginEndpoint, true, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Credentials = credentials, Scope = scope, CallerId = callerId
});
}
public override async Task <AuthenticateRequestResult> AuthenticateStreamingRequestAsync(string authHeader, string channelIdHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
throw new UnauthorizedAccessException();
}
var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, channelIdHeader, null, cancellationToken).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId
});
}
public override async Task <ClaimsIdentity> AuthenticateChannelRequestAsync(string authHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
var isAuthDisabled = await new DelegatingCredentialProvider(_credentialsFactory).IsAuthenticationDisabledAsync().ConfigureAwait(false);
if (!isAuthDisabled)
{
// No auth header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
}
// In the scenario where auth is disabled, we still want to have the
// IsAuthenticated flag set in the ClaimsIdentity.
// To do this requires adding in an empty claim.
// Since ChannelServiceHandler calls are always a skill callback call, we set the skill claim too.
return(SkillValidation.CreateAnonymousSkillClaim());
}
return(await JwtTokenValidation
.ValidateAuthHeader(authHeader, new DelegatingCredentialProvider(_credentialsFactory), GetChannelProvider(), "unknown", _authConfiguration)
.ConfigureAwait(false));
}
/// <summary>
/// Validate a list of claims and throw an exception if it fails.
/// </summary>
/// <param name="claims">The list of claims to validate.</param>
/// <returns>True if the validation is successful, false if not.</returns>
public override Task ValidateClaimsAsync(IList <Claim> claims)
{
if (claims == null)
{
throw new ArgumentNullException(nameof(claims));
}
// If _allowedCallers contains an "*", allow all callers.
if (SkillValidation.IsSkillClaim(claims) &&
!_allowedCallers.Contains("*"))
{
// Check that the appId claim in the skill request is in the list of callers configured for this bot.
var applicationId = JwtTokenValidation.GetAppIdFromClaims(claims);
if (!_allowedCallers.Contains(applicationId))
{
throw new UnauthorizedAccessException(
$"Received a request from a bot with an app ID of \"{applicationId}\". To enable requests from this caller, add the app ID to the configured set of allowedCallers.");
}
}
return(Task.CompletedTask);
}
/// <summary>
/// Authenticates the request and adds the activity's <see cref="Activity.ServiceUrl"/>
/// to the set of trusted URLs.
/// </summary>
/// <param name="activity">The activity.</param>
/// <param name="authHeader">The authentication header.</param>
/// <param name="credentials">The bot's credential provider.</param>
/// <param name="provider">The bot's channel service provider.</param>
/// <param name="authConfig">The optional authentication configuration.</param>
/// <param name="httpClient">The HTTP client.</param>
/// <returns>A task that represents the work queued to execute.</returns>
/// <remarks>If the task completes successfully, the result contains the claims-based
/// identity for the request.</remarks>
#pragma warning disable UseAsyncSuffix // Use Async suffix (can't change this without breaking binary compat)
public static async Task <ClaimsIdentity> AuthenticateRequest(IActivity activity, string authHeader, ICredentialProvider credentials, IChannelProvider provider, AuthenticationConfiguration authConfig, HttpClient httpClient = null)
#pragma warning restore UseAsyncSuffix // Use Async suffix
{
if (authConfig == null)
{
throw new ArgumentNullException(nameof(authConfig));
}
if (string.IsNullOrWhiteSpace(authHeader))
{
var isAuthDisabled = await credentials.IsAuthenticationDisabledAsync().ConfigureAwait(false);
if (!isAuthDisabled)
{
// No Auth Header and Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
}
// Check if the activity is for a skill call and is coming from the Emulator.
if (activity.ChannelId == Channels.Emulator && activity.Recipient?.Role == RoleTypes.Skill)
{
// Return an anonymous claim with an anonymous skill AppId
return(SkillValidation.CreateAnonymousSkillClaim());
}
// In the scenario where Auth is disabled, we still want to have the
// IsAuthenticated flag set in the ClaimsIdentity. To do this requires
// adding in an empty claim.
return(new ClaimsIdentity(new List <Claim>(), AuthenticationConstants.AnonymousAuthType));
}
// Validate the header and extract claims.
var claimsIdentity = await ValidateAuthHeader(authHeader, credentials, provider, activity.ChannelId, authConfig, activity.ServiceUrl, httpClient ?? _httpClient).ConfigureAwait(false);
AppCredentials.TrustServiceUrl(activity.ServiceUrl);
return(claimsIdentity);
}
