Ejemplo n.º 1
        /// <summary>
        /// Determines if a given Auth header is from the Bot Framework Emulator.
        /// </summary>
        /// <param name="authHeader">Bearer Token, in the "Bearer [Long String]" Format.</param>
        /// <returns>True, if the token was issued by the Emulator. Otherwise, false.</returns>
        public static bool IsTokenFromEmulator(string authHeader)
            if (!JwtTokenValidation.IsValidTokenFormat(authHeader))

            // We know is a valid token, split it and work with it:
            // [0] = "Bearer"
            // [1] = "[Big Long String]"
            var bearerToken = authHeader.Split(' ')[1];

            // Parse the Big Long String into an actual token.
            var token = new JwtSecurityToken(bearerToken);

            // Is there an Issuer?
            if (string.IsNullOrWhiteSpace(token.Issuer))
                // No Issuer, means it's not from the Emulator.

            // Is the token issues by a source we consider to be the emulator?
            if (!ToBotFromEmulatorTokenValidationParameters.ValidIssuers.Contains(token.Issuer))
                // Not a Valid Issuer. This is NOT a Bot Framework Emulator Token.

            // The Token is from the Bot Framework Emulator. Success!
Ejemplo n.º 2
        /// <summary>
        /// Checks if the given list of claims represents a skill.
        /// </summary>
        /// <remarks>
        /// A skill claim should contain:
        ///     An <see cref="AuthenticationConstants.VersionClaim"/> claim.
        ///     An <see cref="AuthenticationConstants.AudienceClaim"/> claim.
        ///     An <see cref="AuthenticationConstants.AppIdClaim"/> claim (v1) or an a <see cref="AuthenticationConstants.AuthorizedParty"/> claim (v2).
        /// And the appId claim should be different than the audience claim.
        /// When a channel (webchat, teams, etc.) invokes a bot, the <see cref="AuthenticationConstants.AudienceClaim"/>
        /// is set to <see cref="AuthenticationConstants.ToBotFromChannelTokenIssuer"/> but when a bot calls another bot,
        /// the audience claim is set to the appId of the bot being invoked.
        /// The protocol supports v1 and v2 tokens:
        /// For v1 tokens, the  <see cref="AuthenticationConstants.AppIdClaim"/> is present and set to the app Id of the calling bot.
        /// For v2 tokens, the  <see cref="AuthenticationConstants.AuthorizedParty"/> is present and set to the app Id of the calling bot.
        /// </remarks>
        /// <param name="claims">A list of claims.</param>
        /// <returns>True if the list of claims is a skill claim, false if is not.</returns>
        public static bool IsSkillClaim(IEnumerable <Claim> claims)
            var claimsList = claims.ToList();

            var version = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.VersionClaim);

            if (string.IsNullOrWhiteSpace(version?.Value))
                // Must have a version claim.

            var audience = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.AudienceClaim)?.Value;

            if (string.IsNullOrWhiteSpace(audience) || AuthenticationConstants.ToBotFromChannelTokenIssuer.Equals(audience, StringComparison.OrdinalIgnoreCase))
                // The audience is https://api.botframework.com and not an appId.

            var appId = JwtTokenValidation.GetAppIdFromClaims(claimsList);

            if (string.IsNullOrWhiteSpace(appId))

            // Skill claims must contain and app ID and the AppID must be different than the audience.
            return(appId != audience);
Ejemplo n.º 3
        public override Task ValidateClaimsAsync(IList <Claim> claims)
            if (claims == null)
                throw new ArgumentNullException(nameof(claims));

            if (!claims.Any())
                throw new UnauthorizedAccessException("ValidateClaimsAsync.claims parameter must contain at least one element.");

            if (SkillValidation.IsSkillClaim(claims))
                // if _allowedCallers has one item of '*', allow all parent bot calls and do not validate the appid from claims
                if (_allowedCallers.Count == 1 && _allowedCallers[0] == "*")

                // Check that the appId claim in the skill request is in the list of skills configured for this bot.
                var appId = JwtTokenValidation.GetAppIdFromClaims(claims).ToUpperInvariant();
                if (_allowedCallers.Contains(appId))

                throw new UnauthorizedAccessException($"Received a request from a bot with an app ID of \"{appId}\". To enable requests from this caller, add the app ID to your configuration file.");

            throw new UnauthorizedAccessException($"ValidateClaimsAsync called without a Skill claim in claims.");
        public override Task ValidateClaimsAsync(IList <Claim> claims)
            // if _allowedCallers has one item of '*', allow all parent bot calls and do not validate the appid from claims
            if (SkillValidation.IsSkillClaim(claims) && !(_allowedCallers.Count == 1 && _allowedCallers[0] == "*"))
                // Check that the appId claim in the skill request is in the list of skills configured for this bot.
                var appId = JwtTokenValidation.GetAppIdFromClaims(claims).ToUpperInvariant();
                if (!_allowedCallers.Contains(appId))
                    throw new UnauthorizedAccessException($"Received a request from a bot with an app ID of \"{appId}\". To enable requests from this caller, add the app ID to your configuration file.");

Ejemplo n.º 5
        /// <summary>
        /// Determines if a given Auth header is from from a skill to bot or bot to skill request.
        /// </summary>
        /// <param name="authHeader">Bearer Token, in the "Bearer [Long String]" Format.</param>
        /// <returns>True, if the token was issued for a skill to bot communication. Otherwise, false.</returns>
        public static bool IsSkillToken(string authHeader)
            if (!JwtTokenValidation.IsValidTokenFormat(authHeader))

            // We know is a valid token, split it and work with it:
            // [0] = "Bearer"
            // [1] = "[Big Long String]"
            var bearerToken = authHeader.Split(' ')[1];

            // Parse the Big Long String into an actual token.
            var token = new JwtSecurityToken(bearerToken);

Ejemplo n.º 6
        internal static async Task ValidateIdentityAsync(ClaimsIdentity identity, ICredentialProvider credentials)
            if (identity == null)
                // No valid identity. Not Authorized.
                throw new UnauthorizedAccessException("Invalid Identity");

            if (!identity.IsAuthenticated)
                // The token is in some way invalid. Not Authorized.
                throw new UnauthorizedAccessException("Token Not Authenticated");

            var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);

            if (versionClaim == null)
                // No version claim
                throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens.");

            // Look for the "aud" claim, but only if issued from the Bot Framework
            var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value;

            if (string.IsNullOrWhiteSpace(audienceClaim))
                // Claim is not present or doesn't have a value. Not Authorized.
                throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens.");

            if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false))
                // The AppId is not valid. Not Authorized.
                throw new UnauthorizedAccessException("Invalid audience.");

            var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims);

            if (string.IsNullOrWhiteSpace(appId))
                // Invalid appId
                throw new UnauthorizedAccessException("Invalid appId.");
Ejemplo n.º 7
        /// <summary>
        /// Checks if the given list of claims represents a skill.
        /// </summary>
        /// <remarks>
        /// A skill claim should contain:
        ///     An <see cref="AuthenticationConstants.VersionClaim"/> claim.
        ///     An <see cref="AuthenticationConstants.AudienceClaim"/> claim.
        ///     An <see cref="AuthenticationConstants.AppIdClaim"/> claim (v1) or an a <see cref="AuthenticationConstants.AuthorizedParty"/> claim (v2).
        /// And the appId claim should be different than the audience claim.
        /// When a channel (webchat, teams, etc.) invokes a bot, the <see cref="AuthenticationConstants.AudienceClaim"/>
        /// is set to <see cref="AuthenticationConstants.ToBotFromChannelTokenIssuer"/> but when a bot calls another bot,
        /// the audience claim is set to the appId of the bot being invoked.
        /// The protocol supports v1 and v2 tokens:
        /// For v1 tokens, the  <see cref="AuthenticationConstants.AppIdClaim"/> is present and set to the app Id of the calling bot.
        /// For v2 tokens, the  <see cref="AuthenticationConstants.AuthorizedParty"/> is present and set to the app Id of the calling bot.
        /// </remarks>
        /// <param name="claims">A list of claims.</param>
        /// <returns>True if the list of claims is a skill claim, false if is not.</returns>
        public static bool IsSkillClaim(IEnumerable <Claim> claims)
            if (claims == null)
                throw new ArgumentNullException(nameof(claims));

            if (!claims.Any())
                throw new UnauthorizedAccessException("SkillValidation.IsSkillClaim.claims parameter must contain at least one element.");

            var claimsList = claims.ToList();

            var version = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.VersionClaim);

            if (string.IsNullOrWhiteSpace(version?.Value))
                // Must have a version claim.

            var audience = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.AudienceClaim)?.Value;

            if (string.IsNullOrWhiteSpace(audience) || AuthenticationConstants.ToBotFromChannelTokenIssuer.Equals(audience, StringComparison.OrdinalIgnoreCase))
                // The audience is https://api.botframework.com and not an appId.

            var appId = JwtTokenValidation.GetAppIdFromClaims(claimsList);

            if (string.IsNullOrWhiteSpace(appId))

            // Skill claims must contain and app ID and the AppID must be different than the audience.
            return(appId != audience);
Ejemplo n.º 8
        public override async Task OnActionExecutingAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
            var authorizationHeader = actionContext.Request.Headers.Authorization;

            if (authorizationHeader != null && SkillValidation.IsSkillToken(authorizationHeader.ToString()))
                var activities = base.GetActivities(actionContext);
                if (activities.Any())
                    var authConfiguration  = this.GetAuthenticationConfiguration();
                    var credentialProvider = this.GetCredentialProvider();

                        foreach (var activity in activities)
                            var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authorizationHeader.ToString(), credentialProvider, authConfiguration, _httpClient).ConfigureAwait(false);

                            // this is done in JwtTokenValidation.AuthenticateRequest, but the oauthScope is not set so we update it here
                            MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl, oauthScope: JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims));
                    catch (UnauthorizedAccessException)
                        actionContext.Response = BotAuthenticator.GenerateUnauthorizedResponse(actionContext.Request, "BotAuthenticator failed to authenticate incoming request!");

                    await base.ContinueOnActionExecutingAsync(actionContext, cancellationToken);


            await base.OnActionExecutingAsync(actionContext, cancellationToken);