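        /// <summary>
        /// Validates that the incoming claims identify a skill caller this bot allows.
        /// Any claim set that is not a skill claim is rejected (fail closed).
        /// </summary>
        /// <param name="claims">The claims extracted from the caller's token.</param>
        /// <returns>A completed task when the caller is allowed.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="claims"/> is null.</exception>
        /// <exception cref="UnauthorizedAccessException">
        /// <paramref name="claims"/> is empty, carries no skill claim, carries no usable app ID,
        /// or its app ID is not in the allowed-callers list.
        /// </exception>
        public override Task ValidateClaimsAsync(IList<Claim> claims)
        {
            if (claims == null)
            {
                throw new ArgumentNullException(nameof(claims));
            }

            if (!claims.Any())
            {
                throw new UnauthorizedAccessException("ValidateClaimsAsync.claims parameter must contain at least one element.");
            }

            if (!SkillValidation.IsSkillClaim(claims))
            {
                // This validator only accepts skill-to-bot calls; everything else is rejected.
                throw new UnauthorizedAccessException("ValidateClaimsAsync called without a Skill claim in claims.");
            }

            // A single '*' entry allows every parent bot; the app ID from the claims is not checked in that case.
            if (_allowedCallers.Count == 1 && _allowedCallers[0] == "*")
            {
                return Task.CompletedTask;
            }

            // Check that the appId claim in the skill request is in the list of skills configured for this bot.
            // Compared in upper-invariant form; NOTE(review): _allowedCallers is assumed to hold
            // upper-invariant entries (populated outside this method) — confirm.
            var appId = JwtTokenValidation.GetAppIdFromClaims(claims)?.ToUpperInvariant();
            if (string.IsNullOrWhiteSpace(appId))
            {
                // A skill claim set without a usable app ID is rejected explicitly instead of
                // surfacing as a NullReferenceException from ToUpperInvariant().
                throw new UnauthorizedAccessException("Received a skill request without an app ID claim.");
            }

            if (_allowedCallers.Contains(appId))
            {
                return Task.CompletedTask;
            }

            throw new UnauthorizedAccessException($"Received a request from a bot with an app ID of \"{appId}\". To enable requests from this caller, add the app ID to your configuration file.");
        }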
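        /// <summary>
        /// Rejects skill-to-bot calls whose app ID is not in the allowed-callers list.
        /// Claim sets that do not carry a skill claim are not checked here and pass through.
        /// </summary>
        /// <param name="claims">The claims extracted from the caller's token.</param>
        /// <returns>A completed task when the caller is allowed.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="claims"/> is null.</exception>
        /// <exception cref="UnauthorizedAccessException">
        /// A skill claim set carries no usable app ID, or its app ID is not in the allowed-callers list.
        /// </exception>
        public override Task ValidateClaimsAsync(IList<Claim> claims)
        {
            if (claims == null)
            {
                throw new ArgumentNullException(nameof(claims));
            }

            // Only skill claims are subject to the allow-list; a single '*' entry allows every parent bot
            // and skips the app ID check entirely.
            if (SkillValidation.IsSkillClaim(claims) && !(_allowedCallers.Count == 1 && _allowedCallers[0] == "*"))
            {
                // Check that the appId claim in the skill request is in the list of skills configured for this bot.
                // NOTE(review): _allowedCallers is assumed to hold upper-invariant entries — confirm.
                var appId = JwtTokenValidation.GetAppIdFromClaims(claims)?.ToUpperInvariant();
                if (string.IsNullOrWhiteSpace(appId))
                {
                    // Reject explicitly rather than failing with a NullReferenceException from ToUpperInvariant().
                    throw new UnauthorizedAccessException("Received a skill request without an app ID claim.");
                }

                if (!_allowedCallers.Contains(appId))
                {
                    throw new UnauthorizedAccessException($"Received a request from a bot with an app ID of \"{appId}\". To enable requests from this caller, add the app ID to your configuration file.");
                }
            }

            return Task.CompletedTask;
        }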
        /// <summary>
        /// Authenticates the auth header token from the request, dispatching on the kind of token presented.
        /// </summary>
        /// <param name="authHeader">The raw Authorization header value.</param>
        /// <param name="credentials">Provider used to look up the bot's credentials.</param>
        /// <param name="channelId">The channel the request claims to come from.</param>
        /// <param name="authConfig">Authentication configuration applied by the validators.</param>
        /// <param name="serviceUrl">Service URL of the request, or null when not available.</param>
        /// <param name="httpClient">Client used for any outbound validation calls.</param>
        /// <returns>The authenticated identity produced by the matching validator.</returns>
        private static async Task<ClaimsIdentity> AuthenticateToken(string authHeader, ICredentialProvider credentials, string channelId, AuthenticationConfiguration authConfig, string serviceUrl, HttpClient httpClient)
        {
            // Skill tokens are tested first, so a header that also looks like an emulator token is routed through the skill path.
            if (SkillValidation.IsSkillToken(authHeader))
            {
                var skillIdentity = await SkillValidation.AuthenticateChannelToken(authHeader, credentials, httpClient, channelId, authConfig).ConfigureAwait(false);
                return skillIdentity;
            }

            if (EmulatorValidation.IsTokenFromEmulator(authHeader))
            {
                var emulatorIdentity = await EmulatorValidation.AuthenticateEmulatorToken(authHeader, credentials, httpClient, channelId, authConfig).ConfigureAwait(false);
                return emulatorIdentity;
            }

            // No empty or null check on serviceUrl: an empty value can point to issues and is passed through; only null selects the overload without it.
            var channelValidation = serviceUrl != null
                ? ChannelValidation.AuthenticateChannelToken(authHeader, credentials, serviceUrl, httpClient, channelId, authConfig)
                : ChannelValidation.AuthenticateChannelToken(authHeader, credentials, httpClient, channelId, authConfig);

            return await channelValidation.ConfigureAwait(false);
        }
        /// <summary>
        /// Authenticates skill-to-bot requests before the action runs; every other request is handed
        /// to the base filter unchanged.
        /// </summary>
        /// <param name="actionContext">The Web API action context for the incoming request.</param>
        /// <param name="cancellationToken">Token used to cancel the pipeline.</param>
        /// <returns>A task that completes when the filter has run.</returns>
        public override async Task OnActionExecutingAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
        {
            var authorizationHeader = actionContext.Request.Headers.Authorization;
            var isSkillRequest = authorizationHeader != null && SkillValidation.IsSkillToken(authorizationHeader.ToString());

            if (!isSkillRequest)
            {
                await base.OnActionExecutingAsync(actionContext, cancellationToken);
                return;
            }

            // NOTE(review): activities is enumerated twice (Any + foreach); fine if GetActivities returns a materialized collection — confirm.
            var activities = base.GetActivities(actionContext);
            if (!activities.Any())
            {
                // Skill token but no activity payload: fall back to the base filter's handling.
                await base.OnActionExecutingAsync(actionContext, cancellationToken);
                return;
            }

            var authHeaderValue = authorizationHeader.ToString();
            var authConfiguration = this.GetAuthenticationConfiguration();
            var credentialProvider = this.GetCredentialProvider();

            try
            {
                foreach (var activity in activities)
                {
                    // Each activity is authenticated against the token; the first failure rejects the whole request.
                    var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeaderValue, credentialProvider, authConfiguration, _httpClient).ConfigureAwait(false);

                    // The service URL is trusted only after the token for this activity has validated.
                    // JwtTokenValidation.AuthenticateRequest already trusts it, but without the oauthScope, so it is re-registered here with the caller's app ID.
                    MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl, oauthScope: JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims));
                }
            }
            catch (UnauthorizedAccessException)
            {
                // Only authentication failures are turned into an unauthorized response; any other exception propagates to the host.
                actionContext.Response = BotAuthenticator.GenerateUnauthorizedResponse(actionContext.Request, "BotAuthenticator failed to authenticate incoming request!");
                return;
            }

            await base.ContinueOnActionExecutingAsync(actionContext, cancellationToken);
        }