/// <summary>
/// Determines if a given Auth header is from the Bot Framework Emulator.
/// </summary>
/// <param name="authHeader">Bearer Token, in the "Bearer [Long String]" Format.</param>
/// <returns>True, if the token was issued by the Emulator. Otherwise, false.</returns>
public static bool IsTokenFromEmulator(string authHeader)
{
if (!JwtTokenValidation.IsValidTokenFormat(authHeader))
{
return(false);
}
// We know is a valid token, split it and work with it:
// [0] = "Bearer"
// [1] = "[Big Long String]"
var bearerToken = authHeader.Split(' ')[1];
// Parse the Big Long String into an actual token.
var token = new JwtSecurityToken(bearerToken);
// Is there an Issuer?
if (string.IsNullOrWhiteSpace(token.Issuer))
{
// No Issuer, means it's not from the Emulator.
return(false);
}
// Is the token issues by a source we consider to be the emulator?
if (!ToBotFromEmulatorTokenValidationParameters.ValidIssuers.Contains(token.Issuer))
{
// Not a Valid Issuer. This is NOT a Bot Framework Emulator Token.
return(false);
}
// The Token is from the Bot Framework Emulator. Success!
return(true);
}
/// <summary>
/// Checks if the given list of claims represents a skill.
/// </summary>
/// <remarks>
/// A skill claim should contain:
/// An <see cref="AuthenticationConstants.VersionClaim"/> claim.
/// An <see cref="AuthenticationConstants.AudienceClaim"/> claim.
/// An <see cref="AuthenticationConstants.AppIdClaim"/> claim (v1) or an a <see cref="AuthenticationConstants.AuthorizedParty"/> claim (v2).
/// And the appId claim should be different than the audience claim.
/// When a channel (webchat, teams, etc.) invokes a bot, the <see cref="AuthenticationConstants.AudienceClaim"/>
/// is set to <see cref="AuthenticationConstants.ToBotFromChannelTokenIssuer"/> but when a bot calls another bot,
/// the audience claim is set to the appId of the bot being invoked.
/// The protocol supports v1 and v2 tokens:
/// For v1 tokens, the <see cref="AuthenticationConstants.AppIdClaim"/> is present and set to the app Id of the calling bot.
/// For v2 tokens, the <see cref="AuthenticationConstants.AuthorizedParty"/> is present and set to the app Id of the calling bot.
/// </remarks>
/// <param name="claims">A list of claims.</param>
/// <returns>True if the list of claims is a skill claim, false if is not.</returns>
public static bool IsSkillClaim(IEnumerable <Claim> claims)
{
var claimsList = claims.ToList();
if (claimsList.Any(c => c.Value == AuthenticationConstants.AnonymousSkillAppId && c.Type == AuthenticationConstants.AppIdClaim))
{
return(true);
}
var version = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.VersionClaim);
if (string.IsNullOrWhiteSpace(version?.Value))
{
// Must have a version claim.
return(false);
}
var audience = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.AudienceClaim)?.Value;
if (string.IsNullOrWhiteSpace(audience) || AuthenticationConstants.ToBotFromChannelTokenIssuer.Equals(audience, StringComparison.OrdinalIgnoreCase))
{
// The audience is https://api.botframework.com and not an appId.
return(false);
}
var appId = JwtTokenValidation.GetAppIdFromClaims(claimsList);
if (string.IsNullOrWhiteSpace(appId))
{
return(false);
}
// Skill claims must contain and app ID and the AppID must be different than the audience.
return(appId != audience);
}
/// <inheritdoc/>
public override Task ValidateClaimsAsync(IList <Claim> claims)
{
if (SkillValidation.IsSkillClaim(claims))
{
// Check that the appId claim in the skill request is in the list of skills configured for this bot.
var appId = JwtTokenValidation.GetAppIdFromClaims(claims);
if (!_allowedSkills.Contains(appId))
{
throw new UnauthorizedAccessException($"Received a request from an application with an appID of \"{appId}\". To enable requests from this skill, add the skill to your configuration file.");
}
}
return(Task.CompletedTask);
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), _authConfiguration, _authHttpClient).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
var connectorFactory = new ConnectorFactoryImpl(GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _loginEndpoint, true, _credentialFactory, _httpClientFactory, _logger);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId, ConnectorFactory = connectorFactory
});
}
internal static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialProvider credentials)
{
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
}
if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
}
var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);
if (versionClaim == null)
{
// No version claim
throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens.");
}
// Look for the "aud" claim, but only if issued from the Bot Framework
var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value;
if (string.IsNullOrWhiteSpace(audienceClaim))
{
// Claim is not present or doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens.");
}
if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false))
{
// The AppId is not valid. Not Authorized.
throw new UnauthorizedAccessException($"Invalid audience.");
}
var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims);
if (string.IsNullOrWhiteSpace(appId))
{
// Invalid appId
throw new UnauthorizedAccessException($"Invalid appId.");
}
// TODO: check the appId against the registered skill client IDs.
// Check the AppId and ensure that only works against my whitelist authConfig can have info on how to get the
// whitelist AuthenticationConfiguration
// We may need to add a ClaimsIdentityValidator delegate or class that allows the dev to inject a custom validator.
}
/// <summary>
/// Generates the appropriate callerId to write onto the activity, this might be null.
/// </summary>
/// <param name="credentialFactory">A <see cref="ServiceClientCredentialsFactory"/> to use.</param>
/// <param name="claimsIdentity">The inbound claims.</param>
/// <param name="callerId">The default callerId to use if this is not a skill.</param>
/// <param name="cancellationToken">A cancellation token.</param>
/// <returns>The callerId, this might be null.</returns>
protected internal async Task <string> GenerateCallerIdAsync(ServiceClientCredentialsFactory credentialFactory, ClaimsIdentity claimsIdentity, string callerId, CancellationToken cancellationToken)
{
// Is the bot accepting all incoming messages?
if (await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
// Return null so that the callerId is cleared.
return(null);
}
// Is the activity from another bot?
return(SkillValidation.IsSkillClaim(claimsIdentity.Claims)
? $"{CallerIdConstants.BotToBotPrefix}{JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims)}"
: callerId);
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation_AuthenticateRequestAsync(activity, authHeader, _credentialFactory, _authConfiguration, _httpClient, cancellationToken).ConfigureAwait(false);
var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false);
var connectorFactory = new ConnectorFactoryImpl(BuiltinBotFrameworkAuthentication.GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _toChannelFromBotLoginUrl, _validateAuthority, _credentialFactory, _httpClient, _logger);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Scope = scope, CallerId = callerId, ConnectorFactory = connectorFactory
});
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), _authConfiguration, _httpClient).ConfigureAwait(false);
var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false);
var appId = GetAppId(claimsIdentity);
var credentials = await _credentialFactory.CreateCredentialsAsync(appId, scope, _loginEndpoint, true, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Credentials = credentials, Scope = scope, CallerId = callerId
});
}
/// <summary>
/// Determines if a given Auth header is from from a skill to bot or bot to skill request.
/// </summary>
/// <param name="authHeader">Bearer Token, in the "Bearer [Long String]" Format.</param>
/// <returns>True, if the token was issued for a skill to bot communication. Otherwise, false.</returns>
public static bool IsSkillToken(string authHeader)
{
if (!JwtTokenValidation.IsValidTokenFormat(authHeader))
{
return(false);
}
// We know is a valid token, split it and work with it:
// [0] = "Bearer"
// [1] = "[Big Long String]"
var bearerToken = authHeader.Split(' ')[1];
// Parse the Big Long String into an actual token.
var token = new JwtSecurityToken(bearerToken);
return(IsSkillClaim(token.Claims));
}
public override async Task <AuthenticateRequestResult> AuthenticateStreamingRequestAsync(string authHeader, string channelIdHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
throw new UnauthorizedAccessException();
}
var claimsIdentity = await JwtTokenValidation.ValidateAuthHeader(authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), channelIdHeader, httpClient : _authHttpClient).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId
});
}
/// <summary>
/// Validates the security tokens required by the Bot Framework Protocol. Throws on any exceptions.
/// </summary>
/// <param name="activity">The incoming Activity from the Bot Framework or the Emulator</param>
/// <param name="authHeader">The Bearer token included as part of the request</param>
/// <param name="credentials">The set of valid credentials, such as the Bot Application ID</param>
/// <param name="httpClient">Validating an Activity requires validating the claimset on the security token. This
/// validation may require outbound calls for Endorsement validation and other checks. Those calls are made to
/// TLS services, which are (latency wise) expensive resources. The httpClient passed in here, if shared by the layers
/// above from call to call, enables connection reuse which is a significant performance and resource improvement.</param>
/// <returns>Task tracking operation</returns>
public static async Task AssertValidActivity(IActivity activity, string authHeader, ICredentialProvider credentials, HttpClient httpClient = null)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
// No auth header was sent. We might be on the anonymous code path.
bool isAuthDisabled = await credentials.IsAuthenticationDisabledAsync();
if (isAuthDisabled)
{
// We are on the anonymous code path.
return;
}
}
// Go through the standard authentication path.
await JwtTokenValidation.AuthenticateRequest(activity, authHeader, credentials, httpClient ?? _httpClient);
}
internal static async Task ValidateIdentityAsync(ClaimsIdentity identity, ICredentialProvider credentials)
{
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
}
if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
}
var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);
if (versionClaim == null)
{
// No version claim
throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens.");
}
// Look for the "aud" claim, but only if issued from the Bot Framework
var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value;
if (string.IsNullOrWhiteSpace(audienceClaim))
{
// Claim is not present or doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens.");
}
if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false))
{
// The AppId is not valid. Not Authorized.
throw new UnauthorizedAccessException("Invalid audience.");
}
var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims);
if (string.IsNullOrWhiteSpace(appId))
{
// Invalid appId
throw new UnauthorizedAccessException("Invalid appId.");
}
}
/// <summary>
/// Validates the security tokens required by the Bot Framework Protocol. Throws on any exceptions.
/// </summary>
/// <param name="activity">The incoming Activity from the Bot Framework or the Emulator</param>
/// <param name="authHeader">The Bearer token included as part of the request</param>
/// <param name="credentials">The set of valid credentials, such as the Bot Application ID</param>
/// <param name="httpClient">Validating an Activity requires validating the claimset on the security token. This
/// validation may require outbound calls for Endorsement validation and other checks. Those calls are made to
/// TLS services, which are (latency wise) expensive resources. The httpClient passed in here, if shared by the layers
/// above from call to call, enables connection reuse which is a significant performance and resource improvement.</param>
/// <returns>Nothing</returns>
public static async Task AssertValidActivity(Activity activity, string authHeader, ICredentialProvider credentials, HttpClient httpClient)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
// No auth header was sent. We might be on the anonymous code path.
bool isAuthDisabled = await credentials.IsAuthenticationDisabledAsync();
if (isAuthDisabled)
{
// We are on the anonymous code path.
return;
}
}
// Go through the standard authentication path.
await JwtTokenValidation.ValidateAuthHeader(authHeader, credentials, activity.ServiceUrl, httpClient);
// On the standard Auth path, we need to trust the URL that was incoming.
MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl);
}
public override async Task <ClaimsIdentity> AuthenticateChannelRequestAsync(string authHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(authHeader))
{
var isAuthDisabled = await new DelegatingCredentialProvider(_credentialsFactory).IsAuthenticationDisabledAsync().ConfigureAwait(false);
if (!isAuthDisabled)
{
// No auth header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
}
// In the scenario where auth is disabled, we still want to have the
// IsAuthenticated flag set in the ClaimsIdentity.
// To do this requires adding in an empty claim.
// Since ChannelServiceHandler calls are always a skill callback call, we set the skill claim too.
return(SkillValidation.CreateAnonymousSkillClaim());
}
return(await JwtTokenValidation
.ValidateAuthHeader(authHeader, new DelegatingCredentialProvider(_credentialsFactory), GetChannelProvider(), "unknown", _authConfiguration)
.ConfigureAwait(false));
}
/// <summary>
/// Validate a list of claims and throw an exception if it fails.
/// </summary>
/// <param name="claims">The list of claims to validate.</param>
/// <returns>True if the validation is successful, false if not.</returns>
public override Task ValidateClaimsAsync(IList <Claim> claims)
{
if (claims == null)
{
throw new ArgumentNullException(nameof(claims));
}
// If _allowedCallers contains an "*", allow all callers.
if (SkillValidation.IsSkillClaim(claims) &&
!_allowedCallers.Contains("*"))
{
// Check that the appId claim in the skill request is in the list of callers configured for this bot.
var applicationId = JwtTokenValidation.GetAppIdFromClaims(claims);
if (!_allowedCallers.Contains(applicationId))
{
throw new UnauthorizedAccessException(
$"Received a request from a bot with an app ID of \"{applicationId}\". To enable requests from this caller, add the app ID to the configured set of allowedCallers.");
}
}
return(Task.CompletedTask);
}
