private bool ShouldSetToken(HttpRequestMessage request)
{
// There is no current http context, proactive message
// assuming that developer is not calling drop context
if (HttpContext.Current == null || TrustedUri(request.RequestUri))
{
return(true);
}
else if (HttpContext.Current.User != null)
{
// This check is redundant now because RequestUri should already be in the
// trusted uri list added by BotAuthentication attribute
ClaimsIdentity identity = (ClaimsIdentity)HttpContext.Current.User.Identity;
if (identity?.Claims.FirstOrDefault(c => c.Type == "appid" && JwtConfig.GetToBotFromChannelTokenValidationParameters(MicrosoftAppId).ValidIssuers.Contains(c.Issuer)) != null)
{
return(true);
}
// Fallback for BF-issued tokens
if (identity?.Claims.FirstOrDefault(c => c.Issuer == "https://api.botframework.com" && c.Type == "aud") != null)
{
return(true);
}
// For emulator, we fallback to MSA as valid issuer
if (identity?.Claims.FirstOrDefault(c => c.Type == "appid" && JwtConfig.ToBotFromMSATokenValidationParameters.ValidIssuers.Contains(c.Issuer)) != null)
{
return(true);
}
}
Trace.TraceWarning($"Service url {request.RequestUri.Authority} is not trusted and JwtToken cannot be sent to it.");
return(false);
}
private bool ShouldSetToken()
{
// There is no current http context, proactive message
// assuming that developer is not calling drop context
if (HttpContext.Current == null)
{
return(true);
}
else if (HttpContext.Current.User != null)
{
ClaimsIdentity identity = (ClaimsIdentity)HttpContext.Current.User.Identity;
if (identity?.Claims.FirstOrDefault(c => c.Type == "appid" && JwtConfig.GetToBotFromChannelTokenValidationParameters(MicrosoftAppId).ValidIssuers.Contains(c.Issuer)) != null)
{
return(true);
}
// Fallback for BF-issued tokens
if (identity?.Claims.FirstOrDefault(c => c.Issuer == "https://api.botframework.com" && c.Type == "aud") != null)
{
return(true);
}
// For emulator, we fallback to MSA as valid issuer
if (identity?.Claims.FirstOrDefault(c => c.Type == "appid" && JwtConfig.ToBotFromMSATokenValidationParameters.ValidIssuers.Contains(c.Issuer)) != null)
{
return(true);
}
}
return(false);
}
public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
{
MicrosoftAppId = MicrosoftAppId ?? ConfigurationManager.AppSettings[MicrosoftAppIdSettingName ?? "MicrosoftAppId"];
if (Debugger.IsAttached && String.IsNullOrEmpty(MicrosoftAppId))
{
// then auth is disabled
return;
}
var tokenExtractor = new JwtTokenExtractor(JwtConfig.GetToBotFromChannelTokenValidationParameters(MicrosoftAppId), OpenIdConfigurationUrl);
var identity = await tokenExtractor.GetIdentityAsync(actionContext.Request);
// No identity? If we're allowed to, fall back to MSA
// This code path is used by the emulator
if (identity == null && !DisableSelfIssuedTokens)
{
tokenExtractor = new JwtTokenExtractor(JwtConfig.ToBotFromMSATokenValidationParameters, JwtConfig.ToBotFromMSAOpenIdMetadataUrl);
identity = await tokenExtractor.GetIdentityAsync(actionContext.Request);
// Check to make sure the app ID in the token is ours
if (identity != null)
{
// If it doesn't match, throw away the identity
if (tokenExtractor.GetBotIdFromClaimsIdentity(identity) != MicrosoftAppId)
{
identity = null;
}
}
}
// Still no identity? Fail out.
if (identity == null)
{
tokenExtractor.GenerateUnauthorizedResponse(actionContext);
return;
}
Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
// Inside of ASP.NET this is required
if (HttpContext.Current != null)
{
HttpContext.Current.User = Thread.CurrentPrincipal;
}
await base.OnAuthorizationAsync(actionContext, cancellationToken);
}
private JwtTokenExtractor GetTokenExtractor()
{
var parameters = JwtConfig.GetToBotFromChannelTokenValidationParameters((audiences, securityToken, validationParameters) => true);
return(new JwtTokenExtractor(parameters, this.openIdConfigurationUrl));
}
public override async Task OnActionExecutionAsync(ActionExecutingContext actionContext, ActionExecutionDelegate next)
{
MicrosoftAppId = MicrosoftAppId ?? _configuration[MicrosoftAppIdSettingName];
if (Debugger.IsAttached && String.IsNullOrEmpty(MicrosoftAppId))
{
// then auth is disabled
return;
}
var tokenExtractor = new JwtTokenExtractor(JwtConfig.GetToBotFromChannelTokenValidationParameters(MicrosoftAppId), OpenIdConfigurationUrl);
var frameRequestHeaders = actionContext.HttpContext.Request.Headers as FrameRequestHeaders;
if (frameRequestHeaders == null)
{
//TODO: ...
throw new NotSupportedException("frameRequestHeaders is null");
}
//TODO: Надо проверить!
var identity = await tokenExtractor.GetIdentityAsync(frameRequestHeaders.HeaderAuthorization.FirstOrDefault());
// No identity? If we're allowed to, fall back to MSA
// This code path is used by the emulator
if (identity == null && !DisableSelfIssuedTokens)
{
tokenExtractor = new JwtTokenExtractor(JwtConfig.ToBotFromMSATokenValidationParameters, JwtConfig.ToBotFromMSAOpenIdMetadataUrl);
//TODO: Надо проверить!
identity = await tokenExtractor.GetIdentityAsync(frameRequestHeaders.HeaderAuthorization.FirstOrDefault());
// Check to make sure the app ID in the token is ours
if (identity != null)
{
// If it doesn't match, throw away the identity
if (tokenExtractor.GetBotIdFromClaimsIdentity(identity) != MicrosoftAppId)
{
identity = null;
}
}
}
// Still no identity? Fail out.
if (identity == null)
{
tokenExtractor.GenerateUnauthorizedResponse(actionContext);
return;
}
var activity = actionContext.ActionArguments.Select(t => t.Value).OfType <Activity>().FirstOrDefault();
if (activity != null)
{
MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl);
}
else
{
// No model binding to activity check if we can find JObject or JArray
var obj = actionContext.ActionArguments.Where(t => t.Value is JObject || t.Value is JArray).Select(t => t.Value).FirstOrDefault();
if (obj != null)
{
Activity[] activities = (obj is JObject) ? new Activity[] { ((JObject)obj).ToObject <Activity>() } : ((JArray)obj).ToObject <Activity[]>();
foreach (var jActivity in activities)
{
if (!string.IsNullOrEmpty(jActivity.ServiceUrl))
{
MicrosoftAppCredentials.TrustServiceUrl(jActivity.ServiceUrl);
}
}
}
else
{
//LOG: Trace.TraceWarning("No activity in the Bot Authentication Action Arguments");
}
}
//Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
// Inside of ASP.NET this is required
if (_httpContextAccessor.HttpContext != null)
{
_httpContextAccessor.HttpContext.User = new ClaimsPrincipal(identity);
}
await base.OnActionExecutionAsync(actionContext, next);
}