public override async Task <AuthenticateRequestResult> AuthenticateStreamingRequestAsync(string authHeader, string channelIdHeader, CancellationToken cancellationToken) { if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false)) { throw new UnauthorizedAccessException(); } var claimsIdentity = await JwtTokenValidation.ValidateAuthHeader(authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), channelIdHeader, httpClient : _authHttpClient).ConfigureAwait(false); var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope; var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false); return(new AuthenticateRequestResult { ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId }); }
/// <summary> /// Validates the security tokens required by the Bot Framework Protocol. Throws on any exceptions. /// </summary> /// <param name="activity">The incoming Activity from the Bot Framework or the Emulator</param> /// <param name="authHeader">The Bearer token included as part of the request</param> /// <param name="credentials">The set of valid credentials, such as the Bot Application ID</param> /// <param name="httpClient">Validating an Activity requires validating the claimset on the security token. This /// validation may require outbound calls for Endorsement validation and other checks. Those calls are made to /// TLS services, which are (latency wise) expensive resources. The httpClient passed in here, if shared by the layers /// above from call to call, enables connection reuse which is a significant performance and resource improvement.</param> /// <returns>Nothing</returns> public static async Task AssertValidActivity(Activity activity, string authHeader, ICredentialProvider credentials, HttpClient httpClient) { if (string.IsNullOrWhiteSpace(authHeader)) { // No auth header was sent. We might be on the anonymous code path. bool isAuthDisabled = await credentials.IsAuthenticationDisabledAsync(); if (isAuthDisabled) { // We are on the anonymous code path. return; } } // Go through the standard authentication path. await JwtTokenValidation.ValidateAuthHeader(authHeader, credentials, activity.ServiceUrl, httpClient); // On the standard Auth path, we need to trust the URL that was incoming. MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl); }
public override async Task <ClaimsIdentity> AuthenticateChannelRequestAsync(string authHeader, CancellationToken cancellationToken) { if (string.IsNullOrWhiteSpace(authHeader)) { var isAuthDisabled = await new DelegatingCredentialProvider(_credentialsFactory).IsAuthenticationDisabledAsync().ConfigureAwait(false); if (!isAuthDisabled) { // No auth header. Auth is required. Request is not authorized. throw new UnauthorizedAccessException(); } // In the scenario where auth is disabled, we still want to have the // IsAuthenticated flag set in the ClaimsIdentity. // To do this requires adding in an empty claim. // Since ChannelServiceHandler calls are always a skill callback call, we set the skill claim too. return(SkillValidation.CreateAnonymousSkillClaim()); } return(await JwtTokenValidation .ValidateAuthHeader(authHeader, new DelegatingCredentialProvider(_credentialsFactory), GetChannelProvider(), "unknown", _authConfiguration) .ConfigureAwait(false)); }