/// <summary>
/// Checks if the given list of claims represents a skill.
/// </summary>
/// <remarks>
/// A skill claim should contain:
/// An <see cref="AuthenticationConstants.VersionClaim"/> claim.
/// An <see cref="AuthenticationConstants.AudienceClaim"/> claim.
/// An <see cref="AuthenticationConstants.AppIdClaim"/> claim (v1) or an a <see cref="AuthenticationConstants.AuthorizedParty"/> claim (v2).
/// And the appId claim should be different than the audience claim.
/// When a channel (webchat, teams, etc.) invokes a bot, the <see cref="AuthenticationConstants.AudienceClaim"/>
/// is set to <see cref="AuthenticationConstants.ToBotFromChannelTokenIssuer"/> but when a bot calls another bot,
/// the audience claim is set to the appId of the bot being invoked.
/// The protocol supports v1 and v2 tokens:
/// For v1 tokens, the <see cref="AuthenticationConstants.AppIdClaim"/> is present and set to the app Id of the calling bot.
/// For v2 tokens, the <see cref="AuthenticationConstants.AuthorizedParty"/> is present and set to the app Id of the calling bot.
/// </remarks>
/// <param name="claims">A list of claims.</param>
/// <returns>True if the list of claims is a skill claim, false if is not.</returns>
public static bool IsSkillClaim(IEnumerable <Claim> claims)
{
var claimsList = claims.ToList();
if (claimsList.Any(c => c.Value == AuthenticationConstants.AnonymousSkillAppId && c.Type == AuthenticationConstants.AppIdClaim))
{
return(true);
}
var version = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.VersionClaim);
if (string.IsNullOrWhiteSpace(version?.Value))
{
// Must have a version claim.
return(false);
}
var audience = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.AudienceClaim)?.Value;
if (string.IsNullOrWhiteSpace(audience) || AuthenticationConstants.ToBotFromChannelTokenIssuer.Equals(audience, StringComparison.OrdinalIgnoreCase))
{
// The audience is https://api.botframework.com and not an appId.
return(false);
}
var appId = JwtTokenValidation.GetAppIdFromClaims(claimsList);
if (string.IsNullOrWhiteSpace(appId))
{
return(false);
}
// Skill claims must contain and app ID and the AppID must be different than the audience.
return(appId != audience);
}
/// <inheritdoc/>
public override Task ValidateClaimsAsync(IList <Claim> claims)
{
if (SkillValidation.IsSkillClaim(claims))
{
// Check that the appId claim in the skill request is in the list of skills configured for this bot.
var appId = JwtTokenValidation.GetAppIdFromClaims(claims);
if (!_allowedSkills.Contains(appId))
{
throw new UnauthorizedAccessException($"Received a request from an application with an appID of \"{appId}\". To enable requests from this skill, add the skill to your configuration file.");
}
}
return(Task.CompletedTask);
}
internal static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialProvider credentials)
{
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
}
if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
}
var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);
if (versionClaim == null)
{
// No version claim
throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens.");
}
// Look for the "aud" claim, but only if issued from the Bot Framework
var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value;
if (string.IsNullOrWhiteSpace(audienceClaim))
{
// Claim is not present or doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens.");
}
if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false))
{
// The AppId is not valid. Not Authorized.
throw new UnauthorizedAccessException($"Invalid audience.");
}
var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims);
if (string.IsNullOrWhiteSpace(appId))
{
// Invalid appId
throw new UnauthorizedAccessException($"Invalid appId.");
}
// TODO: check the appId against the registered skill client IDs.
// Check the AppId and ensure that only works against my whitelist authConfig can have info on how to get the
// whitelist AuthenticationConfiguration
// We may need to add a ClaimsIdentityValidator delegate or class that allows the dev to inject a custom validator.
}
/// <summary>
/// Generates the appropriate callerId to write onto the activity, this might be null.
/// </summary>
/// <param name="credentialFactory">A <see cref="ServiceClientCredentialsFactory"/> to use.</param>
/// <param name="claimsIdentity">The inbound claims.</param>
/// <param name="callerId">The default callerId to use if this is not a skill.</param>
/// <param name="cancellationToken">A cancellation token.</param>
/// <returns>The callerId, this might be null.</returns>
protected internal async Task <string> GenerateCallerIdAsync(ServiceClientCredentialsFactory credentialFactory, ClaimsIdentity claimsIdentity, string callerId, CancellationToken cancellationToken)
{
// Is the bot accepting all incoming messages?
if (await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
// Return null so that the callerId is cleared.
return(null);
}
// Is the activity from another bot?
return(SkillValidation.IsSkillClaim(claimsIdentity.Claims)
? $"{CallerIdConstants.BotToBotPrefix}{JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims)}"
: callerId);
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), _authConfiguration, _httpClient).ConfigureAwait(false);
var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false);
var connectorFactory = new ConnectorFactoryImpl(GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _loginEndpoint, true, _credentialFactory, _httpClient, _logger);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Scope = scope, CallerId = callerId, ConnectorFactory = connectorFactory
});
}
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken)
{
var claimsIdentity = await JwtTokenValidation_AuthenticateRequestAsync(activity, authHeader, _credentialFactory, _authConfiguration, _httpClient, cancellationToken).ConfigureAwait(false);
var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false);
var connectorFactory = new ConnectorFactoryImpl(BuiltinBotFrameworkAuthentication.GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _toChannelFromBotLoginUrl, _validateAuthority, _credentialFactory, _httpClient, _logger);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Scope = scope, CallerId = callerId, ConnectorFactory = connectorFactory
});
}
internal static async Task ValidateIdentityAsync(ClaimsIdentity identity, ICredentialProvider credentials)
{
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
}
if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
}
var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);
if (versionClaim == null)
{
// No version claim
throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens.");
}
// Look for the "aud" claim, but only if issued from the Bot Framework
var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value;
if (string.IsNullOrWhiteSpace(audienceClaim))
{
// Claim is not present or doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens.");
}
if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false))
{
// The AppId is not valid. Not Authorized.
throw new UnauthorizedAccessException("Invalid audience.");
}
var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims);
if (string.IsNullOrWhiteSpace(appId))
{
// Invalid appId
throw new UnauthorizedAccessException("Invalid appId.");
}
}
/// <summary>
/// Validate a list of claims and throw an exception if it fails.
/// </summary>
/// <param name="claims">The list of claims to validate.</param>
/// <returns>True if the validation is successful, false if not.</returns>
public override Task ValidateClaimsAsync(IList <Claim> claims)
{
if (claims == null)
{
throw new ArgumentNullException(nameof(claims));
}
// If _allowedCallers contains an "*", allow all callers.
if (SkillValidation.IsSkillClaim(claims) &&
!_allowedCallers.Contains("*"))
{
// Check that the appId claim in the skill request is in the list of callers configured for this bot.
var applicationId = JwtTokenValidation.GetAppIdFromClaims(claims);
if (!_allowedCallers.Contains(applicationId))
{
throw new UnauthorizedAccessException(
$"Received a request from a bot with an app ID of \"{applicationId}\". To enable requests from this caller, add the app ID to the configured set of allowedCallers.");
}
}
return(Task.CompletedTask);
}
public override async Task <AuthenticateRequestResult> AuthenticateStreamingRequestAsync(string authHeader, string channelIdHeader, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
throw new UnauthorizedAccessException();
}
var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, channelIdHeader, null, cancellationToken).ConfigureAwait(false);
var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope;
var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false);
return(new AuthenticateRequestResult {
ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId
});
}