/// <summary> /// Checks if the given list of claims represents a skill. /// </summary> /// <remarks> /// A skill claim should contain: /// An <see cref="AuthenticationConstants.VersionClaim"/> claim. /// An <see cref="AuthenticationConstants.AudienceClaim"/> claim. /// An <see cref="AuthenticationConstants.AppIdClaim"/> claim (v1) or an a <see cref="AuthenticationConstants.AuthorizedParty"/> claim (v2). /// And the appId claim should be different than the audience claim. /// When a channel (webchat, teams, etc.) invokes a bot, the <see cref="AuthenticationConstants.AudienceClaim"/> /// is set to <see cref="AuthenticationConstants.ToBotFromChannelTokenIssuer"/> but when a bot calls another bot, /// the audience claim is set to the appId of the bot being invoked. /// The protocol supports v1 and v2 tokens: /// For v1 tokens, the <see cref="AuthenticationConstants.AppIdClaim"/> is present and set to the app Id of the calling bot. /// For v2 tokens, the <see cref="AuthenticationConstants.AuthorizedParty"/> is present and set to the app Id of the calling bot. /// </remarks> /// <param name="claims">A list of claims.</param> /// <returns>True if the list of claims is a skill claim, false if is not.</returns> public static bool IsSkillClaim(IEnumerable <Claim> claims) { var claimsList = claims.ToList(); if (claimsList.Any(c => c.Value == AuthenticationConstants.AnonymousSkillAppId && c.Type == AuthenticationConstants.AppIdClaim)) { return(true); } var version = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.VersionClaim); if (string.IsNullOrWhiteSpace(version?.Value)) { // Must have a version claim. return(false); } var audience = claimsList.FirstOrDefault(claim => claim.Type == AuthenticationConstants.AudienceClaim)?.Value; if (string.IsNullOrWhiteSpace(audience) || AuthenticationConstants.ToBotFromChannelTokenIssuer.Equals(audience, StringComparison.OrdinalIgnoreCase)) { // The audience is https://api.botframework.com and not an appId. return(false); } var appId = JwtTokenValidation.GetAppIdFromClaims(claimsList); if (string.IsNullOrWhiteSpace(appId)) { return(false); } // Skill claims must contain and app ID and the AppID must be different than the audience. return(appId != audience); }
/// <inheritdoc/> public override Task ValidateClaimsAsync(IList <Claim> claims) { if (SkillValidation.IsSkillClaim(claims)) { // Check that the appId claim in the skill request is in the list of skills configured for this bot. var appId = JwtTokenValidation.GetAppIdFromClaims(claims); if (!_allowedSkills.Contains(appId)) { throw new UnauthorizedAccessException($"Received a request from an application with an appID of \"{appId}\". To enable requests from this skill, add the skill to your configuration file."); } } return(Task.CompletedTask); }
internal static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialProvider credentials) { if (identity == null) { // No valid identity. Not Authorized. throw new UnauthorizedAccessException("Invalid Identity"); } if (!identity.IsAuthenticated) { // The token is in some way invalid. Not Authorized. throw new UnauthorizedAccessException("Token Not Authenticated"); } var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim); if (versionClaim == null) { // No version claim throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens."); } // Look for the "aud" claim, but only if issued from the Bot Framework var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value; if (string.IsNullOrWhiteSpace(audienceClaim)) { // Claim is not present or doesn't have a value. Not Authorized. throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens."); } if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false)) { // The AppId is not valid. Not Authorized. throw new UnauthorizedAccessException($"Invalid audience."); } var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims); if (string.IsNullOrWhiteSpace(appId)) { // Invalid appId throw new UnauthorizedAccessException($"Invalid appId."); } // TODO: check the appId against the registered skill client IDs. // Check the AppId and ensure that only works against my whitelist authConfig can have info on how to get the // whitelist AuthenticationConfiguration // We may need to add a ClaimsIdentityValidator delegate or class that allows the dev to inject a custom validator. }
/// <summary> /// Generates the appropriate callerId to write onto the activity, this might be null. /// </summary> /// <param name="credentialFactory">A <see cref="ServiceClientCredentialsFactory"/> to use.</param> /// <param name="claimsIdentity">The inbound claims.</param> /// <param name="callerId">The default callerId to use if this is not a skill.</param> /// <param name="cancellationToken">A cancellation token.</param> /// <returns>The callerId, this might be null.</returns> protected internal async Task <string> GenerateCallerIdAsync(ServiceClientCredentialsFactory credentialFactory, ClaimsIdentity claimsIdentity, string callerId, CancellationToken cancellationToken) { // Is the bot accepting all incoming messages? if (await credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false)) { // Return null so that the callerId is cleared. return(null); } // Is the activity from another bot? return(SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? $"{CallerIdConstants.BotToBotPrefix}{JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims)}" : callerId); }
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken) { var claimsIdentity = await JwtTokenValidation.AuthenticateRequest(activity, authHeader, new DelegatingCredentialProvider(_credentialFactory), GetChannelProvider(), _authConfiguration, _httpClient).ConfigureAwait(false); var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope; var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false); var connectorFactory = new ConnectorFactoryImpl(GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _loginEndpoint, true, _credentialFactory, _httpClient, _logger); return(new AuthenticateRequestResult { ClaimsIdentity = claimsIdentity, Scope = scope, CallerId = callerId, ConnectorFactory = connectorFactory }); }
public override async Task <AuthenticateRequestResult> AuthenticateRequestAsync(Activity activity, string authHeader, CancellationToken cancellationToken) { var claimsIdentity = await JwtTokenValidation_AuthenticateRequestAsync(activity, authHeader, _credentialFactory, _authConfiguration, _httpClient, cancellationToken).ConfigureAwait(false); var scope = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope; var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, cancellationToken).ConfigureAwait(false); var connectorFactory = new ConnectorFactoryImpl(BuiltinBotFrameworkAuthentication.GetAppId(claimsIdentity), _toChannelFromBotOAuthScope, _toChannelFromBotLoginUrl, _validateAuthority, _credentialFactory, _httpClient, _logger); return(new AuthenticateRequestResult { ClaimsIdentity = claimsIdentity, Scope = scope, CallerId = callerId, ConnectorFactory = connectorFactory }); }
internal static async Task ValidateIdentityAsync(ClaimsIdentity identity, ICredentialProvider credentials) { if (identity == null) { // No valid identity. Not Authorized. throw new UnauthorizedAccessException("Invalid Identity"); } if (!identity.IsAuthenticated) { // The token is in some way invalid. Not Authorized. throw new UnauthorizedAccessException("Token Not Authenticated"); } var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim); if (versionClaim == null) { // No version claim throw new UnauthorizedAccessException($"'{AuthenticationConstants.VersionClaim}' claim is required on skill Tokens."); } // Look for the "aud" claim, but only if issued from the Bot Framework var audienceClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.AudienceClaim)?.Value; if (string.IsNullOrWhiteSpace(audienceClaim)) { // Claim is not present or doesn't have a value. Not Authorized. throw new UnauthorizedAccessException($"'{AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens."); } if (!await credentials.IsValidAppIdAsync(audienceClaim).ConfigureAwait(false)) { // The AppId is not valid. Not Authorized. throw new UnauthorizedAccessException("Invalid audience."); } var appId = JwtTokenValidation.GetAppIdFromClaims(identity.Claims); if (string.IsNullOrWhiteSpace(appId)) { // Invalid appId throw new UnauthorizedAccessException("Invalid appId."); } }
/// <summary> /// Validate a list of claims and throw an exception if it fails. /// </summary> /// <param name="claims">The list of claims to validate.</param> /// <returns>True if the validation is successful, false if not.</returns> public override Task ValidateClaimsAsync(IList <Claim> claims) { if (claims == null) { throw new ArgumentNullException(nameof(claims)); } // If _allowedCallers contains an "*", allow all callers. if (SkillValidation.IsSkillClaim(claims) && !_allowedCallers.Contains("*")) { // Check that the appId claim in the skill request is in the list of callers configured for this bot. var applicationId = JwtTokenValidation.GetAppIdFromClaims(claims); if (!_allowedCallers.Contains(applicationId)) { throw new UnauthorizedAccessException( $"Received a request from a bot with an app ID of \"{applicationId}\". To enable requests from this caller, add the app ID to the configured set of allowedCallers."); } } return(Task.CompletedTask); }
public override async Task <AuthenticateRequestResult> AuthenticateStreamingRequestAsync(string authHeader, string channelIdHeader, CancellationToken cancellationToken) { if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false)) { throw new UnauthorizedAccessException(); } var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, channelIdHeader, null, cancellationToken).ConfigureAwait(false); var outboundAudience = SkillValidation.IsSkillClaim(claimsIdentity.Claims) ? JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims) : _toChannelFromBotOAuthScope; var callerId = await GenerateCallerIdAsync(_credentialFactory, claimsIdentity, _callerId, cancellationToken).ConfigureAwait(false); return(new AuthenticateRequestResult { ClaimsIdentity = claimsIdentity, Audience = outboundAudience, CallerId = callerId }); }