search

OfficeDev / Microsoft-Teams-Samples

Welcome to the Microsoft Teams samples repository. Here you will find task-focused samples in C#, JavaScript and TypeScript to help you get started with the Microsoft Teams App!
MIT License
995 stars 769 forks source link

JWT Token Validation Not Rejecting Malformed Requests with CloudAdapter #1430

Open yashgandhi-32 opened 2 hours ago

yashgandhi-32 commented 2 hours ago

Description: I am using CloudAdapter from the botbuilder package and the createBotFrameworkAuthenticationFromConfiguration method for authentication. However, when I send a request with a malfunctioned JWT token, the request is not rejected by the SDK. I need guidance on how to secure the server to reject any requests that do not originate from Azure Bot Service.

Here’s a snippet of the authentication setup:

createBotFrameworkAuthenticationFromConfiguration(
    null,
    new ConfigurationServiceClientCredentialFactory({
      MicrosoftAppId: configService.get<string>('MICROSOFT_APP_ID'),
      MicrosoftAppPassword: configService.get<string>('MICROSOFT_APP_PASSWORD'),
      MicrosoftAppTenantId: configService.get<string>('MICROSOFT_APP_TENANT_ID'),
      MicrosoftAppType: configService.get<string>('MICROSOFT_APP_TYPE'),
    }),
  ),

Question: How can I ensure that only valid requests from Azure Bot Service with proper JWT tokens are accepted, and any malformed requests are rejected? Is there additional validation or middleware I should implement?

microsoft-github-policy-service[bot] commented 2 hours ago

Hi @yashgandhi-32! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform