Bot is not accepting v2 tokens from Bot Framework Emulator - Single Tenant Bots #6877

Open
sainath-reddy-gnv opened this issue Dec 16, 2024 · 4 comments

@sainath-reddy-gnv

Version

latest

Describe the bug

The bot fails with the error below when it is called from the Emulator by passing the Microsoft App ID, Microsoft App password, and Tenant ID:

fail: Microsoft.Bot.Builder.Integration.AspNet.Core.IBotFrameworkHttpAdapter[0]
      System.UnauthorizedAccessException: No valid identity
         at Microsoft.Bot.Connector.Authentication.ChannelValidation.AuthenticateChannelToken(String authHeader, ICredentialProvider credentials, HttpClient httpClient, String channelId, AuthenticationConfiguration authConfig)
         at Microsoft.Bot.Connector.Authentication.ChannelValidation.AuthenticateChannelToken(String authHeader, ICredentialProvider credentials, String serviceUrl, HttpClient httpClient, String channelId, AuthenticationConfiguration authConfig)       
         at Microsoft.Bot.Connector.Authentication.JwtTokenValidation.AuthenticateTokenAsync(String authHeader, ICredentialProvider credentials, IChannelProvider channelProvider, String channelId, AuthenticationConfiguration authConfig, String serviceUrl, HttpClient httpClient)
         at Microsoft.Bot.Connector.Authentication.JwtTokenValidation.ValidateAuthHeader(String authHeader, ICredentialProvider credentials, IChannelProvider channelProvider, String channelId, AuthenticationConfiguration authConfig, String serviceUrl, HttpClient httpClient)
         at Microsoft.Bot.Connector.Authentication.JwtTokenValidation.AuthenticateRequest(IActivity activity, String authHeader, ICredentialProvider credentials, IChannelProvider provider, AuthenticationConfiguration authConfig, HttpClient httpClient) 
         at Microsoft.Bot.Connector.Authentication.BuiltinBotFrameworkAuthentication.AuthenticateRequestAsync(Activity activity, String authHeader, CancellationToken cancellationToken)
         at Microsoft.Bot.Builder.CloudAdapterBase.ProcessActivityAsync(String authHeader, Activity activity, BotCallbackHandler callback, CancellationToken cancellationToken)
         at Microsoft.Bot.Builder.Integration.AspNet.Core.CloudAdapter.ProcessAsync(HttpRequest httpRequest, HttpResponse httpResponse, IBot bot, CancellationToken cancellationToken)

To Reproduce

Steps to reproduce the behavior:

  1. Edit manifest of bot app registration to accept only v2 tokens

  2. Run the Echo Bot Sample with the configuration below:
{
  "MicrosoftAppType": "SingleTenant",
  "MicrosoftAppId": "<Microsoft App ID>",
  "MicrosoftAppPassword": "<Microsoft App password>",
  "MicrosoftAppTenantId": "<Tenant ID>"
}
  3. Run Bot Framework Emulator and call the bot by passing Microsoft App ID, Microsoft App password, Tenant ID configured in the appsetting.json of the bot

Expected behavior

Bot should allow v2 tokens.

The following code needs to be updated to allow v2 tokens when calls come from Emulator.

ToBotFromEmulatorTokenValidationParameters.ValidIssuers.Concat(new string[] { newIssuer });

@sainath-reddy-gnv added the bug and needs-triage labels Dec 16, 2024

@sayali-MSFT

Thank you for your inquiry about your Teams app development issue!
We are checking the issue. We will get back to you shortly.

@dmvtech
Collaborator

dmvtech commented Dec 17, 2024

Hi @sainath-reddy-gnv

A few questions:

  • What version of the Bot.Builder SDK are you using?
  • What version of the Emulator are you using?
  • Are you using the localhost endpoint or an external endpoint with tunneling?
  • Can you confirm what the "Use version 1.0 authentication tokens" option is set to in the Emulator settings?

@sainath-reddy-gnv
Author

sainath-reddy-gnv commented Dec 17, 2024

Hi @dmvtech

I'm currently using the latest SDK code and the latest version of the Emulator. The issue is reproducible with the local endpoint.

I've tried selecting the "Use version 1.0 authentication tokens" option in the Emulator, but the token received by AD is still a v2 token. This is because we are modifying the app registration manifest to share v2 tokens.

The problem lies in this code

ToBotFromEmulatorTokenValidationParameters.ValidIssuers.Concat(new string[] { newIssuer });

In a Single Tenant authentication scenario, when the Emulator sends a request with v2 tokens, we are not considering the endpoint https://login.microsoftonline.com/{tenant-id}/v2.0 as a valid issuer.

However, in a Multi Tenant authentication scenario, we have this endpoint added as a valid issuer:

"https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/v2.0", // Auth v3.1, 2.0 token
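
The issuer mismatch described in the comment above, as an added diagnostic example (not part of the thread and not the SDK's code). It reads the `ver` and `iss` claims of a token without verifying the signature and checks them against two issuer lists. The tenant ID, the sample token, and the `v1Only` list are constructed assumptions.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Added diagnostic example, not SDK code. It reads claims WITHOUT verifying the
// signature, so use it only to see which issuer a validator must accept.
static class IssuerCheck
{
    static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns the "ver" and "iss" claims from a compact JWT's payload segment.
    static (string Ver, string Iss) ReadClaims(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        var root = doc.RootElement;
        return (root.GetProperty("ver").GetString(), root.GetProperty("iss").GetString());
    }

    static void Main()
    {
        const string tenant = "00000000-0000-0000-0000-000000000000"; // constructed placeholder
        var v1Issuer = $"https://sts.windows.net/{tenant}/";                 // v1 token issuer form
        var v2Issuer = $"https://login.microsoftonline.com/{tenant}/v2.0";   // v2 token issuer form

        // Constructed, unsigned sample shaped like a token issued when the app
        // registration has "requestedAccessTokenVersion": 2.
        var token = string.Join(".",
            B64Url("{\"typ\":\"JWT\"}"),
            B64Url($"{{\"ver\":\"2.0\",\"iss\":\"{v2Issuer}\"}}"),
            "sig");

        var (ver, iss) = ReadClaims(token);
        var v1Only = new[] { v1Issuer };          // assumed list lacking the tenant's v2 issuer
        var both = new[] { v1Issuer, v2Issuer };  // same list with the v2 issuer added

        Console.WriteLine($"ver={ver} iss={iss}");
        Console.WriteLine($"v1-only list accepts: {v1Only.Contains(iss)}");
        Console.WriteLine($"v1+v2 list accepts:   {both.Contains(iss)}");
    }
}
```

Running the same claim read against a token captured from a local test session shows which issuer string the bot's validator has to include; signature, audience, and lifetime checks still belong to the real validator.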

@dmvtech
Collaborator

dmvtech commented Dec 17, 2024

Was able to reproduce. Needed to restart Emulator entirely after making the manifest change to "requestedAccessTokenVersion": 2.

@dmvtech removed the needs-triage label Dec 17, 2024