fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to https://login.botframework.com/v1/.well-known/openidconfiguration (#4583)

* Provide proxy setting to openIdMetadata

* Replace @azure/ms-rest-js with @azure/core-http

* Add missing agent settings in getKeys call

Author: ceciliaavila

libraries/botframework-connector/package.json

@@ -34,7 +34,9 @@
     "botbuilder-stdlib": "4.1.6",
     "botframework-schema": "4.1.6",
     "cross-fetch": "^3.0.5",
+    "https-proxy-agent": "^7.0.2",
     "jsonwebtoken": "^9.0.0",
+    "node-fetch": "^2.6.7",
     "rsa-pem-from-mod-exp": "^0.8.4",
     "zod": "^3.22.4",
     "openssl-wrapper": "^0.3.4"

libraries/botframework-connector/src/auth/jwtTokenExtractor.ts

@@ -12,6 +12,7 @@ import { EndorsementsValidator } from './endorsementsValidator';
 import { OpenIdMetadata } from './openIdMetadata';
 import { AuthenticationError } from './authenticationError';
 import { StatusCodes } from 'botframework-schema';
+import { ProxySettings } from '@azure/core-http';
 
 /**
  * A JWT token processing class that gets identity information and performs security token validation.
@@ -32,17 +33,23 @@ export class JwtTokenExtractor {
      * @param tokenValidationParameters Token validation parameters.
      * @param metadataUrl Metadata Url.
      * @param allowedSigningAlgorithms Allowed signing algorithms.
+     * @param proxySettings The proxy settings for the request.
      */
-    constructor(tokenValidationParameters: VerifyOptions, metadataUrl: string, allowedSigningAlgorithms: string[]) {
+    constructor(
+        tokenValidationParameters: VerifyOptions,
+        metadataUrl: string,
+        allowedSigningAlgorithms: string[],
+        proxySettings?: ProxySettings
+    ) {
         this.tokenValidationParameters = { ...tokenValidationParameters };
         this.tokenValidationParameters.algorithms = allowedSigningAlgorithms;
-        this.openIdMetadata = JwtTokenExtractor.getOrAddOpenIdMetadata(metadataUrl);
+        this.openIdMetadata = JwtTokenExtractor.getOrAddOpenIdMetadata(metadataUrl, proxySettings);
     }
 
-    private static getOrAddOpenIdMetadata(metadataUrl: string): OpenIdMetadata {
+    private static getOrAddOpenIdMetadata(metadataUrl: string, proxySettings?: ProxySettings): OpenIdMetadata {
         let metadata = this.openIdMetadataCache.get(metadataUrl);
         if (!metadata) {
-            metadata = new OpenIdMetadata(metadataUrl);
+            metadata = new OpenIdMetadata(metadataUrl, proxySettings);
             this.openIdMetadataCache.set(metadataUrl, metadata);
         }
 

libraries/botframework-connector/src/auth/openIdMetadata.ts

@@ -8,9 +8,11 @@
 
 import * as getPem from 'rsa-pem-from-mod-exp';
 import base64url from 'base64url';
-import fetch from 'cross-fetch';
+import fetch from 'node-fetch';
+import { HttpsProxyAgent } from 'https-proxy-agent';
 import { AuthenticationError } from './authenticationError';
 import { StatusCodes } from 'botframework-schema';
+import { ProxySettings } from '@azure/core-http';
 
 /**
  * Class in charge of manage OpenId metadata.
@@ -23,8 +25,9 @@ export class OpenIdMetadata {
      * Initializes a new instance of the [OpenIdMetadata](xref:botframework-connector.OpenIdMetadata) class.
      *
      * @param url Metadata Url.
+     * @param proxySettings The proxy settings for the request.
      */
-    constructor(private url: string) {}
+    constructor(private url: string, private proxySettings?: ProxySettings) {}
 
     /**
      * Gets the Signing key.
@@ -56,12 +59,17 @@ export class OpenIdMetadata {
      * @private
      */
     private async refreshCache(): Promise<void> {
-        const res = await fetch(this.url);
+        let agent = null;
+        if (this.proxySettings) {
+            const proxyUrl = `http://${this.proxySettings.host}:${this.proxySettings.port}`;
+            agent = new HttpsProxyAgent(proxyUrl);
+        }
+        const res = await fetch(this.url, { agent: agent });
 
         if (res.ok) {
             const openIdConfig = (await res.json()) as IOpenIdConfig;
 
-            const getKeyResponse = await fetch(openIdConfig.jwks_uri);
+            const getKeyResponse = await fetch(openIdConfig.jwks_uri, { agent: agent });
             if (getKeyResponse.ok) {
                 this.lastUpdated = new Date().getTime();
                 this.keys = (await getKeyResponse.json()).keys as IKey[];

libraries/botframework-connector/src/auth/parameterizedBotFrameworkAuthentication.ts

@@ -303,7 +303,8 @@ export class ParameterizedBotFrameworkAuthentication extends BotFrameworkAuthent
         const tokenExtractor = new JwtTokenExtractor(
             verifyOptions,
             this.toBotFromEmulatorOpenIdMetadataUrl,
-            AuthenticationConstants.AllowedSigningAlgorithms
+            AuthenticationConstants.AllowedSigningAlgorithms,
+            this.connectorClientOptions?.proxySettings
         );
 
         const parts: string[] = authHeader.split(' ');
@@ -389,7 +390,8 @@ export class ParameterizedBotFrameworkAuthentication extends BotFrameworkAuthent
         const tokenExtractor: JwtTokenExtractor = new JwtTokenExtractor(
             verifyOptions,
             this.toBotFromEmulatorOpenIdMetadataUrl,
-            AuthenticationConstants.AllowedSigningAlgorithms
+            AuthenticationConstants.AllowedSigningAlgorithms,
+            this.connectorClientOptions?.proxySettings
         );
 
         const identity: ClaimsIdentity = await tokenExtractor.getIdentityFromAuthHeader(
@@ -475,7 +477,8 @@ export class ParameterizedBotFrameworkAuthentication extends BotFrameworkAuthent
         const tokenExtractor: JwtTokenExtractor = new JwtTokenExtractor(
             tokenValidationParameters,
             this.toBotFromChannelOpenIdMetadataUrl,
-            AuthenticationConstants.AllowedSigningAlgorithms
+            AuthenticationConstants.AllowedSigningAlgorithms,
+            this.connectorClientOptions?.proxySettings
         );
 
         const identity: ClaimsIdentity = await tokenExtractor.getIdentityFromAuthHeader(

yarn.lock

@@ -2782,6 +2782,13 @@ agent-base@6:
   dependencies:
     debug "4"
 
+agent-base@^7.0.2:
+  version "7.1.0"
+  resolved "https://registry.yarnpkg.com/agent-base/-/agent-base-7.1.0.tgz#536802b76bc0b34aa50195eb2442276d613e3434"
+  integrity sha512-o/zjMZRhJxny7OyEF+Op8X+efiELC7k7yOjMzgfzVqOzXqkBkWI79YoTdOtsuWd5BWhAGAuOY/Xa6xpiaWXiNg==
+  dependencies:
+    debug "^4.3.4"
+
 agentkeepalive@^4.1.3:
   version "4.1.4"
   resolved "https://registry.yarnpkg.com/agentkeepalive/-/agentkeepalive-4.1.4.tgz#d928028a4862cb11718e55227872e842a44c945b"
@@ -7398,6 +7405,14 @@ [email protected], https-proxy-agent@^5.0.0:
     agent-base "6"
     debug "4"
 
+https-proxy-agent@^7.0.2:
+  version "7.0.2"
+  resolved "https://registry.yarnpkg.com/https-proxy-agent/-/https-proxy-agent-7.0.2.tgz#e2645b846b90e96c6e6f347fb5b2e41f1590b09b"
+  integrity sha512-NmLNjm6ucYwtcUmL7JQC1ZQ57LmHP4lT15FQ8D61nak1rO6DH+fz5qNK2Ap5UN4ZapYICE3/0KodcLYSPsPbaA==
+  dependencies:
+    agent-base "^7.0.2"
+    debug "4"
+
 humanize-ms@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/humanize-ms/-/humanize-ms-1.2.1.tgz#c46e3159a293f6b896da29316d8b6fe8bb79bbed"