JWT Token Validation Not Rejecting Malformed Requests with CloudAdapter

[yashgandhi-32]

Description: I am using CloudAdapter from the botbuilder package and the createBotFrameworkAuthenticationFromConfiguration method for authentication. However, when I send a request with a malfunctioned JWT token, the request is not rejected by the SDK. I need guidance on how to secure the server to reject any requests that do not originate from Azure Bot Service.

Here’s a snippet of the authentication setup:

createBotFrameworkAuthenticationFromConfiguration(
    null,
    new ConfigurationServiceClientCredentialFactory({
      MicrosoftAppId: configService.get<string>('MICROSOFT_APP_ID'),
      MicrosoftAppPassword: configService.get<string>('MICROSOFT_APP_PASSWORD'),
      MicrosoftAppTenantId: configService.get<string>('MICROSOFT_APP_TENANT_ID'),
      MicrosoftAppType: configService.get<string>('MICROSOFT_APP_TYPE'),
    }),
  ),

Question: How can I ensure that only valid requests from Azure Bot Service with proper JWT tokens are accepted, and any malformed requests are rejected? Is there additional validation or middleware I should implement?

[microsoft-github-policy-service]

Hi @yashgandhi-32! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform

[Meghana-MSFT]

@yashgandhi-32 - We will check this internally and get back to you.

[yashgandhi-32]

@Meghana-MSFT any update?

[Meghana-MSFT]

@yashgandhi-32 - We are checking this internally with engineering team. We will get back to you with an update.

[yashgandhi-32]

@Meghana-MSFT Its been a month .. could you tell me what's the update ?

[yashgandhi-32]

Bump @Prasad-MSFT @Nivedipa-MSFT ? could you pls help here. Thanks