Fix for Skills endorsement check (#6846)

Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
microsoft · Sep 9, 2024 · 2eba921 · 2eba921
1 parent bfbbbca
commit 2eba921
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenExtractor.cs b/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenExtractor.cs
@@ -264,7 +264,7 @@ private async Task<ClaimsPrincipal> ValidateTokenAsync(string jwtToken, string c
  var keyId = parsedToken.SigningKey.KeyId;
  var endorsements = await _endorsementsData.GetConfigurationAsync().ConfigureAwait(false);
 
- // Note: On the Emulator Code Path, the endorsements collection is empty so the validation code
+ // Note: On the Emulator/Skills Code Path, the endorsements collection is empty so the validation code
  // below won't run. This is normal.
  if (!string.IsNullOrEmpty(keyId) && endorsements.TryGetValue(keyId, out var endorsementsForKey))
  {
@@ -287,10 +287,10 @@ private async Task<ClaimsPrincipal> ValidateTokenAsync(string jwtToken, string c
  }
  else 
  {
- // If we are to skip endorsement check, we want to double check we are in the emulator by explictly checking the token
+ // If we are to skip endorsement check, we want to double check we are in the emulator/skill by explicitly checking the token
  // Instead of assuming that the token is from the emulator based on the empty endorsements collection
- var originalAuthHeader = "Bearer " + jwtToken; // We have to add the Bearer scheme back in for the Emulator check
- if (!EmulatorValidation.IsTokenFromEmulator(originalAuthHeader)) 
+ var originalAuthHeader = "Bearer " + jwtToken; // We have to add the Bearer scheme back in for the Emulator/Skill check
+ if (!EmulatorValidation.IsTokenFromEmulator(originalAuthHeader) && !SkillValidation.IsSkillToken(originalAuthHeader)) 
  {
  throw new UnauthorizedAccessException("Could not validate endorsement key.");
  }