From 2eba921dd7a15c486b67cb90e62ea7310b6e06eb Mon Sep 17 00:00:00 2001
From: tracyboehrer
Date: Mon, 9 Sep 2024 10:33:46 -0500
Subject: [PATCH] Fix for Skills endorsement check (#6846)
Co-authored-by: Tracy Boehrer
---
 .../Authentication/JwtTokenExtractor.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenExtractor.cs b/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenExtractor.cs
index 6e87659a27..0110de3388 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenExtractor.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenExtractor.cs
@@ -264,7 +264,7 @@ private async Task ValidateTokenAsync(string jwtToken, string c
 var keyId = parsedToken.SigningKey.KeyId;
 var endorsements = await _endorsementsData.GetConfigurationAsync().ConfigureAwait(false);
- // Note: On the Emulator Code Path, the endorsements collection is empty so the validation code
+ // Note: On the Emulator/Skills Code Path, the endorsements collection is empty so the validation code
 // below won't run. This is normal.
 if (!string.IsNullOrEmpty(keyId) && endorsements.TryGetValue(keyId, out var endorsementsForKey))
 {
@@ -287,10 +287,10 @@ private async Task ValidateTokenAsync(string jwtToken, string c
 }
 else
 {
- // If we are to skip endorsement check, we want to double check we are in the emulator by explictly checking the token
+ // If we are to skip endorsement check, we want to double check we are in the emulator/skill by explicitly checking the token
 // Instead of assuming that the token is from the emulator based on the empty endorsements collection
- var originalAuthHeader = "Bearer " + jwtToken; // We have to add the Bearer scheme back in for the Emulator check
- if (!EmulatorValidation.IsTokenFromEmulator(originalAuthHeader))
+ var originalAuthHeader = "Bearer " + jwtToken; // We have to add the Bearer scheme back in for the Emulator/Skill check
+ if (!EmulatorValidation.IsTokenFromEmulator(originalAuthHeader) && !SkillValidation.IsSkillToken(originalAuthHeader))
 {
 throw new UnauthorizedAccessException("Could not validate endorsement key.");
 }
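Review bot: The widened condition in the else branch lets any token for which `SkillValidation.IsSkillToken` returns true skip the endorsement requirement, and both helpers are handed the rebuilt `"Bearer " + jwtToken` string rather than the already-parsed `parsedToken`, so they presumably classify the token from its own claims. That is only safe if signature and issuer validation has already succeeded earlier in ValidateTokenAsync, which lies outside this hunk; the comment should say so, e.g. `// Claims-based classification only; relies on the signature validation performed above.` The branch is also reached when `keyId` is empty or has no entry in `endorsements` (first hunk), so a test asserting that a token which is neither emulator nor skill still gets `UnauthorizedAccessException` here would pin the fail-closed behaviour. The unchanged context line still reads "from the emulator based on the empty endorsements collection" and could be updated to mention skills as well.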