microsoft · sdawodu · Jul 12, 2022 · Jul 12, 2022 · Jul 12, 2022 · Jul 13, 2022
diff --git a/libraries/botbuilder-core/requirements.txt b/libraries/botbuilder-core/requirements.txt
@@ -3,6 +3,6 @@ botframework-connector==4.15.0
 botbuilder-schema==4.15.0
 botframework-streaming==4.15.0
 requests==2.27.1
-PyJWT==1.5.3
+PyJWT==2.4.0
 cryptography==3.3.2
 aiounittest==1.3.0
diff --git a/libraries/botbuilder-dialogs/requirements.txt b/libraries/botbuilder-dialogs/requirements.txt
@@ -3,6 +3,6 @@ botframework-connector==4.15.0
 botbuilder-schema==4.15.0
 botbuilder-core==4.15.0
 requests==2.27.1
-PyJWT==1.5.3
+PyJWT==2.4.0
 cryptography==3.3.2
 aiounittest==1.3.0
diff --git a/libraries/botframework-connector/botframework/connector/auth/emulator_validation.py b/libraries/botframework-connector/botframework/connector/auth/emulator_validation.py
@@ -63,7 +63,7 @@ def is_token_from_emulator(auth_header: str) -> bool:
         bearer_token = auth_header.split(" ")[1]
 
         # Parse the Big Long String into an actual token.
-        token = jwt.decode(bearer_token, verify=False)
+        token = jwt.decode(bearer_token, options={"verify_signature": False})
         if not token:
             return False
 

diff --git a/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py b/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
@@ -68,7 +68,7 @@ async def get_identity(
             raise error
 
     def _has_allowed_issuer(self, jwt_token: str) -> bool:
-        decoded = jwt.decode(jwt_token, verify=False)
+        decoded = jwt.decode(jwt_token, options={"verify_signature": False})
         issuer = decoded.get("iss", None)
         if issuer in self.validation_parameters.issuer:
             return True
@@ -111,6 +111,7 @@ async def _validate_token(
             metadata.public_key,
             leeway=self.validation_parameters.clock_tolerance,
             options=options,
+            algorithms=["RS256"]
         )
 
         claims = ClaimsIdentity(decoded_payload, True)

diff --git a/libraries/botframework-connector/botframework/connector/auth/skill_validation.py b/libraries/botframework-connector/botframework/connector/auth/skill_validation.py
@@ -55,7 +55,7 @@ def is_skill_token(auth_header: str) -> bool:
         bearer_token = auth_header.split(" ")[1]
 
         # Parse the Big Long String into an actual token.
-        token = jwt.decode(bearer_token, verify=False)
+        token = jwt.decode(bearer_token, options={"verify_signature": False})
         return SkillValidation.is_skill_claim(token)
 
     @staticmethod

diff --git a/libraries/botframework-connector/requirements.txt b/libraries/botframework-connector/requirements.txt
@@ -1,6 +1,6 @@
 msrest==0.6.*
 botbuilder-schema==4.15.0
 requests==2.27.1
-PyJWT==1.5.3
+PyJWT==2.4.0
 cryptography==3.3.2
 msal==1.*
diff --git a/libraries/botframework-connector/setup.py b/libraries/botframework-connector/setup.py
@@ -8,8 +8,8 @@
 VERSION = os.environ["packageVersion"] if "packageVersion" in os.environ else "4.15.0"
 REQUIRES = [
     "msrest==0.6.*",
-    "requests>=2.23.0,<2.26",
-    "PyJWT>=1.5.3,<2.0.0",
+    # "requests>=2.23.0,<2.26",
+    "PyJWT>=2.4.0",
     "botbuilder-schema==4.15.0",
     "msal==1.*",
 ]