From 3838b21217ff1429aaa5ddb2ee860900f6625cbb Mon Sep 17 00:00:00 2001
From: Tracy Boehrer
Date: Thu, 27 Oct 2022 13:26:41 -0500
Subject: [PATCH 1/2] PyJWT udpated by sdawodu
---
 libraries/botbuilder-core/requirements.txt | 2 +-
 libraries/botbuilder-dialogs/requirements.txt | 2 +-
 .../botframework/connector/auth/emulator_validation.py | 2 +-
 .../botframework/connector/auth/jwt_token_extractor.py | 3 ++-
 .../botframework/connector/auth/skill_validation.py | 2 +-
 libraries/botframework-connector/requirements.txt | 2 +-
 libraries/botframework-connector/setup.py | 4 ++--
 7 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/libraries/botbuilder-core/requirements.txt b/libraries/botbuilder-core/requirements.txt
index c933544d4..b87a22a74 100644
--- a/libraries/botbuilder-core/requirements.txt
+++ b/libraries/botbuilder-core/requirements.txt
@@ -3,6 +3,6 @@ botframework-connector==4.15.0
 botbuilder-schema==4.15.0
 botframework-streaming==4.15.0
 requests==2.27.1
-PyJWT==1.5.3
+PyJWT==2.4.0
 cryptography==3.3.2
 aiounittest==1.3.0
\ No newline at end of file
diff --git a/libraries/botbuilder-dialogs/requirements.txt b/libraries/botbuilder-dialogs/requirements.txt
index 9508042c7..3907a2b3d 100644
--- a/libraries/botbuilder-dialogs/requirements.txt
+++ b/libraries/botbuilder-dialogs/requirements.txt
@@ -3,6 +3,6 @@ botframework-connector==4.15.0
 botbuilder-schema==4.15.0
 botbuilder-core==4.15.0
 requests==2.27.1
-PyJWT==1.5.3
+PyJWT==2.4.0
 cryptography==3.3.2
 aiounittest==1.3.0
diff --git a/libraries/botframework-connector/botframework/connector/auth/emulator_validation.py b/libraries/botframework-connector/botframework/connector/auth/emulator_validation.py
index c5daa588b..57c961ddc 100644
--- a/libraries/botframework-connector/botframework/connector/auth/emulator_validation.py
+++ b/libraries/botframework-connector/botframework/connector/auth/emulator_validation.py
@@ -63,7 +63,7 @@ def is_token_from_emulator(auth_header: str) -> bool:
 bearer_token = auth_header.split(" ")[1]
 # Parse the Big Long String into an actual token.
- token = jwt.decode(bearer_token, verify=False)
+ token = jwt.decode(bearer_token, options={"verify_signature": False})
 if not token:
 return False
diff --git a/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py b/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
index 91dd5d221..6724894d4 100644
--- a/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
+++ b/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
@@ -68,7 +68,7 @@ async def get_identity(
 raise error
 def _has_allowed_issuer(self, jwt_token: str) -> bool:
- decoded = jwt.decode(jwt_token, verify=False)
+ decoded = jwt.decode(jwt_token, options={"verify_signature": False})
 issuer = decoded.get("iss", None)
 if issuer in self.validation_parameters.issuer:
 return True
@@ -111,6 +111,7 @@ async def _validate_token(
 metadata.public_key,
 leeway=self.validation_parameters.clock_tolerance,
 options=options,
+ algorithms=["RS256"]
 )
 claims = ClaimsIdentity(decoded_payload, True)
diff --git a/libraries/botframework-connector/botframework/connector/auth/skill_validation.py b/libraries/botframework-connector/botframework/connector/auth/skill_validation.py
index fb3f7a1a8..d23572e3f 100644
--- a/libraries/botframework-connector/botframework/connector/auth/skill_validation.py
+++ b/libraries/botframework-connector/botframework/connector/auth/skill_validation.py
@@ -55,7 +55,7 @@ def is_skill_token(auth_header: str) -> bool:
 bearer_token = auth_header.split(" ")[1]
 # Parse the Big Long String into an actual token.
- token = jwt.decode(bearer_token, verify=False)
+ token = jwt.decode(bearer_token, options={"verify_signature": False})
 return SkillValidation.is_skill_claim(token)
 @staticmethod
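Review bot: The result of `jwt.decode(bearer_token, options={"verify_signature": False})` in `is_token_from_emulator` is unauthenticated, and the existing comment ("Parse the Big Long String into an actual token") does not say so; the same applies to the identical calls in `_has_allowed_issuer` and `is_skill_token` later in this patch. With PyJWT 2.x, turning off `verify_signature` also leaves the `exp`, `nbf`, `iat`, `aud` and `iss` checks off by default, so every claim read here is caller-controlled. I would add a comment at each call such as `# Unverified decode: claims are untrusted and are used only to select the validator; authorization must wait for the signature-checked decode.` A malformed token makes this call raise `jwt.DecodeError` rather than return a falsy value, so the `if not token` line does not cover that case; whether callers catch it is not visible, since the function starts and ends outside the hunk.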
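Review bot: The accepted algorithm is a bare literal, `algorithms=["RS256"]`, inside the `jwt.decode` call in `_validate_token`, with no comment on why it is pinned. Pinning is what PyJWT 2.x requires for a verified decode, and it keeps the token's own `alg` header from choosing the verification method, so it deserves a one-line comment, e.g. `# Pin the signature algorithm; never derive it from the token header.` If the extractor is also configured with a list of allowed algorithms elsewhere in the class (not visible here; only the tail of the call is in the hunk), pass that list instead so the two cannot drift apart.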
diff --git a/libraries/botframework-connector/requirements.txt b/libraries/botframework-connector/requirements.txt
index e68829865..118e3f311 100644
--- a/libraries/botframework-connector/requirements.txt
+++ b/libraries/botframework-connector/requirements.txt
@@ -1,6 +1,6 @@
 msrest==0.6.*
 botbuilder-schema==4.15.0
 requests==2.27.1
-PyJWT==1.5.3
+PyJWT==2.4.0
 cryptography==3.3.2
 msal==1.*
diff --git a/libraries/botframework-connector/setup.py b/libraries/botframework-connector/setup.py
index ba972fe69..15411c492 100644
--- a/libraries/botframework-connector/setup.py
+++ b/libraries/botframework-connector/setup.py
@@ -8,8 +8,8 @@
 VERSION = os.environ["packageVersion"] if "packageVersion" in os.environ else "4.15.0"
 REQUIRES = [
 "msrest==0.6.*",
- "requests>=2.23.0,<2.26",
- "PyJWT>=1.5.3,<2.0.0",
+ # "requests>=2.23.0,<2.26",
+ "PyJWT>=2.4.0",
 "botbuilder-schema==4.15.0",
 "msal==1.*",
 ]
From 4720628a942f6c4d40c50f4dca01101fa7ddeb38 Mon Sep 17 00:00:00 2001
From: Tracy Boehrer
Date: Thu, 27 Oct 2022 13:34:11 -0500
Subject: [PATCH 2/2] 'black' formatting
---
 .../botframework/connector/auth/jwt_token_extractor.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py b/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
index 6724894d4..a030c3fb7 100644
--- a/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
+++ b/libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
@@ -111,7 +111,7 @@ async def _validate_token(
 metadata.public_key,
 leeway=self.validation_parameters.clock_tolerance,
 options=options,
- algorithms=["RS256"]
+ algorithms=["RS256"],
 )
 claims = ClaimsIdentity(decoded_payload, True)
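Review bot: `"PyJWT>=2.4.0"` in `REQUIRES` (setup.py) has no upper bound, while the range it replaces stopped at `<2.0.0` and the requirements files in this patch pin `PyJWT==2.4.0`. This same commit had to rewrite every `jwt.decode` call because of a major-version API break, so an open range lets a future major release be installed against auth code that was never tested with it; `"PyJWT>=2.4.0,<3.0.0",` keeps the upgrade and the guard. The `requests` requirement is disabled by commenting it out (`# "requests>=2.23.0,<2.26",`), which drops the dependency from the package metadata and leaves dead text in the list: either delete the line or replace it with a range that matches the `requests==2.27.1` pin.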