Validate incoming JWT tokens from the bot framework

[losterloh]

Proposed changes:
This PR enables JSON Web Token validation for the JWTs coming in from the Azure botframework channel. This is achieved by periodically updating the keys that Microsoft uses to sign the tokens, saving those in memory, and then validating the tokens and verifying their signature for incoming requests from the bot framework.
For details on how the botframework does authentication, see here.

Status (please check what you already did):

• added some tests for the functionality
• updated the documentation
• updated the changelog (please check changelog for instructions)
• reformat files using black (please check Readme for instructions)

[losterloh]

For now, I'd say a daily update of the JWT keys is plenty, and also currently no need to make this configurable.

[ancalita]

Looks good 😎
Made some style suggestions, and if possible, some unit tests covering different scenarios for peace of mind 🙏🏼

[losterloh]

@ancalita I think I found a good way to test the auth stuff, thanks for pointing that out. Also, made me learn a lot about JWT in the process 😅

[ancalita]

Great work 💯
Left some existential questions about the type of status to be returned in some cases 😄 .
Also please look at the additional comments in the unit tests to strengthen the existing assertions 💪🏼

[github-actions]

🚀 A preview of the docs have been deployed at the following URL: https://11129--rasahq-docs-rasa-v2.netlify.app/docs/rasa

[ancalita]

🎉 Thank you for addressing those extra assertions 💯

[Maxinho96]

Hello, thank you for implementing this.
Before this change I addressed this issue myself using a custom channel component. I leveraged the jwt.PyJWKClient (ref), which should already handle caching (ref). The important thing is to keep an instance of the PyJWKClient in the channel object for its whole lifecycle, like this:

@cached_property # This ensures the jwks_client is instantiated only at the first call
def jwks_client(self) -> PyJWKClient:
    try:
        openid_metadata = requests.get(
            "https://login.botframework.com/v1/.well-known/openidconfiguration"
        ).json()
        jwks_uri = openid_metadata["jwks_uri"]
        jwks_client = PyJWKClient(jwks_uri)
    except Exception as e:
        logger.exception(e)
        raise sanic.exceptions.Unauthorized(
            "Cannot retrieve the Botframework JWKS URI."
        )

    return jwks_client

def _check_jwt(self, request: Request) -> None:
    try:
        key = self.jwks_client.get_signing_key_from_jwt(request.token).key
    except Exception as e:
        logger.exception(e)
        raise sanic.exceptions.Unauthorized(
            "Cannot retrieve the Botframework public key."
        )

    try:
        jwt.decode(
            request.token, key, audience=self.app_id, algorithms=["RS256"]
        )
    except jwt.exceptions.ExpiredSignatureError as e:
        logger.exception(e)
        raise sanic.exceptions.SanicException(
            status_code=440,
            message="The JWT has expired.",
            quiet=True,
        )
    except jwt.InvalidSignatureError as e:
        logger.exception(e)
        raise sanic.exceptions.Unauthorized("Invalid JWT signature.")
    except Exception as e:
        logger.exception(e)
        raise sanic.exceptions.Unauthorized("Could not verify JWT.")

You could consider switching to this class instead of handling cache by your own. Hope you find this useful.

[losterloh]

@Maxinho96 thank you for pointing thejwt.PyJWKClient out, did not know about that one before and looks great! We'll consider refactoring this again to use that.