GitDakky
diff --git a/‎doc/SkillClaimsValidation.md
Lines changed: 8 additions & 0 deletions b/‎doc/SkillClaimsValidation.md
Lines changed: 8 additions & 0 deletions
diff --git a/‎libraries/botbuilder-adapters-slack/tests/test_slack_client.py
Lines changed: 1 addition & 1 deletion b/‎libraries/botbuilder-adapters-slack/tests/test_slack_client.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎libraries/botbuilder-core/botbuilder/core/bot_framework_adapter.py
Lines changed: 0 additions & 13 deletions b/‎libraries/botbuilder-core/botbuilder/core/bot_framework_adapter.py
Lines changed: 0 additions & 13 deletions
diff --git a/‎libraries/botbuilder-core/botbuilder/core/configuration_service_client_credentials_factory.py
Lines changed: 0 additions & 19 deletions b/‎libraries/botbuilder-core/botbuilder/core/configuration_service_client_credentials_factory.py
Lines changed: 0 additions & 19 deletions
diff --git a/‎libraries/botbuilder-core/tests/test_bot_framework_adapter.py
Lines changed: 0 additions & 12 deletions b/‎libraries/botbuilder-core/tests/test_bot_framework_adapter.py
Lines changed: 0 additions & 12 deletions
diff --git a/‎libraries/botbuilder-integration-aiohttp/botbuilder/integration/aiohttp/bot_framework_http_adapter.py
Lines changed: 0 additions & 6 deletions b/‎libraries/botbuilder-integration-aiohttp/botbuilder/integration/aiohttp/bot_framework_http_adapter.py
Lines changed: 0 additions & 6 deletions
diff --git a/‎libraries/botbuilder-integration-aiohttp/botbuilder/integration/aiohttp/configuration_service_client_credential_factory.py
Lines changed: 34 additions & 4 deletions b/‎libraries/botbuilder-integration-aiohttp/botbuilder/integration/aiohttp/configuration_service_client_credential_factory.py
Lines changed: 34 additions & 4 deletions
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/_bot_framework_client_impl.py
Lines changed: 1 addition & 4 deletions b/‎libraries/botframework-connector/botframework/connector/auth/_bot_framework_client_impl.py
Lines changed: 1 addition & 4 deletions
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/_built_in_bot_framework_authentication.py
Lines changed: 1 addition & 1 deletion b/‎libraries/botframework-connector/botframework/connector/auth/_built_in_bot_framework_authentication.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/_government_cloud_bot_framework_authentication.py
Lines changed: 1 addition & 1 deletion b/‎libraries/botframework-connector/botframework/connector/auth/_government_cloud_bot_framework_authentication.py
Lines changed: 1 addition & 1 deletion
@@ -48,3 +48,11 @@ ADAPTER = BotFrameworkAdapter(
     SETTINGS,
 )
 ```
+
+For SingleTenant type bots, the additional issuers must be added based on the tenant id:
+```python
+AUTH_CONFIG = AuthenticationConfiguration(
+    claims_validator=AllowedSkillsClaimsValidator(CONFIG).claims_validator,
+    tenant_id=the_tenant_id
+)
+```
@@ -12,7 +12,7 @@
 import requests
 import pytest
 
-SKIP = os.getenv("SlackChannel") == ''
+SKIP = os.getenv("SlackChannel") == ""
 
 
 class SlackClient(aiounittest.AsyncTestCase):
 
@@ -279,19 +279,6 @@ async def continue_conversation(
         context.turn_state[BotAdapter.BOT_CALLBACK_HANDLER_KEY] = callback
         context.turn_state[BotAdapter.BOT_OAUTH_SCOPE_KEY] = audience
 
-        # If we receive a valid app id in the incoming token claims, add the channel service URL to the
-        # trusted services list so we can send messages back.
-        # The service URL for skills is trusted because it is applied by the SkillHandler based on the original
-        # request received by the root bot
-        app_id_from_claims = JwtTokenValidation.get_app_id_from_claims(
-            claims_identity.claims
-        )
-        if app_id_from_claims:
-            if SkillValidation.is_skill_claim(
-                claims_identity.claims
-            ) or await self._credential_provider.is_valid_appid(app_id_from_claims):
-                AppCredentials.trust_service_url(reference.service_url)
-
         client = await self.create_connector_client(
             reference.service_url, claims_identity, audience
         )
 
@@ -621,14 +621,8 @@ async def callback(context: TurnContext):
             scope = context.turn_state[BotFrameworkAdapter.BOT_OAUTH_SCOPE_KEY]
             assert AuthenticationConstants.TO_CHANNEL_FROM_BOT_OAUTH_SCOPE == scope
 
-            # Ensure the serviceUrl was added to the trusted hosts
-            assert AppCredentials.is_trusted_service(channel_service_url)
-
         refs = ConversationReference(service_url=channel_service_url)
 
-        # Ensure the serviceUrl is NOT in the trusted hosts
-        assert not AppCredentials.is_trusted_service(channel_service_url)
-
         await adapter.continue_conversation(
             refs, callback, claims_identity=skills_identity
         )
@@ -694,14 +688,8 @@ async def callback(context: TurnContext):
             scope = context.turn_state[BotFrameworkAdapter.BOT_OAUTH_SCOPE_KEY]
             assert skill_2_app_id == scope
 
-            # Ensure the serviceUrl was added to the trusted hosts
-            assert AppCredentials.is_trusted_service(skill_2_service_url)
-
         refs = ConversationReference(service_url=skill_2_service_url)
 
-        # Ensure the serviceUrl is NOT in the trusted hosts
-        assert not AppCredentials.is_trusted_service(skill_2_service_url)
-
         await adapter.continue_conversation(
             refs, callback, claims_identity=skills_identity, audience=skill_2_app_id
         )
 
@@ -188,12 +188,6 @@ async def _http_authenticate_request(self, request: Request) -> bool:
                     )
                 )
 
-                # Add ServiceURL to the cache of trusted sites in order to allow token refreshing.
-                self._credentials.trust_service_url(
-                    claims_identity.claims.get(
-                        AuthenticationConstants.SERVICE_URL_CLAIM
-                    )
-                )
                 self.claims_identity = claims_identity
             return True
         except Exception as error:
 
@@ -11,8 +11,38 @@ class ConfigurationServiceClientCredentialFactory(
     PasswordServiceClientCredentialFactory
 ):
     def __init__(self, configuration: Any, *, logger: Logger = None) -> None:
-        super().__init__(
-            app_id=getattr(configuration, "APP_ID", None),
-            password=getattr(configuration, "APP_PASSWORD", None),
-            logger=logger,
+        app_type = (
+            configuration.APP_TYPE
+            if hasattr(configuration, "APP_TYPE")
+            else "MultiTenant"
         )
+        app_id = configuration.APP_ID if hasattr(configuration, "APP_ID") else None
+        app_password = (
+            configuration.APP_PASSWORD
+            if hasattr(configuration, "APP_PASSWORD")
+            else None
+        )
+        app_tenantid = None
+
+        if app_type == "UserAssignedMsi":
+            raise Exception("UserAssignedMsi APP_TYPE is not supported")
+
+        if app_type == "SingleTenant":
+            app_tenantid = (
+                configuration.APP_TENANTID
+                if hasattr(configuration, "APP_TENANTID")
+                else None
+            )
+
+            if not app_id:
+                raise Exception("Property 'APP_ID' is expected in configuration object")
+            if not app_password:
+                raise Exception(
+                    "Property 'APP_PASSWORD' is expected in configuration object"
+                )
+            if not app_tenantid:
+                raise Exception(
+                    "Property 'APP_TENANTID' is expected in configuration object"
+                )
+
+        super().__init__(app_id, app_password, app_tenantid, logger=logger)
@@ -48,10 +48,6 @@ async def post_activity(
         conversation_id: str,
         activity: Activity,
     ) -> InvokeResponse:
-        if not from_bot_id:
-            raise TypeError("from_bot_id")
-        if not to_bot_id:
-            raise TypeError("to_bot_id")
         if not to_url:
             raise TypeError("to_url")
         if not service_url:
@@ -100,6 +96,7 @@ async def post_activity(
 
         headers_dict = {
             "Content-type": "application/json; charset=utf-8",
+            "x-ms-conversation-id": conversation_id,
         }
         if token:
             headers_dict.update(
 
@@ -166,7 +166,7 @@ async def create_user_token_client(
 
         credentials = await self._credentials_factory.create_credentials(
             app_id,
-            audience=self._to_channel_from_bot_oauth_scope,
+            oauth_scope=self._to_channel_from_bot_oauth_scope,
             login_endpoint=self._login_endpoint,
             validate_authority=True,
         )
 
@@ -24,7 +24,7 @@ def __init__(
     ):
         super(_GovernmentCloudBotFrameworkAuthentication, self).__init__(
             GovernmentConstants.TO_CHANNEL_FROM_BOT_OAUTH_SCOPE,
-            GovernmentConstants.TO_CHANNEL_FROM_BOT_LOGIN_URL,
+            GovernmentConstants.TO_CHANNEL_FROM_BOT_LOGIN_URL_PREFIX,
             CallerIdConstants.us_gov_channel,
             GovernmentConstants.CHANNEL_SERVICE,
             GovernmentConstants.OAUTH_URL_GOV,
Original file line number	Diff line number	Diff line change
`@@ -188,12 +188,6 @@ async def _http_authenticate_request(self, request: Request) -> bool:`
`188`	`188`	`)`
`189`	`189`	`)`
`190`	`190`
`191`		`- # Add ServiceURL to the cache of trusted sites in order to allow token refreshing.`
`192`		`- self._credentials.trust_service_url(`
`193`		`- claims_identity.claims.get(`
`194`		`- AuthenticationConstants.SERVICE_URL_CLAIM`
`195`		`- )`
`196`		`- )`
`197`	`191`	`self.claims_identity = claims_identity`
`198`	`192`	`return True`
`199`	`193`	`except Exception as error:`
Original file line number	Diff line number	Diff line change
`@@ -166,7 +166,7 @@ async def create_user_token_client(`
`166`	`166`
`167`	`167`	`credentials = await self._credentials_factory.create_credentials(`
`168`	`168`	`app_id,`
`169`		`- audience=self._to_channel_from_bot_oauth_scope,`
	`169`	`+ oauth_scope=self._to_channel_from_bot_oauth_scope,`
`170`	`170`	`login_endpoint=self._login_endpoint,`
`171`	`171`	`validate_authority=True,`
`172`	`172`	`)`