Throw UnauthorizedAccessException if IsSkillClaim and ClaimsValidator is null. (#4570) (#4579)

EricDahlvang · web-flow · commit 29bb50c6fe4a · 2020-09-03T12:31:09.000-07:00
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenValidation.cs
@@ -183,7 +183,7 @@ public static string GetAppIdFromClaims(IEnumerable<Claim> claims)
         /// <param name="authConfig">An <see cref="AuthenticationConfiguration"/> instance.</param>
         /// <param name="claims">The list of claims to validate.</param>
         /// <returns>A <see cref="Task"/> representing the asynchronous operation.</returns>
-        /// <exception cref="UnauthorizedAccessException">If the validation returns false.</exception>
+        /// <exception cref="UnauthorizedAccessException">If the validation returns false, or ClaimsValidator is null and this is a skill claim.</exception>
         internal static async Task ValidateClaimsAsync(AuthenticationConfiguration authConfig, IEnumerable<Claim> claims)
         {
             if (authConfig.ClaimsValidator != null)
@@ -192,6 +192,10 @@ internal static async Task ValidateClaimsAsync(AuthenticationConfiguration authC
                 var claimsList = claims as IList<Claim> ?? claims.ToList();
                 await authConfig.ClaimsValidator.ValidateClaimsAsync(claimsList).ConfigureAwait(false);
             }
+            else if (SkillValidation.IsSkillClaim(claims))
+            {
+                throw new UnauthorizedAccessException("ClaimsValidator is required for validation of Skill Host calls.");
+            }
         }
 
         /// <summary>

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ public static string GetAppIdFromClaims(IEnumerable<Claim> claims)`
`183`	`183`	`/// <param name="authConfig">An <see cref="AuthenticationConfiguration"/> instance.</param>`
`184`	`184`	`/// <param name="claims">The list of claims to validate.</param>`
`185`	`185`	`/// <returns>A <see cref="Task"/> representing the asynchronous operation.</returns>`
`186`		`- /// <exception cref="UnauthorizedAccessException">If the validation returns false.</exception>`
	`186`	`+ /// <exception cref="UnauthorizedAccessException">If the validation returns false, or ClaimsValidator is null and this is a skill claim.</exception>`
`187`	`187`	`internal static async Task ValidateClaimsAsync(AuthenticationConfiguration authConfig, IEnumerable<Claim> claims)`
`188`	`188`	`{`
`189`	`189`	`if (authConfig.ClaimsValidator != null)`
`@@ -192,6 +192,10 @@ internal static async Task ValidateClaimsAsync(AuthenticationConfiguration authC`
`192`	`192`	`var claimsList = claims as IList<Claim> ?? claims.ToList();`
`193`	`193`	`await authConfig.ClaimsValidator.ValidateClaimsAsync(claimsList).ConfigureAwait(false);`
`194`	`194`	`}`
	`195`	`+ else if (SkillValidation.IsSkillClaim(claims))`
	`196`	`+ {`
	`197`	`+ throw new UnauthorizedAccessException("ClaimsValidator is required for validation of Skill Host calls.");`
	`198`	`+ }`
`195`	`199`	`}`
`196`	`200`
`197`	`201`	`/// <summary>`