microsoft · johnataylor · Feb 3, 2021 · Feb 3, 2021 · Feb 3, 2021 · Feb 3, 2021
diff --git a/libraries/Microsoft.Bot.Builder/BotFrameworkAdapter.cs b/libraries/Microsoft.Bot.Builder/BotFrameworkAdapter.cs
@@ -354,19 +354,6 @@ public override async Task ContinueConversationAsync(ClaimsIdentity claimsIdenti
                 // Add audience to TurnContext.TurnState
                 context.TurnState.Add(OAuthScopeKey, audience);
 
-                // If we receive a valid app id in the incoming token claims, add the 
-                // channel service URL to the trusted services list so we can send messages back.
-                // the service URL for skills is trusted because it is applied by the SkillHandler based on the original request
-                // received by the root bot
-                var appIdFromClaims = JwtTokenValidation.GetAppIdFromClaims(claimsIdentity.Claims);
-                if (!string.IsNullOrEmpty(appIdFromClaims))
-                {
-                    if (SkillValidation.IsSkillClaim(claimsIdentity.Claims) || await CredentialProvider.IsValidAppIdAsync(appIdFromClaims).ConfigureAwait(false))
-                    {
-                        AppCredentials.TrustServiceUrl(reference.ServiceUrl);
-                    }
-                }
-
                 using (var connectorClient = await CreateConnectorClientAsync(reference.ServiceUrl, claimsIdentity, audience).ConfigureAwait(false))
                 {
                     // Make the connector client available in turn state

diff --git a/libraries/Microsoft.Bot.Connector/Authentication/AppCredentials.cs b/libraries/Microsoft.Bot.Connector/Authentication/AppCredentials.cs
@@ -146,6 +146,7 @@ public string ChannelAuthTenant
         /// </summary>
         /// <param name="serviceUrl">The service URL.</param>
         /// <remarks>If expiration time is not provided, the expiration time will DateTime.UtcNow.AddDays(1).</remarks>
+        [Obsolete("TrustServiceUrl is not a required part of the security model.")]
 #pragma warning disable CA1801 // Review unused parameters
         public static void TrustServiceUrl(string serviceUrl)
 #pragma warning restore CA1801 // Review unused parameters
@@ -157,6 +158,7 @@ public static void TrustServiceUrl(string serviceUrl)
         /// </summary>
         /// <param name="serviceUrl">The service URL.</param>
         /// <param name="expirationTime">The expiration time after which this service url is not trusted anymore.</param>
+        [Obsolete("TrustServiceUrl is not a required part of the security model.")]
 #pragma warning disable CA1801 // Review unused parameters
         public static void TrustServiceUrl(string serviceUrl, DateTime expirationTime)
 #pragma warning restore CA1801 // Review unused parameters
@@ -168,6 +170,7 @@ public static void TrustServiceUrl(string serviceUrl, DateTime expirationTime)
         /// </summary>
         /// <param name="serviceUrl">The service url.</param>
         /// <returns>True if the host of the service url is trusted; False otherwise.</returns>
+        [Obsolete("IsTrustedServiceUrl is not a required part of the security model.")]
 #pragma warning disable CA1801 // Review unused parameters
         public static bool IsTrustedServiceUrl(string serviceUrl)
 #pragma warning restore CA1801 // Review unused parameters

diff --git a/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/JwtTokenValidation.cs
@@ -83,7 +83,6 @@ public static async Task<ClaimsIdentity> AuthenticateRequest(IActivity activity,
 
             // Validate the header and extract claims.
             var claimsIdentity = await ValidateAuthHeader(authHeader, credentials, provider, activity.ChannelId, authConfig, activity.ServiceUrl, httpClient ?? _httpClient).ConfigureAwait(false);
-            AppCredentials.TrustServiceUrl(activity.ServiceUrl);
             return claimsIdentity;
         }
 

diff --git a/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs b/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
@@ -132,7 +132,6 @@ private async Task<ClaimsIdentity> JwtTokenValidation_AuthenticateRequestAsync(A
 
             // Validate the header and extract claims.
             var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, credentialFactory, activity.ChannelId, authConfiguration, activity.ServiceUrl, httpClient, cancellationToken).ConfigureAwait(false);
-            AppCredentials.TrustServiceUrl(activity.ServiceUrl);
             return claimsIdentity;
         }
 

diff --git a/libraries/Microsoft.Bot.Connector/ConversationsEx.cs b/libraries/Microsoft.Bot.Connector/ConversationsEx.cs
@@ -3,7 +3,6 @@
 
 using System.Threading;
 using System.Threading.Tasks;
-using Microsoft.Bot.Connector.Authentication;
 using Microsoft.Bot.Schema;
 using Microsoft.Rest;
 
@@ -39,13 +38,7 @@ public static ConversationResourceResponse CreateDirectConversation(this IConver
         public static async Task<ConversationResourceResponse> CreateDirectConversationAsync(this IConversations operations, ChannelAccount bot, ChannelAccount user, Activity activity = null, CancellationToken cancellationToken = default(CancellationToken))
         {
             var result = await operations.CreateConversationWithHttpMessagesAsync(GetDirectParameters(bot, user, activity), null, cancellationToken).ConfigureAwait(false);
-            var res = result.Body;
-            if (res.ServiceUrl != null)
-            {
-                MicrosoftAppCredentials.TrustServiceUrl(res.ServiceUrl);
-            }
-
-            return res;
+            return result.Body;
         }
 
         /// <summary>
@@ -73,13 +66,7 @@ public static ConversationResourceResponse CreateDirectConversation(this IConver
         public static async Task<ConversationResourceResponse> CreateDirectConversationAsync(this IConversations operations, string botAddress, string userAddress, Activity activity = null, CancellationToken cancellationToken = default(CancellationToken))
         {
             var result = await operations.CreateConversationWithHttpMessagesAsync(GetDirectParameters(botAddress, userAddress, activity), null, cancellationToken).ConfigureAwait(false);
-            var res = result.Body;
-            if (res.ServiceUrl != null)
-            {
-                MicrosoftAppCredentials.TrustServiceUrl(res.ServiceUrl);
-            }
-
-            return res;
+            return result.Body;
         }
 
         /// <summary>

diff --git a/...ries/integration/Microsoft.Bot.Builder.Integration.AspNet.Core/BotFrameworkHttpAdapter.cs b/...ries/integration/Microsoft.Bot.Builder.Integration.AspNet.Core/BotFrameworkHttpAdapter.cs
@@ -290,8 +290,6 @@ private async Task<ClaimsIdentity> AuthenticateRequestAsync(HttpRequest httpRequ
                         return null;
                     }
 
-                    // Add ServiceURL to the cache of trusted sites in order to allow token refreshing.
-                    AppCredentials.TrustServiceUrl(claimsIdentity.FindFirst(AuthenticationConstants.ServiceUrlClaim).Value);
                     ClaimsIdentity = claimsIdentity;
                     return claimsIdentity;
                 }

diff --git a/...es/integration/Microsoft.Bot.Builder.Integration.AspNet.WebApi/BotFrameworkHttpAdapter.cs b/...es/integration/Microsoft.Bot.Builder.Integration.AspNet.WebApi/BotFrameworkHttpAdapter.cs
@@ -201,8 +201,6 @@ private async Task<bool> AuthenticateRequestAsync(HttpRequestMessage httpRequest
                         return false;
                     }
 
-                    // Add ServiceURL to the cache of trusted sites in order to allow token refreshing.
-                    AppCredentials.TrustServiceUrl(claimsIdentity.FindFirst(AuthenticationConstants.ServiceUrlClaim).Value);
                     ClaimsIdentity = claimsIdentity;
                 }
 

diff --git a/tests/Microsoft.Bot.Connector.Tests/Authentication/JwtTokenValidationTests.cs b/tests/Microsoft.Bot.Connector.Tests/Authentication/JwtTokenValidationTests.cs
@@ -90,25 +90,6 @@ await Assert.ThrowsAsync<UnauthorizedAccessException>(
                 async () => await JwtTokenValidation.ValidateAuthHeader(header, credentials, new SimpleChannelProvider(), string.Empty, null, emptyClient));
         }
 
-        /// <summary>
-        /// Tests with a valid Token and service url; and ensures that Service url is added to Trusted service url list.
-        /// </summary>
-        [Fact]
-        public async void Channel_MsaHeader_Valid_ServiceUrlShouldBeTrusted()
-        {
-            string header = $"Bearer {await new MicrosoftAppCredentials("2cd87869-38a0-4182-9251-d056e8f0ac24", "2.30Vs3VQLKt974F").GetTokenAsync()}";
-            var credentials = new SimpleCredentialProvider("2cd87869-38a0-4182-9251-d056e8f0ac24", string.Empty);
-
-            await JwtTokenValidation.AuthenticateRequest(
-                new Activity { ServiceUrl = "https://smba.trafficmanager.net/amer-client-ss.msg/" },
-                header,
-                credentials,
-                new SimpleChannelProvider(),
-                emptyClient);
-
-            Assert.True(AppCredentials.IsTrustedServiceUrl("https://smba.trafficmanager.net/amer-client-ss.msg/"));
-        }
-
         /// <summary>
         /// Tests with no authentication header and makes sure the service URL is not added to the trusted list.
         /// </summary>