articles/rest-api/bot-framework-rest-connector-authentication.md
5 additions & 5 deletions
@@ -187,10 +187,7 @@ GET https://login.botframework.com/v1/.well-known/keys
187
187
188
188
The response body specifies the document in the [JWK format](https://tools.ietf.org/html/rfc7517) but also includes an additional property for each key: `endorsements`. The list of keys is relatively stable and may be cached for long periods of time (by default, 5 days within the Bot Framework SDK).
189
189
190
-
The `endorsements` property within each key contains one or more endorsement strings which you can use to verify that the channel ID specified in the `channelId` property within the [Activity][Activity] object of the incoming request is authentic. The list of channel IDs that require endorsements is configurable within each bot. By default, it will be the list of all published channel IDs, although bot developers may override selected channel ID values either way. If endorsement for a channel ID is required:
191
-
192
-
- You should require that any [Activity][Activity] object sent to your bot with that channel ID is accompanied by a JWT token that is signed with an endorsement for that channel.
193
-
- If the endorsement is not present, your bot should reject the request by returning an **HTTP 403 (Forbidden)** status code.
190
+
The `endorsements` property within each key contains one or more endorsement strings which you can use to verify that the channel ID specified in the `channelId` property within the [Activity][Activity] object of the incoming request is authentic. The list of channel IDs that require endorsements is configurable within each bot. By default, it will be the list of all published channel IDs, although bot developers may override selected channel ID values either way.
194
191
195
192
### Step 4: Verify the JWT token
196
193
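Review bot: Moving the "If endorsement for a channel ID is required" bullets out of this section leaves the Step 3 paragraph on `endorsements` (new line 190) describing the property without saying where the check is enforced; consider ending that paragraph with a pointer such as "Endorsement checks are performed as part of token verification in Step 4" so a reader following Step 3 knows the requirement has not been dropped. The paragraph is otherwise identical to the removed one, so the move does not change the documented behaviour.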
@@ -207,7 +204,10 @@ When parsing the token, you must configure the parsing library or write your own
207
204
6. The token has a valid cryptographic signature, with a key listed in the OpenID keys document that was retrieved in [Step 3](#connector-to-bot-step-3), using the signing algorithm that is specified in the `id_token_signing_alg_values_supported` property of the Open ID Metadata document that was retrieved in [Step 2](#openid-metadata-document).
208
205
7. The token contains a "serviceUrl" claim with value that matches the `servieUrl` property at the root of the [Activity][Activity] object of the incoming request.
209
206
210
-
If the token does not meet all of these requirements, your bot should reject the request by returning an **HTTP 403 (Forbidden)** status code.
207
+
If endorsement for a channel ID is required:
208
+
209
+
- You should require that any [Activity][Activity] object sent to your bot with that channel ID is accompanied by a JWT token that is signed with an endorsement for that channel.
210
+
- If the endorsement is not present, your bot should reject the request by returning an **HTTP 403 (Forbidden)** status code.
211
211
212
212
> [!IMPORTANT]
213
213
> All of these requirements are important, particularly requirements 4 and 6.
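Review bot: The relocated endorsement bullets (new lines 207-210) sit after the sentence "If the token does not meet all of these requirements ... HTTP 403", so the endorsement check is not one of the numbered requirements and is not covered by that rejection rule or by the `[!IMPORTANT]` note that refers to "requirements 4 and 6"; consider adding it as requirement 8 in the numbered list ("8. If endorsement for the channel ID is required, the token is signed with an endorsement for that channel") so a single rejection statement covers all checks. While in this region, the unchanged context at line 205 reads `servieUrl` where the Activity property is `serviceUrl`; worth fixing in the same change since the token claim it is compared against is spelled correctly in the same sentence.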