Doing JWT by hand for Microsoft Teams Bot / understanding how to use Elixir JWT libraries for this scenario

CharlesO · August 16, 2022, 4:45pm

Hi.

I’m trying to handle Microsoft Teams Bot Authentication by hand, as it seems less confusing than trying to adapt an existing `JWT library, (it’s also a good way to understand JWTs in general).

I use the Microsoft Bot Emulator - and so far so good until I had to create/ validate JWTs.

The main issue is, that I don’t know how to derive a secret that is used to do the HMAC signature.

This is an actual Authorization header:

authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.eyJhdWQiOiI2YjMyNmY1Mi1lY2NhLTQ4OTQtYWJmYi00ZWFhYmMxYTM0ZTUiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZDZkNDk0MjAtZjM5Yi00ZGY3LWExZGMtZDU5YTkzNTg3MWRiL3YyLjAiLCJpYXQiOjE2NjAwMTQzMTUsIm5iZiI6MTY2MDAxNDMxNSwiZXhwIjoxNjYwMTAxMDE1LCJhaW8iOiJFMlpnWUlpeDJSRXFWL3VLL3o5WEJOc3k0MmVtQUE9PSIsImF6cCI6IjZiMzI2ZjUyLWVjY2EtNDg5NC1hYmZiLTRlYWFiYzFhMzRlNSIsImF6cGFjciI6IjEiLCJyaCI6IjAuQVc0QUlKVFUxcHZ6OTAyaDNOV2FrMWh4MjFKdk1tdks3SlJJcV90T3Fyd2FOT1Z1QUFBLiIsInRpZCI6ImQ2ZDQ5NDIwLWYzOWItNGRmNy1hMWRjLWQ1OWE5MzU4NzFkYiIsInV0aSI6IjVJdDNJMFFZVVVXVVVRN2hqZnVTQUEiLCJ2ZXIiOiIyLjAifQ.u-AQYlMlIIZaOe-e-jLlyo94NIH0UITHZELl7F0MRG1WAFO6SKabMrdY0jh82ZsdwS1hDhT8nwOyRKLu4FKjmNwndZFM-AoKbTU48aevSO4Xl3ktKHs7TDGNy7qDr1cAQl0IiBivkIbq6_KZTF5Qhs4Q_RIQdRJdqYDCp691aH3i4rxy-xU_EpRJlhElxG8oyplACitoyM8EZITmr0Zr2v3R0EffypV1PeGTwmotB0kYclzkr14szMh5cAmwsuxxQT4g18_340VAg_P68Fne-_XfXE9SyDgR_s5AqZWewm0Ef54usoMVjQI44JWi2r98IlHeajp_Lf4dUWGN9PLzSw

This is the relevant key for that header, taken from here:

https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/discovery/v2.0/keys

    {
      "kty": "RSA",
      "use": "sig",
      "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
      "x5t": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
      "n": "wEMMJtj9yMQd8QS6Vnm538K5GN1Pr_I31_LUl9-OCYu-9_DrDvPGjViQK9kOiCjBfyqoAL-pBecn9-XXaS-C4xZTn1ZRw--GELabuo0u-U6r3TKj42xFDEP-_R5RpOGshoC95lrKiU5teuhn4fBM3XfR2GB0dVMcpzN3h4-0OMvBK__Zr9tkQCU_KzXTbNCjyA7ybtbr83NF9k3KjpTyOyY2S-qvFbY-AoqMhL9Rp8r2HBj_vrsr6RX6GeiSxxjbEzDFA2VIcSKbSHvbNBEeW2KjLXkz6QG2LjKz5XsYLp6kv_-k9lPQBy_V7Ci4ZkhAN-6j1S1Kcq58aLbp0wDNKQ",
      "e": "AQAB",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIQH4FlYNA+UJlF0G3vy9ZrhTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMDUyMjIwMDI0OVoXDTI3MDUyMjIwMDI0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBDDCbY/cjEHfEEulZ5ud/CuRjdT6/yN9fy1JffjgmLvvfw6w7zxo1YkCvZDogowX8qqAC/qQXnJ/fl12kvguMWU59WUcPvhhC2m7qNLvlOq90yo+NsRQxD/v0eUaThrIaAveZayolObXroZ+HwTN130dhgdHVTHKczd4ePtDjLwSv/2a/bZEAlPys102zQo8gO8m7W6/NzRfZNyo6U8jsmNkvqrxW2PgKKjIS/UafK9hwY/767K+kV+hnokscY2xMwxQNlSHEim0h72zQRHltioy15M+kBti4ys+V7GC6epL//pPZT0Acv1ewouGZIQDfuo9UtSnKufGi26dMAzSkCAwEAAaMhMB8wHQYDVR0OBBYEFLFr+sjUQ+IdzGh3eaDkzue2qkTZMA0GCSqGSIb3DQEBCwUAA4IBAQCiVN2A6ErzBinGYafC7vFv5u1QD6nbvY32A8KycJwKWy1sa83CbLFbFi92SGkKyPZqMzVyQcF5aaRZpkPGqjhzM+iEfsR2RIf+/noZBlR/esINfBhk4oBruj7SY+kPjYzV03NeY0cfO4JEf6kXpCqRCgp9VDRM44GD8mUV/ooN+XZVFIWs5Gai8FGZX9H8ZSgkIKbxMbVOhisMqNhhp5U3fT7VPsl94rilJ8gKXP/KBbpldrfmOAdVDgUC+MHw3sSXSt+VnorB4DU4mUQLcMriQmbXdQc8d1HUZYZEkcKaSgbygHLtByOJF44XUsBotsTfZ4i/zVjnYcjgUQmwmAWD"
      ],
      "issuer": "https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/v2.0"
    }

I don’t know how to get a usable secret to perform the signature part of the JWT process, or how to apply it to any of the Elixir JWT libraries.

Any direction is much appreciated. Thanks!

thomas.fortes · August 16, 2022, 6:15pm

It isn’t using HMAC, it is using RSA, to verify it using Joken you can do something like:

bearer = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.eyJhdWQiOiI2YjMyNmY1Mi1lY2NhLTQ4OTQtYWJmYi00ZWFhYmMxYTM0ZTUiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZDZkNDk0MjAtZjM5Yi00ZGY3LWExZGMtZDU5YTkzNTg3MWRiL3YyLjAiLCJpYXQiOjE2NjAwMTQzMTUsIm5iZiI6MTY2MDAxNDMxNSwiZXhwIjoxNjYwMTAxMDE1LCJhaW8iOiJFMlpnWUlpeDJSRXFWL3VLL3o5WEJOc3k0MmVtQUE9PSIsImF6cCI6IjZiMzI2ZjUyLWVjY2EtNDg5NC1hYmZiLTRlYWFiYzFhMzRlNSIsImF6cGFjciI6IjEiLCJyaCI6IjAuQVc0QUlKVFUxcHZ6OTAyaDNOV2FrMWh4MjFKdk1tdks3SlJJcV90T3Fyd2FOT1Z1QUFBLiIsInRpZCI6ImQ2ZDQ5NDIwLWYzOWItNGRmNy1hMWRjLWQ1OWE5MzU4NzFkYiIsInV0aSI6IjVJdDNJMFFZVVVXVVVRN2hqZnVTQUEiLCJ2ZXIiOiIyLjAifQ.u-AQYlMlIIZaOe-e-jLlyo94NIH0UITHZELl7F0MRG1WAFO6SKabMrdY0jh82ZsdwS1hDhT8nwOyRKLu4FKjmNwndZFM-AoKbTU48aevSO4Xl3ktKHs7TDGNy7qDr1cAQl0IiBivkIbq6_KZTF5Qhs4Q_RIQdRJdqYDCp691aH3i4rxy-xU_EpRJlhElxG8oyplACitoyM8EZITmr0Zr2v3R0EffypV1PeGTwmotB0kYclzkr14szMh5cAmwsuxxQT4g18_340VAg_P68Fne-_XfXE9SyDgR_s5AqZWewm0Ef54usoMVjQI44JWi2r98IlHeajp_Lf4dUWGN9PLzSw"

signer_json = ~s(
{
    "kty": "RSA",
    "use": "sig",
    "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
    "x5t": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
    "n": "wEMMJtj9yMQd8QS6Vnm538K5GN1Pr_I31_LUl9-OCYu-9_DrDvPGjViQK9kOiCjBfyqoAL-pBecn9-XXaS-C4xZTn1ZRw--GELabuo0u-U6r3TKj42xFDEP-_R5RpOGshoC95lrKiU5teuhn4fBM3XfR2GB0dVMcpzN3h4-0OMvBK__Zr9tkQCU_KzXTbNCjyA7ybtbr83NF9k3KjpTyOyY2S-qvFbY-AoqMhL9Rp8r2HBj_vrsr6RX6GeiSxxjbEzDFA2VIcSKbSHvbNBEeW2KjLXkz6QG2LjKz5XsYLp6kv_-k9lPQBy_V7Ci4ZkhAN-6j1S1Kcq58aLbp0wDNKQ",
    "e": "AQAB",
    "x5c": [
        "MIIDBTCCAe2gAwIBAgIQH4FlYNA+UJlF0G3vy9ZrhTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMDUyMjIwMDI0OVoXDTI3MDUyMjIwMDI0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBDDCbY/cjEHfEEulZ5ud/CuRjdT6/yN9fy1JffjgmLvvfw6w7zxo1YkCvZDogowX8qqAC/qQXnJ/fl12kvguMWU59WUcPvhhC2m7qNLvlOq90yo+NsRQxD/v0eUaThrIaAveZayolObXroZ+HwTN130dhgdHVTHKczd4ePtDjLwSv/2a/bZEAlPys102zQo8gO8m7W6/NzRfZNyo6U8jsmNkvqrxW2PgKKjIS/UafK9hwY/767K+kV+hnokscY2xMwxQNlSHEim0h72zQRHltioy15M+kBti4ys+V7GC6epL//pPZT0Acv1ewouGZIQDfuo9UtSnKufGi26dMAzSkCAwEAAaMhMB8wHQYDVR0OBBYEFLFr+sjUQ+IdzGh3eaDkzue2qkTZMA0GCSqGSIb3DQEBCwUAA4IBAQCiVN2A6ErzBinGYafC7vFv5u1QD6nbvY32A8KycJwKWy1sa83CbLFbFi92SGkKyPZqMzVyQcF5aaRZpkPGqjhzM+iEfsR2RIf+/noZBlR/esINfBhk4oBruj7SY+kPjYzV03NeY0cfO4JEf6kXpCqRCgp9VDRM44GD8mUV/ooN+XZVFIWs5Gai8FGZX9H8ZSgkIKbxMbVOhisMqNhhp5U3fT7VPsl94rilJ8gKXP/KBbpldrfmOAdVDgUC+MHw3sSXSt+VnorB4DU4mUQLcMriQmbXdQc8d1HUZYZEkcKaSgbygHLtByOJF44XUsBotsTfZ4i/zVjnYcjgUQmwmAWD"
    ],
    "issuer": "https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/v2.0"
}
) 

signer_key = signer_json |> Jason.decode!()
signer = Joken.Signer.create("RS256", signer_key)

# {:ok, payload} for success, {:error, :signature_error} for failure
token = Joken.verify(bearer, signer)

CharlesO · August 16, 2022, 8:28pm

Thanks so much for this.

The verify part works okay.

[aa, bb, _] = String.split(bearer , ".")

   a = Base.decode64!(aa, padding: false) |> Jason.decode!(keys: :atoms)
   b = Base.decode64!(bb, padding: false) |> Jason.decode!(keys: :atoms)

# %{alg: "RS256", kid: "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI", typ: "JWT"}

# %{
#   aio: "E2ZgYIix2REqV/uK/z9XBNsy42emAA==",
#   aud: "6b326f52-ecca-4894-abfb-4eaabc1a34e5",
#   azp: "6b326f52-ecca-4894-abfb-4eaabc1a34e5",
#   azpacr: "1",
#   exp: 1_660_101_015,
#   iat: 1_660_014_315,
#   iss: "https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/v2.0",
#   nbf: 1_660_014_315,
#   rh: "0.AW4AIJTU1pvz902h3NWak1hx21JvMmvK7JRIq_tOqrwaNOVuAAA.",
#   tid: "d6d49420-f39b-4df7-a1dc-d59a935871db",
#   uti: "5It3I0QYUUWUUQ7hjfuSAA",
#   ver: "2.0"
# }

s = %{
  "e" => "AQAB",
  "issuer" => "https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/v2.0",
  "kid" => "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
  "kty" => "RSA",
  "n" => "wEMMJtj9yMQd8QS6Vnm538K5GN1Pr_I31_LUl9-OCYu-9_DrDvPGjViQK9kOiCjBfyqoAL-pBecn9-XXaS-C4xZTn1ZRw--GELabuo0u-U6r3TKj42xFDEP-_R5RpOGshoC95lrKiU5teuhn4fBM3XfR2GB0dVMcpzN3h4-0OMvBK__Zr9tkQCU_KzXTbNCjyA7ybtbr83NF9k3KjpTyOyY2S-qvFbY-AoqMhL9Rp8r2HBj_vrsr6RX6GeiSxxjbEzDFA2VIcSKbSHvbNBEeW2KjLXkz6QG2LjKz5XsYLp6kv_-k9lPQBy_V7Ci4ZkhAN-6j1S1Kcq58aLbp0wDNKQ",
  "use" => "sig",
  "x5c" => ["MIIDBTCCAe2gAwIBAgIQH4FlYNA+UJlF0G3vy9ZrhTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMDUyMjIwMDI0OVoXDTI3MDUyMjIwMDI0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBDDCbY/cjEHfEEulZ5ud/CuRjdT6/yN9fy1JffjgmLvvfw6w7zxo1YkCvZDogowX8qqAC/qQXnJ/fl12kvguMWU59WUcPvhhC2m7qNLvlOq90yo+NsRQxD/v0eUaThrIaAveZayolObXroZ+HwTN130dhgdHVTHKczd4ePtDjLwSv/2a/bZEAlPys102zQo8gO8m7W6/NzRfZNyo6U8jsmNkvqrxW2PgKKjIS/UafK9hwY/767K+kV+hnokscY2xMwxQNlSHEim0h72zQRHltioy15M+kBti4ys+V7GC6epL//pPZT0Acv1ewouGZIQDfuo9UtSnKufGi26dMAzSkCAwEAAaMhMB8wHQYDVR0OBBYEFLFr+sjUQ+IdzGh3eaDkzue2qkTZMA0GCSqGSIb3DQEBCwUAA4IBAQCiVN2A6ErzBinGYafC7vFv5u1QD6nbvY32A8KycJwKWy1sa83CbLFbFi92SGkKyPZqMzVyQcF5aaRZpkPGqjhzM+iEfsR2RIf+/noZBlR/esINfBhk4oBruj7SY+kPjYzV03NeY0cfO4JEf6kXpCqRCgp9VDRM44GD8mUV/ooN+XZVFIWs5Gai8FGZX9H8ZSgkIKbxMbVOhisMqNhhp5U3fT7VPsl94rilJ8gKXP/KBbpldrfmOAdVDgUC+MHw3sSXSt+VnorB4DU4mUQLcMriQmbXdQc8d1HUZYZEkcKaSgbygHLtByOJF44XUsBotsTfZ4i/zVjnYcjgUQmwmAWD"],
  "x5t" => "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI"
}

signer = Joken.Signer.create("RS256", s)
log(signer)

%Joken.Signer{
  alg: "RS256",
  jwk: %JOSE.JWK{
    fields: %{
      "issuer" => "https://login.microsoftonline.com/d6d49420-f39b-4df7-a1dc-d59a935871db/v2.0",
      "kid" => "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
      "use" => "sig",
      "x5c" => ["MIIDBTCCAe2gAwIBAgIQH4FlYNA+UJlF0G3vy9ZrhTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMDUyMjIwMDI0OVoXDTI3MDUyMjIwMDI0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBDDCbY/cjEHfEEulZ5ud/CuRjdT6/yN9fy1JffjgmLvvfw6w7zxo1YkCvZDogowX8qqAC/qQXnJ/fl12kvguMWU59WUcPvhhC2m7qNLvlOq90yo+NsRQxD/v0eUaThrIaAveZayolObXroZ+HwTN130dhgdHVTHKczd4ePtDjLwSv/2a/bZEAlPys102zQo8gO8m7W6/NzRfZNyo6U8jsmNkvqrxW2PgKKjIS/UafK9hwY/767K+kV+hnokscY2xMwxQNlSHEim0h72zQRHltioy15M+kBti4ys+V7GC6epL//pPZT0Acv1ewouGZIQDfuo9UtSnKufGi26dMAzSkCAwEAAaMhMB8wHQYDVR0OBBYEFLFr+sjUQ+IdzGh3eaDkzue2qkTZMA0GCSqGSIb3DQEBCwUAA4IBAQCiVN2A6ErzBinGYafC7vFv5u1QD6nbvY32A8KycJwKWy1sa83CbLFbFi92SGkKyPZqMzVyQcF5aaRZpkPGqjhzM+iEfsR2RIf+/noZBlR/esINfBhk4oBruj7SY+kPjYzV03NeY0cfO4JEf6kXpCqRCgp9VDRM44GD8mUV/ooN+XZVFIWs5Gai8FGZX9H8ZSgkIKbxMbVOhisMqNhhp5U3fT7VPsl94rilJ8gKXP/KBbpldrfmOAdVDgUC+MHw3sSXSt+VnorB4DU4mUQLcMriQmbXdQc8d1HUZYZEkcKaSgbygHLtByOJF44XUsBotsTfZ4i/zVjnYcjgUQmwmAWD"],
      "x5t" => "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI"
    },
    keys: :undefined,
    kty: {:jose_jwk_kty_rsa, {:RSAPublicKey, 24270816892089731719543783751432048815491545991257707613897766129285086092017663113913065374578252866292844529129303576012291981496377741717415683430954480719297040237552883183880720525825059504957853986049056158452751101633284726834183143745634822061761330491404604872173147765504606958311929588316683430193995492355659914947719650469297035699306817588668110003001642212415645738806065451691699269723426112951520848277600352153453283413356059207174622264137605364529710378358949775695884543447084486374661976470988089538432223651073995367128692155111525981268505073899618934526964112047508332751054877035214512639273, 65537}}
  },
  jws: %JOSE.JWS{alg: {:jose_jws_alg_rsa_pkcs1_v1_5, :RS256}, b64: :undefined, fields: %{"typ" => "JWT"}}
}

I’m however stuck here - I am unable to sign the same payload above using the same signer

Joken.Signer.sign(b, signer)

** (FunctionClauseError) no function clause matching in :jose_jwk_kty_rsa.sign/3

    The following arguments were given to :jose_jwk_kty_rsa.sign/3:

        # 1
        "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhaW8iOiJFMlpnWUlpeDJSRXFWL3VLL3o5WEJOc3k0MmVtQUE9PSIsImF1ZCI6IjZiMzI2ZjUyLWVjY2EtNDg5NC1hYmZiLTRlYWFiYzFhMzRlNSIsImF6cCI6IjZiMzI2ZjUyLWVjY2EtNDg5NC1hYmZiLTRlYWFiYzFhMzRlNSIsImF6cGFjciI6IjEiLCJleHAiOjE2NjAxMDEwMTUsImlhdCI6MTY2MDAxNDMxNSwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2Q2ZDQ5NDIwLWYzOWItNGRmNy1hMWRjLWQ1OWE5MzU4NzFkYi92Mi4wIiwibmJmIjoxNjYwMDE0MzE1LCJyaCI6IjAuQVc0QUlKVFUxcHZ6OTAyaDNOV2FrMWh4MjFKdk1tdks3SlJJcV90T3Fyd2FOT1Z1QUFBLiIsInRpZCI6ImQ2ZDQ5NDIwLWYzOWItNGRmNy1hMWRjLWQ1OWE5MzU4NzFkYiIsInV0aSI6IjVJdDNJMFFZVVVXVVVRN2hqZnVTQUEiLCJ2ZXIiOiIyLjAifQ"

        # 2
        :RS256

        # 3
        {:RSAPublicKey, 24270816892089731719543783751432048815491545991257707613897766129285086092017663113913065374578252866292844529129303576012291981496377741717415683430954480719297040237552883183880720525825059504957853986049056158452751101633284726834183143745634822061761330491404604872173147765504606958311929588316683430193995492355659914947719650469297035699306817588668110003001642212415645738806065451691699269723426112951520848277600352153453283413356059207174622264137605364529710378358949775695884543447084486374661976470988089538432223651073995367128692155111525981268505073899618934526964112047508332751054877035214512639273, 65537}

    (jose 1.11.2) src/jwk/jose_jwk_kty_rsa.erl:202: :jose_jwk_kty_rsa.sign/3
    (jose 1.11.2) src/jws/jose_jws.erl:311: :jose_jws.sign/4
    (jose 1.11.2) src/jwt/jose_jwt.erl:173: :jose_jwt.sign/3
    (joken 2.5.0) lib/joken/signer.ex:128: Joken.Signer.sign/2

al2o3cr · August 16, 2022, 9:33pm

The key material supplied (in the "x5c" key of signer_json) only includes the public key; you can’t sign things with it, only verify that a request from Microsoft’s servers is genuine.

I don’t see any requirement to sign outgoing data in the linked documentation. Requests to Discord fetch an already-signed JWT from Azure AD and include it in Authorization headers, while requests from Discord include an already-signed JWT as well.

CharlesO · August 16, 2022, 11:09pm

Oh, I see, we just return this pre-signed header for live implementations.

Using the Microsoft Emulator BOT, we need to create a valid signed header, or else we are unable to exchange messages… unless I’m also getting that wrong too.

CharlesO · August 16, 2022, 11:11pm

Their documentation mentions this:

Step 3: Get the list of

valid signing keys

One would imagine these keys may be used to sign messages when going from BOT to Emulator.

thomas.fortes · August 17, 2022, 2:55am

Didn’t read the entire documentation, but it seems that in production you will fetch the JWT token from Azure AD and in the emulator the bot emulator will send the token in the Authorization header.

In neither of these cases you need to sign the token, you already get them pre-signed, the signing keys exists so you can verify that the JWT tokens came from where you expect them to, be it the Bot Connector or the Bot Emulator.

CharlesO · August 17, 2022, 5:05am

Bot Emulator Returns a 401 error when trying to reuse an Authentication token received from it.

That’s my point of confusion here.

thomas.fortes · August 17, 2022, 5:27am

I’m not familiar with the bot framework, but can you show some code of how you’re building the requests to the emulator?

CharlesO · August 17, 2022, 5:32am


"Bearer " <> a = :proplists.get_value("authorization", hdrs)
    x = File.read!("_teams/menu.json") |> Jason.decode!(keys: :atoms)
    d = DateTime.truncate(DateTime.utc_now(), :millisecond)
    x = %{x | timestamp: DateTime.to_iso8601(d), channelId: m.channelId, serviceUrl: m.serviceUrl, conversation: m.conversation, id: m.id, replyToId: m.id, from: m.recipient, recipient: m.from}
    s = Jason.encode!(x)
    r = Tesla.post(@cli, "#{m.serviceUrl}/v3/conversations/#{m.conversation.id}/activities/#{m.id}", s, headers: [{"content-type", "application/json"}, {"authorization", "Bearer #{a}"}])
    log(r)

thomas.fortes · August 17, 2022, 6:06am

From this library it seems that when using the emulator you just pass Authorization: Bearer as the header, without anything else, can you try that?

If it doesn’t work I would recommend studying the library and see what they do, sorry for not being able to help more

CharlesO · August 17, 2022, 7:13am

my code above does just that, but no luck

thomas.fortes · August 17, 2022, 7:15am

Your code above sends Bearer some_token_here, I was talking about just Bearer, no token at all

CharlesO · August 17, 2022, 7:29am

This works → ignore auth for the Emulator.