JWT Token Validation Not Rejecting Malformed Requests with CloudAdapter

[yashgandhi-32]

Description: I am using CloudAdapter from the botbuilder package and the createBotFrameworkAuthenticationFromConfiguration method for authentication. However, when I send a request with a malfunctioned JWT token, the request is not rejected by the SDK. I need guidance on how to secure the server to reject any requests that do not originate from Azure Bot Service.

Here’s a snippet of the authentication setup:

createBotFrameworkAuthenticationFromConfiguration(
    null,
    new ConfigurationServiceClientCredentialFactory({
      MicrosoftAppId: configService.get<string>('MICROSOFT_APP_ID'),
      MicrosoftAppPassword: configService.get<string>('MICROSOFT_APP_PASSWORD'),
      MicrosoftAppTenantId: configService.get<string>('MICROSOFT_APP_TENANT_ID'),
      MicrosoftAppType: configService.get<string>('MICROSOFT_APP_TYPE'),
    }),
  ),

Question: How can I ensure that only valid requests from Azure Bot Service with proper JWT tokens are accepted, and any malformed requests are rejected? Is there additional validation or middleware I should implement?

[Meghana-MSFT]

@yashgandhi-32 - We will check this internally and get back to you.

[yashgandhi-32]

@Meghana-MSFT any update?

[Meghana-MSFT]

@yashgandhi-32 - We are checking this internally with engineering team. We will get back to you with an update.

[yashgandhi-32]

@Meghana-MSFT Its been a month .. could you tell me what's the update ?

[yashgandhi-32]

@Meghana-MSFT BUMP again any update on it ?

[Meghana-MSFT]

@yashgandhi-32 - Apologies for the delay, we are checking this internally. We will update you.