fix(msteams): accept Bot Framework audience in JWT validation (#58249)#62674
Conversation
Greptile SummaryThis PR replaces the Confidence Score: 5/5Safe to merge — all remaining findings are P2 style suggestions, no correctness or security issues. The implementation correctly enforces all JWT security invariants: signature via issuer-specific JWKS, audience allowlist, issuer allowlist, and clock-tolerant expiry. Only two minor P2 findings remain: an unused optional parameter in the return type signature, and a missing test for the STS Windows v1 issuer path. No files require special attention.
|
| return { | ||
| async validate(authHeader: string, serviceUrl?: string): Promise<boolean> { | ||
| async validate(authHeader: string): Promise<boolean> { |
There was a problem hiding this comment.
serviceUrl parameter in return type
The declared return type includes validate: (authHeader: string, serviceUrl?: string) => Promise<boolean>, but the implementation only accepts authHeader — the optional second argument is silently dropped. monitor.ts also calls validate(authHeader) without a service URL. Either remove the parameter from the return-type signature for a clean contract, or accept it as _serviceUrl to make the intentional omission explicit.
| return { | |
| async validate(authHeader: string, serviceUrl?: string): Promise<boolean> { | |
| async validate(authHeader: string): Promise<boolean> { | |
| async validate(authHeader: string, _serviceUrl?: string): Promise<boolean> { |
Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/msteams/src/sdk.ts
Line: 512-513
Comment:
**Unused `serviceUrl` parameter in return type**
The declared return type includes `validate: (authHeader: string, serviceUrl?: string) => Promise<boolean>`, but the implementation only accepts `authHeader` — the optional second argument is silently dropped. `monitor.ts` also calls `validate(authHeader)` without a service URL. Either remove the parameter from the return-type signature for a clean contract, or accept it as `_serviceUrl` to make the intentional omission explicit.
```suggestion
async validate(authHeader: string, _serviceUrl?: string): Promise<boolean> {
```
How can I resolve this? If you propose a fix, please make it concise.There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 831b89d645
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "jsonwebtoken": "^9.0.3", | ||
| "jwks-rsa": "^4.0.1" |
There was a problem hiding this comment.
Update lockfile alongside new msteams dependencies
Adding jsonwebtoken/jwks-rsa (and new dev typings) in extensions/msteams/package.json without updating pnpm-lock.yaml leaves the workspace lock out of sync; on any fresh checkout or CI lane that runs pnpm install --frozen-lockfile, install will fail because the extensions/msteams importer in the lockfile does not include these new specifiers yet.
Useful? React with 👍 / 👎.
#62674) * fix(msteams): use jsonwebtoken directly for JWT validation with correct audience (#58249) * chore(msteams): regenerate lockfile for jwt deps * fix(msteams): clean up unused serviceUrl parameter in JWT validator * test(msteams): cover STS issuer in JWT validation * fix(msteams): type jwt verify audiences and issuers --------- Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
…aw#58249) (openclaw#62674) * fix(msteams): use jsonwebtoken directly for JWT validation with correct audience (openclaw#58249) * chore(msteams): regenerate lockfile for jwt deps * fix(msteams): clean up unused serviceUrl parameter in JWT validator * test(msteams): cover STS issuer in JWT validation * fix(msteams): type jwt verify audiences and issuers --------- Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
…aw#58249) (openclaw#62674) * fix(msteams): use jsonwebtoken directly for JWT validation with correct audience (openclaw#58249) * chore(msteams): regenerate lockfile for jwt deps * fix(msteams): clean up unused serviceUrl parameter in JWT validator * test(msteams): cover STS issuer in JWT validation * fix(msteams): type jwt verify audiences and issuers --------- Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
…aw#58249) (openclaw#62674) * fix(msteams): use jsonwebtoken directly for JWT validation with correct audience (openclaw#58249) * chore(msteams): regenerate lockfile for jwt deps * fix(msteams): clean up unused serviceUrl parameter in JWT validator * test(msteams): cover STS issuer in JWT validation * fix(msteams): type jwt verify audiences and issuers --------- Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
Summary
@microsoft/teams.appsJwtValidatorwith directjsonwebtoken+jwks-rsafor webhook JWT validationhttps://api.botframework.comto the accepted audience list, matching the legacy@microsoft/agents-hostingbehaviorJwtValidatorhardcodes audience to[clientId, api://clientId]with no way to extend it, causing valid Bot Framework tokens to be rejectedWhat changed
sdk.ts:createBotFrameworkJwtValidatornow usesjsonwebtoken.verify()directly with audience[appId, api://appId, https://api.botframework.com]and issuer-specific JWKS endpoints (Bot Framework, Entra, STS Windows)sdk.test.ts: 8 new tests covering audience validation, issuer allowlist, signature failures, missing kid/issuer edge casespackage.json: Addedjsonwebtoken,jwks-rsa,@types/jsonwebtokenas explicit extension depsFixes #58249
Test plan
aud: "https://api.botframework.com"are now accepted🤖 Generated with Claude Code