2

I am trying to verify Authorization token from Microsoft Bot Framework Channel Emulator according to the documentation.

I retrieve OpenId metadata document from https://api.aps.skype.com/v1/.well-known/openidconfiguration and download keys from https://api.aps.skype.com/v1/keys.

When I send a message from Emulator to my bot, I get a request to /api/messages with Authorization header which contains JWT token. The token header contains this information

{
  'alg': 'RS256',
  'kid': 'YbRAQRYcE_motWVJKHrwLBbd_9s',
  'x5t': 'YbRAQRYcE_motWVJKHrwLBbd_9s',
  'typ': 'JWT'
}

According to the kid value, I choose this JWK key

{
  "kty": "RSA",
  "use": "sig",
  "kid": "YbRAQRYcE_motWVJKHrwLBbd_9s",
  "x5t": "YbRAQRYcE_motWVJKHrwLBbd_9s",
  "n": "vbcFrj193Gm6zeo5e2_y54Jx49sIgScv-2JO-n6NxNqQaKVnMkHcz-S1j2FfpFngotwGMzZIKVCY1SK8SKZMFfRTU3wvToZITwf3W1Qq6n-h-abqpyJTaqIcfhA0d6kEAM5NsQAKhfvw7fre1QicmU9LWVWUYAayLmiRX6o3tktJq6H58pUzTtx_D0Dprnx6z5sW-uiMipLXbrgYmOez7htokJVgDg8w-yDFCxZNo7KVueUkLkxhNjYGkGfnt18s7ZW036WoTmdaQmW4CChf_o4TLE5VyGpYWm7I_-nV95BBvwlzokVVKzveKf3l5UU3c6PkGy-BB3E_ChqFm6sPWw",
  "e": "AQAB",
  "x5c": ["MIIC4jCCAcqgAwIBAgIQfQ29fkGSsb1J8n2KueDFtDANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE2MDQxNzAwMDAwMFoXDTE4MDQxNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL23Ba49fdxpus3qOXtv8ueCcePbCIEnL/tiTvp+jcTakGilZzJB3M/ktY9hX6RZ4KLcBjM2SClQmNUivEimTBX0U1N8L06GSE8H91tUKup/ofmm6qciU2qiHH4QNHepBADOTbEACoX78O363tUInJlPS1lVlGAGsi5okV+qN7ZLSauh+fKVM07cfw9A6a58es+bFvrojIqS1264GJjns+4baJCVYA4PMPsgxQsWTaOylbnlJC5MYTY2BpBn57dfLO2VtN+lqE5nWkJluAgoX/6OEyxOVchqWFpuyP/p1feQQb8Jc6JFVSs73in95eVFN3Oj5BsvgQdxPwoahZurD1sCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAe5RxtMLU2i4/vN1YacncR3GkOlbRv82rll9cd5mtVmokAw7kwbFBFNo2vIVkun+n+VdJf+QRzmHGm3ABtKwz3DPr78y0qdVFA3h9P60hd3wqu2k5/Q8s9j1Kq3u9TIEoHlGJqNzjqO7khX6VcJ6BRLzoefBYavqoDSgJ3mkkYCNqTV2ZxDNks3obPg4yUkh5flULH14TqlFIOhXbsd775aPuMT+/tyqcc6xohU5NyYA63KtWG1BLDuF4LEF84oNPcY9i0n6IphEGgz20H7YcLRNjU55pDbWGdjE4X8ANb23kAc75RZn9EY4qYCiqeIAg3qEVKLnLUx0fNKMHmuedjg=="],
  "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"
}

For token verification I use pyjwt. And here I don't know what key to use for token verification in jwt.decode() function.

jwt.decode(token, key=key_from_skype_com)

For both n and x5c fields I tried these options:

  • pass them as is out of desperation
  • base64url-decode them
  • base64url-decode them and load with load_der_public_key() function from cryptography package

Cryptography code

from cryptography.hazmat import backends
from cryptography.hazmat.primitives import serialization
serialization.load_der_public_key(decoded_key, backend=backends.default_backend())

It seems that n field of JWK is base64-urlsafe encoded and x5c is just base64 encoded. So I decoded them appropriately.

I am not a cryptography expert. I tried searching MS documentation which mostly contain examples on using their SDK for Node.js and C#. And I read RFC 7517 and RFC 7515 but found no specific information.

Community
  • 1
  • 1
skoval00
  • 629
  • 5
  • 7
  • I found a solution to my problem in [this pull-request](https://github.com/jpadilla/pyjwt/pull/202). I will edit question and add a proper answer later. – skoval00 Sep 23 '16 at 17:15

0 Answers0