Skip to content

Commit

Permalink
Fix for Skills endorsement check (#6846)
Browse files Browse the repository at this point in the history
Co-authored-by: Tracy Boehrer <[email protected]>
  • Loading branch information
tracyboehrer and Tracy Boehrer committed Sep 9, 2024
1 parent a810e73 commit 070b32e
Showing 1 changed file with 4 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ private async Task<ClaimsPrincipal> ValidateTokenAsync(string jwtToken, string c
var keyId = parsedToken.SigningKey.KeyId;
var endorsements = await _endorsementsData.GetConfigurationAsync().ConfigureAwait(false);

// Note: On the Emulator Code Path, the endorsements collection is empty so the validation code
// Note: On the Emulator/Skills Code Path, the endorsements collection is empty so the validation code
// below won't run. This is normal.
if (!string.IsNullOrEmpty(keyId) && endorsements.TryGetValue(keyId, out var endorsementsForKey))
{
Expand All @@ -287,10 +287,10 @@ private async Task<ClaimsPrincipal> ValidateTokenAsync(string jwtToken, string c
}
else
{
// If we are to skip endorsement check, we want to double check we are in the emulator by explictly checking the token
// If we are to skip endorsement check, we want to double check we are in the emulator/skill by explicitly checking the token
// Instead of assuming that the token is from the emulator based on the empty endorsements collection
var originalAuthHeader = "Bearer " + jwtToken; // We have to add the Bearer scheme back in for the Emulator check
if (!EmulatorValidation.IsTokenFromEmulator(originalAuthHeader))
var originalAuthHeader = "Bearer " + jwtToken; // We have to add the Bearer scheme back in for the Emulator/Skill check
if (!EmulatorValidation.IsTokenFromEmulator(originalAuthHeader) && !SkillValidation.IsSkillToken(originalAuthHeader))
{
throw new UnauthorizedAccessException("Could not validate endorsement key.");
}
Expand Down

0 comments on commit 070b32e

Please sign in to comment.