gabrield
Aug 05, 2021

Bot authentication fails due to "Signing Key could not be retrieved at JwtTokenExtractor" error

Does anyone have any suggestions on how to resolve the below issue?

TLDR

It seems like Microsoft Teams is sending my bot a key ID (ZyGh1GbBL8xd1kOxRYchc1VPSQQ) that is missing from Microsoft's list of well-known Open ID keys (https://login.botframework.com/v1/.well-known/keys). This means my bot is unable to authenticate messages that Microsoft Teams sends it.

Details

Today a couple of our development and staging apps started getting this error:

    JwtTokenExtractor.getIdentity:err! AuthenticationError: Signing Key could not be retrieved
        at JwtTokenExtractor.<anonymous> (/home/gabrielx/projects/oss/oss_ms_teams/node_modules/botframework-connector/lib/auth/jwtTokenExtractor.js:174:15)
        at Generator.next (<anonymous>)
        at fulfilled (/home/gabrielx/projects/oss/oss_ms_teams/node_modules/botframework-connector/src/auth/jwtTokenExtractor.ts:11:1)
        at processTicksAndRejections (internal/process/task_queues.js:97:5) {
      statusCode: 401
    }

This is an expired, decoded JWT from the authorization header from a bot message that Teams sent to my development environment:

    {
      header: {
        alg: 'RS256',
        kid: 'ZyGh1GbBL8xd1kOxRYchc1VPSQQ',
        typ: 'JWT',
        x5t: 'ZyGh1GbBL8xd1kOxRYchc1VPSQQ'
      },
      payload: {
        serviceurl: 'https://smba.trafficmanager.net/amer/',
        nbf: 1628117449,
        exp: 1628121049,
        iss: 'https://api.botframework.com',
        aud: '43f91f57-0c80-40a1-bdbb-79c2f2100ef3'
      },
      signature: 'yEg_trg3mNyA2noHZd20BAjjonR_YxU9hpTodceVQU1yYJmQR89mhJFNiA0QUZJXE95rsw-mGBVHkCQ5A6NUUgxYOs1Dr-9liSox8lm3xSykOIwnU6xLhoF54U6usRjq82es3hEvZbBZ160HVr3LAMagtBcfdS-SSY2SWDWL_FUpAGq835r-IIrSDzV8T5GVIWDFzNSPdqYGT_7iA2QOQDBnouh53V57TGPIBzvylmRyquLe3f_b4MBi4TdpLPXvmlQQejaW10WY2BolHewYVltrIw8q62av997wb4KOa7yh_ZgdaL-CfZAh3DSblzALwR6njPAIJhBttMqMOuBmSg'
    }

When I check https://login.botframework.com/v1/.well-known/keys, I do not find the key ID ZyGh1GbBL8xd1kOxRYchc1VPSQQ that was in the above authorization header.

This happens whenever I send my bot a message via Teams. For example, if I type "help" when I am in a personal chat with the bot in https://teams.microsoft.com/

I have restarted my server many times to reset the in-process cache that Microsoft's openIdMetadata.js class maintains.

Versions
botbuilder 4.14.1
Node.js 12
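
Added example, not part of the original post and not botframework-connector code: a sketch of how a token validator can tell "my cached key set is stale" apart from "the issuer has not published this kid", which is the situation described above. The function names, the five-minute cooldown, the RS256-only check and the sample token and key set are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not a botframework-connector API.

// Read the JOSE header of a JWT WITHOUT verifying it. Use it only for key
// selection and diagnosis; never trust claims from an unverified token.
function decodeJwtHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

const MIN_REFRESH_MS = 5 * 60 * 1000; // assumed cooldown between key-set fetches

// cache = { keys: [JWK objects from the keys endpoint], fetchedAtMs: number }
// Returns what the validator should do with this token right now.
function decideOnKid(token, cache, nowMs) {
  const { kid, alg } = decodeJwtHeader(token);
  if (alg !== 'RS256' || typeof kid !== 'string') {
    return { action: 'reject', reason: 'unexpected alg or missing kid' };
  }
  const key = cache.keys.find((k) => k.kid === kid);
  if (key) return { action: 'verify', key };
  // Unknown kid: the issuer may have rotated keys since the last fetch.
  if (nowMs - cache.fetchedAtMs >= MIN_REFRESH_MS) {
    return { action: 'refresh-then-retry', kid };
  }
  // Cache is fresh and the kid is still absent: fail closed (401) and log both sides.
  return { action: 'reject', kid,
           reason: `kid ${kid} not in published key set`,
           publishedKids: cache.keys.map((k) => k.kid) };
}

// Constructed sample data (not real keys or tokens).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [b64url({ alg: 'RS256', kid: 'kid-new', typ: 'JWT' }),
                     b64url({ iss: 'https://issuer.example' }), 'sig'].join('.');
const sampleCache = { keys: [{ kid: 'kid-old', kty: 'RSA' }], fetchedAtMs: 0 };
```

Logging `kid` next to `publishedKids` on the reject path gives the evidence needed for a support request when the key is missing on the issuer's side.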

 

  • gabrield

    This seems like an issue with the cache. You can reopen this question if you face the same issue in future.

  • gabrield
    When I came into work this morning, the problem had disappeared from all the apps that were experiencing it yesterday. I checked Microsoft's well-known keys endpoint, and the key ID that was missing yesterday is present today. So this problem is resolved.

    But I would still like to know where to submit a support contact if I find myself in a similar situation in the future. I am also interested to know if there was anything that I could have done myself to fix the situation that we were in for hours yesterday.