Add TeamsExtension sample

src/Microsoft.Agents.SDK.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 17
-VisualStudioVersion = 17.2.32505.173
+# Visual Studio Version 18
+VisualStudioVersion = 18.0.10523.222 main
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Libraries", "Libraries", "{4269F3C3-6B42-419B-B64A-3E6DC0F1574A}"
 EndProject
@@ -123,6 +123,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "EmptyAgent", "samples\Empty
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "FullAuthentication", "samples\FullAuthentication\FullAuthentication.csproj", "{A6785A2A-A4C2-8F38-E9BB-4C5FD229F1F9}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TeamsAgent", "samples\Teams\TeamsAgent\TeamsAgent.csproj", "{D6410977-B795-C315-CC94-C2482E84BB4A}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -305,6 +307,10 @@ Global
 		{A6785A2A-A4C2-8F38-E9BB-4C5FD229F1F9}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{A6785A2A-A4C2-8F38-E9BB-4C5FD229F1F9}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{A6785A2A-A4C2-8F38-E9BB-4C5FD229F1F9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{D6410977-B795-C315-CC94-C2482E84BB4A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D6410977-B795-C315-CC94-C2482E84BB4A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D6410977-B795-C315-CC94-C2482E84BB4A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D6410977-B795-C315-CC94-C2482E84BB4A}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -367,6 +373,7 @@ Global
 		{72503E70-31C3-82E3-1E1D-52A6B0C5A808} = {0F9D3F0D-C131-4D3B-A86F-59CC781E8A02}
 		{E951C602-E9ED-F77D-8FC9-5272DB90D1DD} = {674A812C-7287-4883-97F9-697D83750648}
 		{A6785A2A-A4C2-8F38-E9BB-4C5FD229F1F9} = {674A812C-7287-4883-97F9-697D83750648}
+		{D6410977-B795-C315-CC94-C2482E84BB4A} = {674A812C-7287-4883-97F9-697D83750648}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {F1E8E538-309A-46F8-9CE7-AEC6589FAE60}

src/samples/FullAuthentication/AspNetExtensions.cs

@@ -3,6 +3,7 @@
 
 using Microsoft.Agents.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -17,6 +18,7 @@
 using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
 using System.Net.Http;
+using System.Security.Claims;
 using System.Threading.Tasks;
 
 namespace FullAuthentication;
@@ -44,6 +46,9 @@ public static class AspNetExtensions
     ///     "ValidIssuers": [
     ///       "{default:Public-AzureBotService}"
     ///     ],
+    ///     "AllowedCallers": [
+    ///       "*"
+    ///     ],
     ///     "IsGov": {optional:false},
     ///     "AzureBotServiceOpenIdMetadataUrl": optional,
     ///     "OpenIdMetadataUrl": optional,
@@ -58,12 +63,14 @@ public static class AspNetExtensions
     /// `AzureBotServiceOpenIdMetadataUrl` can be omitted.  In which case default values in combination with `IsGov` is used.
     /// `OpenIdMetadataUrl` can be omitted.  In which case default values in combination with `IsGov` is used.
     /// `AzureBotServiceTokenHandling` defaults to true and should always be true until Azure Bot Service sends Entra ID token.
+    /// `AllowedCallers` is optional and defaults to "*".  Otherwise, a list of AppId's the Agent will accept requests from.
     /// </remarks>
-    public static void AddAgentAspNetAuthentication(this IServiceCollection services, IConfiguration configuration, string tokenValidationSectionName = "TokenValidation", ILogger logger = null)
+    public static void AddAgentAspNetAuthentication(this IServiceCollection services, IConfiguration configuration, string tokenValidationSectionName = "TokenValidation", ILogger logger = null!)
     {
         IConfigurationSection tokenValidationSection = configuration.GetSection(tokenValidationSectionName);
-        List<string> validTokenIssuers = tokenValidationSection.GetSection("ValidIssuers").Get<List<string>>();
-        List<string> audiences = tokenValidationSection.GetSection("Audiences").Get<List<string>>();
+        List<string> validTokenIssuers = tokenValidationSection.GetSection("ValidIssuers")!.Get<List<string>>()!;
+        List<string> allowedCallers = tokenValidationSection.GetSection("AllowedCallers")!.Get<List<string>>()!;
+        List<string> audiences = tokenValidationSection.GetSection("Audiences")!.Get<List<string>>()!;
 
         if (!tokenValidationSection.Exists())
         {
@@ -85,7 +92,7 @@ public static void AddAgentAspNetAuthentication(this IServiceCollection services
                 "https://login.microsoftonline.com/69e9b82d-4842-4902-8d1e-abc5b98a55e8/v2.0",
             ];
 
-            string tenantId = tokenValidationSection["TenantId"];
+            string tenantId = tokenValidationSection["TenantId"]!;
             if (!string.IsNullOrEmpty(tenantId))
             {
                 validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidTokenIssuerUrlTemplateV1, tenantId));
@@ -102,21 +109,26 @@ public static void AddAgentAspNetAuthentication(this IServiceCollection services
         bool azureBotServiceTokenHandling = tokenValidationSection.GetValue("AzureBotServiceTokenHandling", true);
 
         // If the `AzureBotServiceOpenIdMetadataUrl` setting is not specified, use the default based on `IsGov`.  This is what is used to authenticate ABS tokens.
-        string azureBotServiceOpenIdMetadataUrl = tokenValidationSection["AzureBotServiceOpenIdMetadataUrl"];
+        string azureBotServiceOpenIdMetadataUrl = tokenValidationSection["AzureBotServiceOpenIdMetadataUrl"]!;
         if (string.IsNullOrEmpty(azureBotServiceOpenIdMetadataUrl))
         {
             azureBotServiceOpenIdMetadataUrl = isGov ? AuthenticationConstants.GovAzureBotServiceOpenIdMetadataUrl : AuthenticationConstants.PublicAzureBotServiceOpenIdMetadataUrl;
         }
 
         // If the `OpenIdMetadataUrl` setting is not specified, use the default based on `IsGov`.  This is what is used to authenticate Entra ID tokens.
-        string openIdMetadataUrl = tokenValidationSection["OpenIdMetadataUrl"];
+        string openIdMetadataUrl = tokenValidationSection["OpenIdMetadataUrl"]!;
         if (string.IsNullOrEmpty(openIdMetadataUrl))
         {
             openIdMetadataUrl = isGov ? AuthenticationConstants.GovOpenIdMetadataUrl : AuthenticationConstants.PublicOpenIdMetadataUrl;
         }
 
         TimeSpan openIdRefreshInterval = tokenValidationSection.GetValue("OpenIdMetadataRefresh", BaseConfigurationManager.DefaultAutomaticRefreshInterval);
 
+        _ = services.AddAuthorization(options =>
+        {
+            options.AddPolicy("AllowedCallers", policy => policy.Requirements.Add(new AllowedCallersPolicy(allowedCallers)));
+        });
+
         _ = services.AddAuthentication(options =>
         {
             options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
@@ -155,7 +167,7 @@ public static void AddAgentAspNetAuthentication(this IServiceCollection services
                         return;
                     }
 
-                    string[] parts = authorizationHeader?.Split(' ');
+                    string[] parts = authorizationHeader?.Split(' ')!;
                     if (parts.Length != 2 || parts[0] != "Bearer")
                     {
                         // Default to AadTokenValidation handling
@@ -165,7 +177,7 @@ public static void AddAgentAspNetAuthentication(this IServiceCollection services
                     }
 
                     JwtSecurityToken token = new(parts[1]);
-                    string issuer = token.Claims.FirstOrDefault(claim => claim.Type == AuthenticationConstants.IssuerClaim)?.Value;
+                    string issuer = token.Claims.FirstOrDefault(claim => claim.Type == AuthenticationConstants.IssuerClaim)?.Value!;
 
                     if (azureBotServiceTokenHandling && AuthenticationConstants.BotFrameworkTokenIssuer.Equals(issuer))
                     {
@@ -210,4 +222,46 @@ public static void AddAgentAspNetAuthentication(this IServiceCollection services
             };
         });
     }
+
+    class AllowedCallersPolicy(IList<string> allowedCallers) : IAuthorizationHandler, IAuthorizationRequirement
+    {
+        private readonly IList<string> _allowedCallers = allowedCallers ?? [];
+
+        public Task HandleAsync(AuthorizationHandlerContext context)
+        {
+            if (_allowedCallers.Count == 0 || _allowedCallers[0] == "*")
+            {
+                context.Succeed(this);
+                return Task.CompletedTask;
+            }
+
+            List<Claim> claims = [.. context.User.Claims];
+
+            // allow ABS
+            var issuer = claims.SingleOrDefault(claim => claim.Type == AuthenticationConstants.IssuerClaim);
+            if (AuthenticationConstants.BotFrameworkTokenIssuer.Equals(issuer))
+            {
+                context.Succeed(this);
+            }
+            else
+            {
+                // Get azp or appid claim 
+                var party = claims.SingleOrDefault(claim => claim.Type == AuthenticationConstants.AuthorizedParty);
+                party ??= claims.SingleOrDefault(claim => claim.Type == AuthenticationConstants.AppIdClaim);
+
+                // party must be in allowed list
+                bool isAllowed = party != null && _allowedCallers.Where(allowed => allowed == party.Value).Any();
+                if (isAllowed)
+                {
+                    context.Succeed(this);
+                }
+                else
+                {
+                    context.Fail();
+                }
+            }
+
+            return Task.CompletedTask;
+        }
+    }
 }