Verify JWT Token

When a message is posted to your server from Microsoft, the only way to be sure it came from Microsoft is to verify the signature on the JWT token in the header. To do this you need to install the PyJWT and cryptography libraries, which can be a little tricky on some platforms.

Before you Start

On your local dev machine, when using the emulator, you will have to disable the JWT validation. To do so, pass verify_jwt_signature=False to the MsBot object.

from microsoftbotframework import MsBot
bot = MsBot(verify_jwt_signature=False)  # local emulator only

Ubuntu Install

Install the required Python libs. You can remove python-dev or python3-dev depending on which version of Python you are using, or install both.

apt-get install build-essential libssl-dev libffi-dev python-dev python3-dev

You should then be able to install cryptography and PyJWT.

pip install cryptography PyJWT

Windows Install

On Windows you should just be able to use the following pip command to install cryptography and PyJWT.

pip install cryptography PyJWT

Heroku Setup

To enable the JWT validation on Heroku, update requirements.txt to include the cryptography and PyJWT libs.

microsoftbotframework
cryptography
PyJWT
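
What the signature check described at the top of this page involves, as an added example that is not the microsoftbotframework library's own code: it uses the PyJWT and cryptography libraries installed above to accept a bearer token only when the signature, pinned algorithm, audience, issuer and expiry all check out. The key pairs, APP_ID, ISSUER and the helper names are constructed for the example; a deployed bot verifies against the signer's published public keys instead of a locally generated one.

```python
import time
import jwt  # PyJWT
from cryptography.hazmat.primitives.asymmetric import rsa

# Constructed placeholder values, not taken from the page or from Microsoft.
APP_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = "https://issuer.example"

def verify_bearer(auth_header, public_key, app_id=APP_ID, issuer=ISSUER):
    """Return the token's claims if the header passes every check, else None."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    try:
        return jwt.decode(
            token,
            public_key,
            algorithms=["RS256"],  # pinned: the token header must not choose
            audience=app_id,       # token must be addressed to this bot
            issuer=issuer,
            options={"require": ["exp", "iss", "aud"]},
        )
    except jwt.InvalidTokenError:  # bad signature, expired, wrong aud/iss, malformed
        return None

def make_header(private_key, aud=APP_ID, iss=ISSUER, ttl=300):
    """Build a constructed Authorization header the way a signing service would."""
    claims = {"iss": iss, "aud": aud, "exp": int(time.time()) + ttl}
    token = jwt.encode(claims, private_key, algorithm="RS256")
    if isinstance(token, bytes):  # PyJWT 1.x returns bytes, 2.x returns str
        token = token.decode("ascii")
    return "Bearer " + token

def demo():
    """Run constructed headers through verify_bearer and report which pass."""
    trusted = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = trusted.public_key()
    cases = {
        "valid": make_header(trusted),
        "wrong_key": make_header(other),  # signed by a key we do not trust
        "wrong_audience": make_header(trusted, aud="some-other-app"),
        "expired": make_header(trusted, ttl=-60),
        "no_bearer": make_header(trusted).split(" ", 1)[1],  # scheme missing
    }
    return {name: verify_bearer(h, pub) is not None for name, h in cases.items()}

if __name__ == "__main__":
    print(demo())
```

Only the "valid" case passes; every other header is rejected before any message handling would run.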