Security: lock JsonWebToken trust-boundary contract #432
Open
corinagum wants to merge 2 commits into
Conversation
lilyydu (Contributor) approved these changes on May 22, 2026
Pull request overview
This PR clarifies the Teams Python SDK’s layered JWT authentication model by documenting that JsonWebToken is a post-validation typed accessor and does not itself verify token signatures (validation happens at the HTTP boundary).
Changes:
- Expanded the `JsonWebToken.__init__` docstring to explicitly state it performs no signature/issuer/audience/expiry validation and must not be constructed from untrusted input.
- Added inline commentary near `jwt.decode(... verify_signature=False)` to reinforce the upstream trust-boundary contract.
Comment on lines +55 to +57
| # Decode without verification for payload extraction. | ||
| # Signature verification happens upstream in TokenValidator; see the | ||
| # class docstring for the trust-boundary contract. |
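Review bot: the pointer at +56/+57 sends readers to "the class docstring" for the trust-boundary contract, but this PR places that contract on the `JsonWebToken.__init__` docstring; make the comment point at the docstring that actually carries the contract so the reference does not dangle. While touching it, the first line at +55 could say what "without verification" covers, since disabling signature verification here also skips the issuer, audience and expiry checks that the docstring says this class does not perform; one line such as `# No signature, issuer, audience or expiry checks happen here.` keeps the comment and the docstring telling the same story.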
Comment on lines +44 to +47
| ``TokenValidator.validate_token`` (packages/apps/src/microsoft_teams/ | ||
| apps/auth/token_validator.py). Internal callers may also construct from | ||
| tokens sourced from trusted identity infrastructure (MSAL, Bot Framework | ||
| API responses). |
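Review bot: +46/+47 widen the accepted sources to "tokens sourced from trusted identity infrastructure (MSAL, Bot Framework API responses)" without stating what makes those tokens trusted, which blurs the single rule the PR description gives (never construct from raw network input). Suggest phrasing it as tokens the SDK itself obtained from the identity provider, as opposed to anything presented by an inbound caller, so a reader can apply one test to decide whether a constructor call is allowed.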
Summary
Documents the layered authentication model the SDK uses for inbound JSON Web Tokens. Python half of a 3-SDK PR set.
Why
Security scan finding "JsonWebToken No Signature Verification" flagged the `JsonWebToken` accessor class for decoding tokens without verifying signatures (uses `verify_signature=False`). A cross-SDK audit confirmed this is intentional architecture: signature verification runs at the HTTP boundary in `TokenValidator.validate_token` (packages/apps/src/microsoft_teams/apps/auth/token_validator.py), and the accessor exists as a typed view over already-validated payloads. Every consumer of decoded claims is downstream of a validator pass.

This PR makes the architectural invariant explicit at the constructor site so future readers (and the scanner on its next pass) see the design intent locally.
What
Contract docstring at `JsonWebToken.__init__` explaining that it performs no signature verification, where verification actually happens, and the rule that callers must not construct from raw network input.

What this does not change
- `JsonWebToken` keeps its current name (verified public on `microsoft_teams.api`, so a rename would have been breaking).
- `TokenValidator.validate_token`: exactly as before.

Related PRs
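The layered model the PR describes (validator at the HTTP boundary, accessor downstream that decodes without verifying) is easy to get wrong if the accessor can be handed a raw string. The following is an added example, not code from the Teams SDK, showing one way to make the contract enforceable rather than documentary: the validator returns a `ValidatedToken` marker type and the accessor refuses anything else. The HS256 signing with the standard library's `hmac` stands in for whatever the real `TokenValidator` uses; `mint_hs256`, `ValidatedToken`, `InvalidTokenError`, the claim names and the keys are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


class InvalidTokenError(Exception):
    """Raised by the boundary validator for any token that fails a check (constructed name)."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper so the example runs offline: mint an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


@dataclass(frozen=True)
class ValidatedToken:
    """Marker type: only TokenValidator.validate_token produces one (assumed design)."""
    raw: str


class TokenValidator:
    """HTTP-boundary validator: signature, issuer, audience and expiry are all checked here."""

    def __init__(self, key: bytes, issuer: str, audience: str):
        self._key = key
        self._issuer = issuer
        self._audience = audience

    def validate_token(self, token: str, now: Optional[float] = None) -> ValidatedToken:
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            payload = json.loads(_b64url_decode(payload_b64))
            signature = _b64url_decode(sig_b64)
        except ValueError as exc:  # covers bad segment count, bad base64 and bad JSON
            raise InvalidTokenError("malformed token") from exc
        # Pin the algorithm: never let the header choose how it is verified.
        if header.get("alg") != "HS256":
            raise InvalidTokenError("unexpected alg")
        expected = hmac.new(self._key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise InvalidTokenError("bad signature")
        if payload.get("iss") != self._issuer:
            raise InvalidTokenError("unexpected issuer")
        if payload.get("aud") != self._audience:
            raise InvalidTokenError("unexpected audience")
        exp = payload.get("exp")
        current = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or exp <= current:
            raise InvalidTokenError("expired or missing exp")
        return ValidatedToken(token)


class JsonWebToken:
    """Post-validation typed accessor. Performs NO verification of any kind.

    It only accepts a ValidatedToken, so the 'never construct from raw network
    input' rule is enforced by the type rather than by a docstring.
    """

    def __init__(self, token: ValidatedToken):
        if not isinstance(token, ValidatedToken):
            raise TypeError("JsonWebToken must be built from a ValidatedToken, never from raw input")
        self.raw = token.raw
        # Plain payload decode, the same operation as jwt.decode(..., verify_signature=False).
        self.payload = json.loads(_b64url_decode(token.raw.split(".")[1]))

    @property
    def app_id(self) -> Optional[str]:
        return self.payload.get("appid")

    @property
    def expiration(self) -> Optional[float]:
        return self.payload.get("exp")


def unverified_claims(token: str) -> dict:
    """What an accessor would report if it were fed raw input: whatever the sender wrote."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    key = b"constructed-example-key"
    validator = TokenValidator(key, "https://issuer.example", "api://app")
    good = mint_hs256({"iss": "https://issuer.example", "aud": "api://app", "appid": "app-123", "exp": 2_000_000_000}, key)
    print("validated appid:", JsonWebToken(validator.validate_token(good, now=1_900_000_000)).app_id)
```

The accessor is deliberately as thin as the SDK's: it decodes and exposes claims. What changes is that the only way to obtain the argument it accepts is to go through the validator, so a scanner (or a reviewer) can confirm the invariant from the type signature instead of trusting a comment.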