SOLVED

Bot authentication fails due to "Signing Key could not be retrieved at JwtTokenExtractor" error

%3CLINGO-SUB%20id%3D%22lingo-sub-2613121%22%20slang%3D%22en-US%22%3EBot%20authentication%20fails%20due%20to%20%22Signing%20Key%20could%20not%20be%20retrieved%20at%20JwtTokenExtractor%22%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2613121%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20have%20any%20suggestions%20on%20how%20to%20resolve%20the%20below%20issue%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETLDR%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIt%20seems%20like%20Microsoft%20Teams%20is%20sending%20my%20bot%20a%20key%20ID%20(ZyGh1GbBL8xd1kOxRYchc1VPSQQ)%20that%20is%20missing%20from%20Microsoft's%20list%20of%20well-known%20Open%20ID%20keys%20(%3CA%20href%3D%22https%3A%2F%2Flogin.botframework.com%2Fv1%2F.well-known%2Fkeys%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Flogin.botframework.com%2Fv1%2F.well-known%2Fkeys%3C%2FA%3E).%20This%20means%20my%20bot%20is%20unable%20to%20authenticate%20messages%20that%20Microsoft%20Teams%20sends%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EDetails%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EToday%20a%20couple%20of%20our%20development%20and%20staging%20apps%20started%20getting%20this%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EJwtTokenExtractor.getIdentity%3Aerr!%20AuthenticationError%3A%20Signing%20Key%20could%20not%20be%20retrieved%0Aat%20JwtTokenExtractor.%3CANONYMOUS%3E%20(%2Fhome%2Fgabrielx%2Fprojects%2Foss%2Foss_ms_teams%2Fnode_modules%2Fbotframework-connector%2Flib%2Fauth%2FjwtTokenExtractor.js%3A174%3A15)%0Aat%20Generator.next%20(%3CANONYMOUS%3E)%0Aat%20fulfilled%20(%2Fhome%2Fgabrielx%2Fprojects%2Foss%2Foss_ms_teams%2Fnode_modules%2Fbotframework-connector%2Fsrc%2Fauth%2FjwtTokenExtractor.ts%3A11%3A1)%0Aat%20processTicksAndRejections%20(internal%2Fprocess%2Ftask_queues.js%3A97%3A5)%20%7B%0AstatusCode%3A%20401%0A%7D%3C%2FANONYMOUS%3E%3C%2FANONYMOUS%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20an%20expired%2C%20decoded%20JWT%20from%20the%20authorization%20header%20from%20a%20bot%20message%20that%20Teams%20sent%20to%20my%20development%20environment%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3E%7B%0Aheader%3A%20%7B%0Aalg%3A%20'RS256'%2C%0Akid%3A%20'ZyGh1GbBL8xd1kOxRYchc1VPSQQ'%2C%0Atyp%3A%20'JWT'%2C%0Ax5t%3A%20'ZyGh1GbBL8xd1kOxRYchc1VPSQQ'%0A%7D%2C%0Apayload%3A%20%7B%0Aserviceurl%3A%20'https%3A%2F%2Fsmba.trafficmanager.net%2Famer%2F'%2C%0Anbf%3A%201628117449%2C%0Aexp%3A%201628121049%2C%0Aiss%3A%20'https%3A%2F%2Fapi.botframework.com'%2C%0Aaud%3A%20'43f91f57-0c80-40a1-bdbb-79c2f2100ef3'%0A%7D%2C%0Asignature%3A%20'yEg_trg3mNyA2noHZd20BAjjonR_YxU9hpTodceVQU1yYJmQR89mhJFNiA0QUZJXE95rsw-mGBVHkCQ5A6NUUgxYOs1Dr-9liSox8lm3xSykOIwnU6xLhoF54U6usRjq82es3hEvZbBZ160HVr3LAMagtBcfdS-SSY2SWDWL_FUpAGq835r-IIrSDzV8T5GVIWDFzNSPdqYGT_7iA2QOQDBnouh53V57TGPIBzvylmRyquLe3f_b4MBi4TdpLPXvmlQQejaW10WY2BolHewYVltrIw8q62av997wb4KOa7yh_ZgdaL-CfZAh3DSblzALwR6njPAIJhBttMqMOuBmSg'%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20check%20%3CA%20href%3D%22https%3A%2F%2Flogin.botframework.com%2Fv1%2F.well-known%2Fkeys%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Flogin.botframework.com%2Fv1%2F.well-known%2Fkeys%3C%2FA%3E%2C%20I%20do%20not%20find%20the%20key%20ID%20ZyGh1GbBL8xd1kOxRYchc1VPSQQ%20that%20was%20in%20the%20above%20authorization%20header.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20happens%20whenever%20I%20send%20my%20bot%20a%20message%20via%20Teams.%20For%20example%2C%20if%20I%20type%20%22help%22%20when%20I%20am%20in%20a%20personal%20chat%20with%20the%20bot%20in%20%3CA%20href%3D%22https%3A%2F%2Fteams.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fteams.microsoft.com%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20restarted%20my%20server%20many%20times%20to%20reset%20the%20in-process%20cache%20that%20Microsoft's%20openIdMetadata.js%20class%20maintains.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EVersions%3C%2FSTRONG%3E%3CBR%20%2F%3Ebotbuilder%204.14.1%3CBR%20%2F%3ENode.js%2012%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2613121%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDeveloper%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2617565%22%20slang%3D%22en-US%22%3ERe%3A%20Bot%20authentication%20fails%20due%20to%20%22Signing%20Key%20could%20not%20be%20retrieved%20at%20JwtTokenExtractor%26amp%3Bqu%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2617565%22%20slang%3D%22en-US%22%3EWhen%20I%20came%20into%20work%20this%20morning%2C%20the%20problem%20had%20disappeared%20from%20all%20the%20apps%20that%20were%20experiencing%20it%20yesterday.%20I%20checked%20Microsoft's%20well-known%20keys%20endpoint%2C%20and%20the%20key%20ID%20that%20was%20missing%20yesterday%20is%20present%20today.%20So%20this%20problem%20is%20resolved.%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20I%20would%20still%20like%20to%20know%20where%20to%20submit%20a%20support%20contact%20if%20I%20find%20myself%20in%20a%20similar%20situation%20in%20the%20future.%20I%20am%20also%20interested%20to%20know%20if%20there%20was%20anything%20that%20I%20could%20have%20done%20myself%20to%20fix%20the%20situation%20that%20we%20were%20in%20for%20hours%20yesterday.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2626921%22%20slang%3D%22en-US%22%3ERe%3A%20Bot%20authentication%20fails%20due%20to%20%22Signing%20Key%20could%20not%20be%20retrieved%20at%20JwtTokenExtractor%26amp%3Bqu%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2626921%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F825415%22%20target%3D%22_blank%22%3E%40gabrield%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20seems%20like%20an%20issue%20with%20the%20cache.%20You%20can%20reopen%20this%20question%20if%20you%20face%20the%20same%20issue%20in%20future.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Does anyone have any suggestions on how to resolve the below issue? 

 

TLDR

It seems like Microsoft Teams is sending my bot a key ID (ZyGh1GbBL8xd1kOxRYchc1VPSQQ) that is missing from Microsoft's list of well-known Open ID keys (https://login.botframework.com/v1/.well-known/keys). This means my bot is unable to authenticate messages that Microsoft Teams sends it.

 

Details

Today a couple of our development and staging apps started getting this error:

 

 

JwtTokenExtractor.getIdentity:err! AuthenticationError: Signing Key could not be retrieved
at JwtTokenExtractor.<anonymous> (/home/gabrielx/projects/oss/oss_ms_teams/node_modules/botframework-connector/lib/auth/jwtTokenExtractor.js:174:15)
at Generator.next (<anonymous>)
at fulfilled (/home/gabrielx/projects/oss/oss_ms_teams/node_modules/botframework-connector/src/auth/jwtTokenExtractor.ts:11:1)
at processTicksAndRejections (internal/process/task_queues.js:97:5) {
statusCode: 401
}

 

 

 

This is an expired, decoded JWT from the authorization header from a bot message that Teams sent to my development environment:

 

 

{
header: {
alg: 'RS256',
kid: 'ZyGh1GbBL8xd1kOxRYchc1VPSQQ',
typ: 'JWT',
x5t: 'ZyGh1GbBL8xd1kOxRYchc1VPSQQ'
},
payload: {
serviceurl: 'https://smba.trafficmanager.net/amer/',
nbf: 1628117449,
exp: 1628121049,
iss: 'https://api.botframework.com',
aud: '43f91f57-0c80-40a1-bdbb-79c2f2100ef3'
},
signature: 'yEg_trg3mNyA2noHZd20BAjjonR_YxU9hpTodceVQU1yYJmQR89mhJFNiA0QUZJXE95rsw-mGBVHkCQ5A6NUUgxYOs1Dr-9liSox8lm3xSykOIwnU6xLhoF54U6usRjq82es3hEvZbBZ160HVr3LAMagtBcfdS-SSY2SWDWL_FUpAGq835r-IIrSDzV8T5GVIWDFzNSPdqYGT_7iA2QOQDBnouh53V57TGPIBzvylmRyquLe3f_b4MBi4TdpLPXvmlQQejaW10WY2BolHewYVltrIw8q62av997wb4KOa7yh_ZgdaL-CfZAh3DSblzALwR6njPAIJhBttMqMOuBmSg'
}

 

 

 

When I check https://login.botframework.com/v1/.well-known/keys, I do not find the key ID ZyGh1GbBL8xd1kOxRYchc1VPSQQ that was in the above authorization header.

 

This happens whenever I send my bot a message via Teams. For example, if I type "help" when I am in a personal chat with the bot in https://teams.microsoft.com/

 

I have restarted my server many times to reset the in-process cache that Microsoft's openIdMetadata.js class maintains.

 

Versions
botbuilder 4.14.1
Node.js 12

 

2 Replies
When I came into work this morning, the problem had disappeared from all the apps that were experiencing it yesterday. I checked Microsoft's well-known keys endpoint, and the key ID that was missing yesterday is present today. So this problem is resolved.

But I would still like to know where to submit a support contact if I find myself in a similar situation in the future. I am also interested to know if there was anything that I could have done myself to fix the situation that we were in for hours yesterday.
best response confirmed by gabrield (New Contributor)
Solution

@gabrield 

 

This seems like an issue with the cache. You can reopen this question if you face the same issue in future.

www.000webhost.com