Describe the issue
We have an Application Hosted Media bot running on a Virtual Machine in Azure Government Cloud. We have created an app registration for the Bot in Entra ID in our government cloud subscription with all of the necessary permissions, and have registered the Bot with Azure AI Services in the same subscription. The Microsoft Teams Channel has been enabled on the bot with "Enable calling" selected. Although we are not currently using Messaging, it is configured on the Teams Channel for GCC-High.
Using ICommunicationsClientBuilder, we have set the HostingEnvironmentConfiguration in the MediaPlatformSettings to AzureGovernment, and the ServiceBaseUrl is set to https://graph.microsoft.us/v1.0.
The bot can successfully join our meeting created in our Government Teams account, and our bot is receiving notifications via the callback URI.
However, when we attempt to validate incoming callbacks to the notification URL by checking the issuer and validating the signature, we are not getting the expected results. We would expect the issuer and kid to come from the Metadata listed here https://apigcch.botframework.azure.us/v1/.well-known/OpenIdConfiguration; however, we see the issuer is set to https://api.botframework.com/, and the kid does not seem to appear in any publicly available set of signing keys (the kid that is specified is Uhw054eTRsToSIF49D0D2uGrDao).
Expected behavior
Issuer on incoming webhook calls set to https://api.botframework.us, and a kid that is present in https://apigcch.botframework.azure.us/v1/.well-known/keys.
Graph SDK (please complete the following information):
- Version 5.101.0
- Microsoft.Skype.Bots.Media version 1.31.0.225
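
A diagnostic for the mismatch reported above, added here as an example and not part of the original issue or the Graph SDK: it decodes a callback token's header and claims without verifying the signature and reports whether `iss` and `kid` match what the validator is configured for. The sample token and key set are constructed, and `triage` and `decode_unverified` are hypothetical helper names.

```python
import base64
import json

EXPECTED_ISSUER = "https://api.botframework.us"  # issuer the issue expects to see

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, claims) WITHOUT checking the signature. Diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return _b64url_json(parts[0]), _b64url_json(parts[1])

def triage(token: str, expected_issuer: str, jwks: dict) -> dict:
    """Report which checks a validator using expected_issuer and jwks would fail."""
    header, claims = decode_unverified(token)
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    kid = header.get("kid")
    return {
        "iss": claims.get("iss"),
        "kid": kid,
        # Exact string comparison: a trailing slash is enough to mismatch.
        "issuer_matches": claims.get("iss") == expected_issuer,
        "kid_in_jwks": kid is not None and kid in known_kids,
    }

def _encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample shaped like the token the issue describes (dummy signature).
SAMPLE_TOKEN = ".".join([
    _encode({"alg": "RS256", "typ": "JWT", "kid": "Uhw054eTRsToSIF49D0D2uGrDao"}),
    _encode({"iss": "https://api.botframework.com/"}),
    "c2lnbmF0dXJl",
])
# Constructed stand-in for the key set served at the .well-known/keys URL.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-kid-1"}]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TOKEN, EXPECTED_ISSUER, SAMPLE_JWKS), indent=2))
```

The output is for logging and comparison only; a token must still pass full signature, issuer and audience validation before the callback is trusted.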