Revert serviceUrl allowlist (ADO 5310460)

Libraries/Microsoft.Teams.Api/Auth/CloudEnvironment.cs

@@ -45,20 +45,14 @@ public class CloudEnvironment
     /// </summary>
     public string GraphScope { get; }
 
-    /// <summary>
-    /// Allowed service URL hostnames for this cloud environment.
-    /// </summary>
-    public IReadOnlyList<string> AllowedServiceUrls { get; }
-
     public CloudEnvironment(
         string loginEndpoint,
         string loginTenant,
         string botScope,
         string tokenServiceUrl,
         string openIdMetadataUrl,
         string tokenIssuer,
-        string graphScope,
-        string[]? allowedServiceUrls = null)
+        string graphScope)
     {
         LoginEndpoint = loginEndpoint.TrimEnd('/');
         LoginTenant = loginTenant;
@@ -67,7 +61,6 @@ public CloudEnvironment(
         OpenIdMetadataUrl = openIdMetadataUrl;
         TokenIssuer = tokenIssuer;
         GraphScope = graphScope;
-        AllowedServiceUrls = allowedServiceUrls is not null ? Array.AsReadOnly(allowedServiceUrls) : [];
     }
 
     /// <summary>
@@ -80,8 +73,7 @@ public CloudEnvironment(
         tokenServiceUrl: "https://token.botframework.com",
         openIdMetadataUrl: "https://login.botframework.com/v1/.well-known/openidconfiguration",
         tokenIssuer: "https://api.botframework.com",
-        graphScope: "https://graph.microsoft.com/.default",
-        allowedServiceUrls: ["smba.trafficmanager.net", "smba.onyx.prod.teams.trafficmanager.net", "smba.infra.gcc.teams.microsoft.com"]
+        graphScope: "https://graph.microsoft.com/.default"
     );
 
     /// <summary>
@@ -94,8 +86,7 @@ public CloudEnvironment(
         tokenServiceUrl: "https://tokengcch.botframework.azure.us",
         openIdMetadataUrl: "https://login.botframework.azure.us/v1/.well-known/openidconfiguration",
         tokenIssuer: "https://api.botframework.us",
-        graphScope: "https://graph.microsoft.us/.default",
-        allowedServiceUrls: ["smba.infra.gov.teams.microsoft.us"]
+        graphScope: "https://graph.microsoft.us/.default"
     );
 
     /// <summary>
@@ -108,8 +99,7 @@ public CloudEnvironment(
         tokenServiceUrl: "https://apiDoD.botframework.azure.us",
         openIdMetadataUrl: "https://login.botframework.azure.us/v1/.well-known/openidconfiguration",
         tokenIssuer: "https://api.botframework.us",
-        graphScope: "https://dod-graph.microsoft.us/.default",
-        allowedServiceUrls: ["smba.infra.dod.teams.microsoft.us"]
+        graphScope: "https://dod-graph.microsoft.us/.default"
     );
 
     /// <summary>
@@ -122,8 +112,7 @@ public CloudEnvironment(
         tokenServiceUrl: "https://token.botframework.azure.cn",
         openIdMetadataUrl: "https://login.botframework.azure.cn/v1/.well-known/openidconfiguration",
         tokenIssuer: "https://api.botframework.azure.cn",
-        graphScope: "https://microsoftgraph.chinacloudapi.cn/.default",
-        allowedServiceUrls: ["frontend.botapi.msg.infra.teams.microsoftonline.cn"]
+        graphScope: "https://microsoftgraph.chinacloudapi.cn/.default"
     );
 
     /// <summary>
@@ -137,12 +126,11 @@ public CloudEnvironment WithOverrides(
         string? tokenServiceUrl = null,
         string? openIdMetadataUrl = null,
         string? tokenIssuer = null,
-        string? graphScope = null,
-        string[]? allowedServiceUrls = null)
+        string? graphScope = null)
     {
         if (loginEndpoint is null && loginTenant is null && botScope is null &&
             tokenServiceUrl is null && openIdMetadataUrl is null && tokenIssuer is null &&
-            graphScope is null && allowedServiceUrls is null)
+            graphScope is null)
         {
             return this;
         }
@@ -154,8 +142,7 @@ tokenServiceUrl is null && openIdMetadataUrl is null && tokenIssuer is null &&
             tokenServiceUrl ?? TokenServiceUrl,
             openIdMetadataUrl ?? OpenIdMetadataUrl,
             tokenIssuer ?? TokenIssuer,
-            graphScope ?? GraphScope,
-            allowedServiceUrls ?? [.. AllowedServiceUrls]
+            graphScope ?? GraphScope
         );
     }
 

Libraries/Microsoft.Teams.Apps/App.cs

@@ -41,8 +41,6 @@ public partial class App
     internal IServiceProvider? Provider { get; set; }
     internal IContainer Container { get; set; }
 
-    private readonly IEnumerable<string>? _additionalAllowedDomains;
-    private readonly CloudEnvironment _cloud;
     internal string UserAgent
     {
         get
@@ -55,20 +53,13 @@ internal string UserAgent
     public App(AppOptions? options = null)
     {
         var cloud = options?.Cloud ?? CloudEnvironment.Public;
-        _cloud = cloud;
 
         Logger = options?.Logger ?? new ConsoleLogger();
         Storage = options?.Storage ?? new LocalStorage<object>();
         Credentials = options?.Credentials;
         Plugins = options?.Plugins ?? [];
         OAuth = options?.OAuth ?? new OAuthSettings();
         Provider = options?.Provider;
-        _additionalAllowedDomains = options?.AdditionalAllowedDomains;
-
-        if (_additionalAllowedDomains?.Contains("*") == true)
-        {
-            Logger.Warn("Service URL validation is disabled via wildcard in AdditionalAllowedDomains");
-        }
 
         TokenClient = new Common.Http.HttpClient();
         Client = options?.Client ?? options?.ClientFactory?.CreateClient() ?? new Common.Http.HttpClient();
@@ -386,11 +377,6 @@ private async Task<Response> Process(ISenderPlugin sender, ActivityEvent @event,
         Logger.Debug(path);
 
         var serviceUrl = @event.Activity.ServiceUrl ?? @event.Token.ServiceUrl;
-        if (!ServiceUrlValidator.IsAllowed(serviceUrl, _cloud, _additionalAllowedDomains))
-        {
-            Logger.Warn($"Rejected service URL: {serviceUrl}");
-            throw new InvalidOperationException("Service URL is not from an allowed domain");
-        }
 
         var reference = new ConversationReference()
         {

Libraries/Microsoft.Teams.Apps/AppOptions.cs

@@ -18,12 +18,6 @@ public class AppOptions
     public OAuthSettings OAuth { get; set; } = new OAuthSettings();
     public CloudEnvironment? Cloud { get; set; }
 
-    /// <summary>
-    /// Additional allowed service URL hostnames beyond the built-in defaults.
-    /// Use this if your bot receives activities from non-standard channels.
-    /// </summary>
-    public IEnumerable<string>? AdditionalAllowedDomains { get; set; }
-
     public AppOptions()
     {
 

Libraries/Microsoft.Teams.Extensions/Microsoft.Teams.Extensions.Configuration/Microsoft.Teams.Apps.Extensions/TeamsSettings.cs

@@ -11,7 +11,6 @@ public class TeamsSettings
     public string? ClientSecret { get; set; }
     public string? TenantId { get; set; }
     public string? Cloud { get; set; }
-    public string[]? AdditionalAllowedDomains { get; set; }
 
     /// <summary>Override the Azure AD login endpoint.</summary>
     public string? LoginEndpoint { get; set; }
@@ -81,11 +80,6 @@ public AppOptions Apply(AppOptions? options = null)
             existingCredentials.Cloud = cloud;
         }
 
-        if (AdditionalAllowedDomains is { Length: > 0 })
-        {
-            options.AdditionalAllowedDomains = AdditionalAllowedDomains;
-        }
-
         return options;
     }
 }