
Token Authentication with JSON Web Tokens (JWT)

Open nathany opened this issue 8 years ago • 6 comments

What's New in the Apple Push Notification Service https://developer.apple.com/videos/play/wwdc2016/724/

Starting with a review of the HTTP/2 based provider API, you will learn about an important new feature: Token Based Authentication. Learn to connect to APNs using authentication tokens for sending pushes via the HTTP/2 API, relieving you of the overhead associated with maintaining valid certificates.

TODO:

  • [ ] Refresh my knowledge of JWT
  • [x] Write example that uses a Go JWT library
  • [x] Get a signing Key from Apple to test this out
  • [ ] Review the APIs and dependencies
  • [ ] Documentation of Certificate and Token authentication options

nathany avatar Jun 15 '16 17:06 nathany

There are several JWT libraries for Go: https://godoc.org/?q=jwt

@groob suggests https://github.com/dgrijalva/jwt-go

Header: alg (algorithm) ES256; kid (key identifier used to sign the token)

Claims: iss (developer key ID); iat (seconds since epoch)

authorization = bearer thetoken

status 403, reason: InvalidProviderToken or ExpiredProviderToken (within the last hour; reuse the token as long as it is valid)

APNS will continue to support certificate authentication.

nathany avatar Jun 15 '16 19:06 nathany

The API needs to support both certificate and token based authentication.

It won't be necessary to load a certificate or configure the HTTP/2 client with Go 1.6.1 or better, instead just create a service:

service := push.NewService(http.DefaultClient, host)

Q: should it be necessary to import http just to specify http.DefaultClient or should nil do the same thing? (then either would work)

Perhaps authorization/bearer is just another push.Header with some other functions or instructions to help build it (depending on whether Buford does the JWT part or not). Also, there are more error reasons to add.

I kind of like the idea of letting the user do the JWT stuff themselves, or at least independent of the push package. Then just provide an example of using it.

It may make sense to move NewClient out of the push package as it is the only thing that requires the x/net/http2 dependency. Possibly into the certificate package?

nathany avatar Jun 15 '16 19:06 nathany

https://jwt.io/ does some validations against various (Go) libraries.

nathany avatar Jun 15 '16 20:06 nathany

~~This could remove the dependency on x/net/http2 which would mean NewClient could remain in the push package for users still using client certificates from Apple.~~

~~https://github.com/golang/go/issues/16581~~

nathany avatar Aug 12 '16 15:08 nathany

"At WWDC 2016, we announced token-based authentication, a new and simple way for notification providers to authenticate with the Apple Push Notification services (APNs) without the need for app-specific SSL certificates. Token-based authentication reduces the overhead of monitoring and renewing expiring certificates each year. In addition, you can use a single token to send notifications to each one of your apps."

nathany avatar Sep 15 '16 21:09 nathany

https://go-review.googlesource.com/c/net/+/53250

nathany avatar Nov 17 '17 05:11 nathany