blacktop / ipsw

iOS/macOS Research Swiss Army Knife
https://blacktop.github.io/ipsw
MIT License

appstore connect fails on a certain workstation #301

Open doronz88 opened 1 year ago

doronz88 commented 1 year ago

Hi,

I tried using the ipsw appstore profile ls command line tool, but on various different workstations I get the expected output, while on a specific one I always get the same error:

   ⨯ 401 Unauthorized: NOT_AUTHORIZED: Authentication credentials are missing or invalid. (Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens)

I double-checked to verify the same parameters were passed correctly.

blacktop commented 1 year ago

So one thing that the ipsw appstore profile ls command does is generate a 5-minute-long JWT to perform all the web requests.

I wonder if you've created a JWT for one machine, but then try and run on another machine and it rejects it because you still have a JWT that is alive on another machine?

I could change the duration to only 10-30 secs OR I could add support for long lived JWT tokens and let you use those instead of the --p8, --iss and --kid flags?

blacktop commented 1 year ago

I added a 🆕 ipsw appstore token --lifetime 10d command to let the user generate reusable tokens that the other commands will accept in place of the --p8, --iss and --kid flags.

blacktop commented 1 year ago

IF that also fails then I think Apple doesn't like that other workstation's IP 😬

doronz88 commented 1 year ago

This results in an error:

   ⨯ invalid argument "10d" for "-l, --lifetime" flag: time: unknown unit "d" in duration "10d"

doronz88 commented 1 year ago

I used 87600h instead. Then I tried using the newly created jwt token, but got:

   ⨯ 401 Unauthorized: NOT_AUTHORIZED: Authentication credentials are missing or invalid. (Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens)

doronz88 commented 1 year ago

IF that also fails then I think Apple doesn't like that other workstation's IP 😬

The second workstation had the same IP

blacktop commented 1 year ago

This results in an error:

   ⨯ invalid argument "10d" for "-l, --lifetime" flag: time: unknown unit "d" in duration "10d"

dang :( I looked at the docs for golang duration syntax and it said it understood days, but looking at the flag library it looks like it only understands h, m, s

blacktop commented 1 year ago

I used 87600h instead. Then I tried using the newly created jwt token, but got:

   ⨯ 401 Unauthorized: NOT_AUTHORIZED: Authentication credentials are missing or invalid. (Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens)

there might be some kind of a limit on the time Apple is enforcing, what about making it a 10h JWT?

blacktop commented 1 year ago

from that link that Apple sent you in the error: Tokens that expire more than 20 minutes into the future

blacktop commented 1 year ago

Reading the Apple docs, they say to use short-term JWTs, which is what I was originally doing, but I think I was making tokens that lasted too long, so now they are a minute.

blacktop commented 1 year ago

https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests/

doronz88 commented 1 year ago

Since I cannot make the JWT token last longer, I still use the "old" method. Then from a specific mac I still get the following error:

   ⨯ 401 Unauthorized: NOT_AUTHORIZED: Authentication credentials are missing or invalid. (Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens)

blacktop commented 1 year ago

Did you start on the machine that doesn't work? How much time passed between trying on different machines?

doronz88 commented 1 year ago

I tried all possible combinations.

Only machine B cannot do anything using the connect API. I did all of it on machine C also and it worked - so it must be some other dependency or something in that area.

Going to Apple's website, on the other hand, works just fine from all machines.

Also, they are all on the same router and going through same IP.

blacktop commented 1 year ago

that is very strange indeed. I'm not sure what else to try. those ipsw appstore commands are just using stdlib HTTP and crypto to talk to a RESTful API, and it is all statically compiled, so the host should make 0 difference. The Apple error coming back is about the auth to the Apple server, so to me that means that the --p8 key is bad on that machine OR the --iss or the --kid is wrong?

doronz88 commented 1 year ago

I even tried to transfer them all as a zip file with a shell script to test, to make sure all the parameters are really okay. I also don't have a clue why there is a difference.

blacktop commented 1 year ago

if you generate a JWT on a machine that works and then use that JWT on the machine that does NOT work, does that work? ipsw appstore token --lifetime 20m and then ipsw profile ls --jwt TOKEN ?

doronz88 commented 1 year ago

if you generate a JWT on a machine that works and then use that JWT on the machine that does NOT work, does that work? ipsw appstore token --lifetime 20m and then ipsw profile ls --jwt TOKEN ?

This works, but since it's only for 20m it's not too viable

blacktop commented 1 year ago

ya the 20mins isn't very usable at all, but it does prove that the token generated on one machine works on another. So the only thing I could imagine is that the JWT lib is the issue? as all other components are stdlib. I have no idea how to test. I know that there are JWT parsers online etc. I'd be curious what differences could be spotted when comparing the tokens generated by both machines. Also are they running the same version of ipsw?