Closed ConfusedVorlon closed 1 year ago
I've seen some other issues complaining about this happening when there is no User-Agent included in the request. Since the Net::HTTP client has a default User-Agent my guess is that some other software in your stack has disabled sending the User-Agent header by Net::HTTP for some reason.
What happens if you manually configure the user-agent in Net::HTTP? If that works, then either set that in your stack or find what is preventing it from using the default value provided by the Net::HTTP library.
thanks for the response.
I'll give that a whirl. Do you know what the User-Agent should be? The apple endpoint docs don't say anything about a user-agent requirement...
Currently, it seems to default to Ruby
and that has been the case for quite some time. See https://github.com/ruby/net-http/blob/master/lib/net/http/generic_request.rb#L48
FWIW, apple doesn't seem require any user-agent when I make the call -- but others have reported that they do, so /shrug
curl -A '' -v --url https://appleid.apple.com/auth/keys
* Trying 17.111.105.242:443...
* Connected to appleid.apple.com (17.111.105.242) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; OU=IdMS Operations; CN=appleid.apple.com
* start date: Jun 9 00:00:00 2020 GMT
* expire date: Jun 9 12:00:00 2021 GMT
* subjectAltName: host "appleid.apple.com" matched cert's "appleid.apple.com"
* issuer: C=US; O=DigiCert, Inc.; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA-3
* SSL certificate verify ok.
> GET /auth/keys HTTP/1.1
> Host: appleid.apple.com
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Server: Apple
< Date: Wed, 03 Mar 2021 20:12:08 GMT
< Content-Type: application/json;charset=ISO-8859-1
< Content-Length: 1439
< Connection: keep-alive
< Cache-Control: no-store
< Pragma: no-cache
< Host: appleid.apple.com
ok - so, I believe I have pinned it down. Apple are being dicks. I set up a quick service to check what ua was actually being sent, and 'Ruby' is the default user agent for Net:HTTP in my setup (no idea why)
curl -A 'Ruby' -v --url https://appleid.apple.com/auth/keys
-> 403
curl -A '' -v --url https://appleid.apple.com/auth/keys
-> 200
In Ruby, Manually setting the user agent to be blank does the job (there may be a better way...)
#this works
uri = URI.parse("https://appleid.apple.com/auth/keys")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Get.new(uri.request_uri)
request['user-agent'] = ""
response = http.request(request)
Must be a regional thing then, cause apple seems fine with a Ruby
user-agent for me. I'm very near Cupertino though so ...
curl -A 'Ruby' -v --url https://appleid.apple.com/auth/keys
* Trying 17.111.105.242:443...
* Connected to appleid.apple.com (17.111.105.242) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; OU=IdMS Operations; CN=appleid.apple.com
* start date: Jun 9 00:00:00 2020 GMT
* expire date: Jun 9 12:00:00 2021 GMT
* subjectAltName: host "appleid.apple.com" matched cert's "appleid.apple.com"
* issuer: C=US; O=DigiCert, Inc.; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA-3
* SSL certificate verify ok.
> GET /auth/keys HTTP/1.1
> Host: appleid.apple.com
> User-Agent: Ruby
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Server: Apple
< Date: Wed, 03 Mar 2021 22:16:09 GMT
< Content-Type: application/json;charset=ISO-8859-1
< Content-Length: 1439
< Connection: keep-alive
< Cache-Control: no-store
< Pragma: no-cache
< Host: appleid.apple.com
that's just bizarre.
It seems like explicit empty user-agent may be the safe option. Would you accept a pull request if I make that change?
strangely - My London and Amsterdam servers are both fine with 'Ruby'. My New York server isn't. All running on Digital Ocean in broadly similar configurations.
From AWS us-east-1 in Virginia is working fine with Ruby
too.
I believe this is not a problem anymore.
in production, fetch_jwks fails with a 403 error
I don't think it is a problem with my server as running simple curl from the server works fine
opening the rails console and using Net:HTTP
any ideas?