nhosoya / omniauth-apple

OmniAuth strategy for Sign In with Apple
MIT License

set blank useragent when fetching keys #71

Closed ConfusedVorlon closed 1 year ago

ConfusedVorlon commented 3 years ago

As discussed in issue #70, fetching keys from a New York Digital Ocean droplet fails with 403 if the user agent is 'Ruby'. @btalbot mentioned that he has seen reports like this elsewhere.

A blank user agent seems to be OK everywhere.

ConfusedVorlon commented 3 years ago

The failure seems to be unrelated to my change (the test fails if I revert to the previous version).

btalbot commented 3 years ago

These other reports claim the issue occurs when the user-agent is "not set" but that may actually mean simply left at the default of Ruby as the reports are unclear on that.

https://github.com/nhosoya/omniauth-apple/pull/47 https://github.com/nhosoya/omniauth-apple/pull/59

Either way, the culprit seems to be local as one of those reports is also from a Digital Ocean user. I doubt that setting it to an empty string is the correct fix and it's not clear to me what the proper value would be.

ConfusedVorlon commented 3 years ago

What do you suggest?

I have a repeatable case where 'Ruby' causes problems (still the same 403 tonight). As you point out, 'Ruby' is what you get by default.

All the cases you or I have tested are fine with an empty string. The other issues you point to were actually failing with 'Ruby', so I'm not the first to hit this.

So, we know that 'Ruby' definitely fails sometimes, and have no reported cases of an explicit blank failing. Apple's docs don't say anything about an expected user agent: https://developer.apple.com/documentation/sign_in_with_apple/fetch_apple_s_public_key_for_verifying_token_signature

Alternatively, how about an option to configure the user agent so that people can at least change it when they hit the 'Ruby' problem...

Thoughts?

btalbot commented 3 years ago

I'm not the project owner or even a committer and can just make a PR like anyone else. That said, my choice of change would be to make the JWKS fetch use the same HTTP client used by the other components which make HTTP requests: Faraday. The OAuth2 library underlying omniauth-apple uses Faraday, so I would change the JWKS fetch to use Faraday as well.

Something like Faraday.get(url).body is the bare minimum but needs some error handling, of course. Since the Faraday library also allows a global user agent to be specified, that also makes it tunable if needed.

[edit] Note that whatever is currently blocking Ruby for some users might later start blocking anything else (like Faraday) so this is only a band-aid.
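A hypothetical Ruby helper, added here as an example and not code from omniauth-apple or from either commenter, showing the configurable user agent discussed above together with the error handling a JWKS fetch needs. It uses only Net::HTTP from the standard library rather than Faraday so it runs without extra gems; APPLE_JWKS_URI, JwksFetchError, SAMPLE_JWKS and the function names are assumptions.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Hypothetical helper (not omniauth-apple's code): fetch Apple's JWKS with a
# configurable User-Agent so Net::HTTP's default ("Ruby") can be overridden.
APPLE_JWKS_URI = URI('https://appleid.apple.com/auth/keys')
class JwksFetchError < StandardError; end

# user_agent: nil keeps Net::HTTP's default ("Ruby"), "" sends an explicitly
# blank header, any other string is sent as given.
def build_jwks_request(uri = APPLE_JWKS_URI, user_agent: nil)
  headers = { 'Accept' => 'application/json' }
  headers['User-Agent'] = user_agent unless user_agent.nil?
  Net::HTTP::Get.new(uri, headers)
end

# Validate a JWKS body: a JSON object whose "keys" array holds RSA keys with
# the fields needed to verify an id_token signature (kty, kid, n, e).
def parse_jwks(body)
  doc = JSON.parse(body)
  keys = doc.is_a?(Hash) ? doc['keys'] : nil
  raise JwksFetchError, 'JWKS has no "keys" array' unless keys.is_a?(Array) && !keys.empty?
  keys.each do |key|
    raise JwksFetchError, 'JWKS entry is not an object' unless key.is_a?(Hash)
    %w[kty kid n e].each do |field|
      next if key[field].is_a?(String) && !key[field].empty?
      raise JwksFetchError, "key #{key['kid'].inspect} is missing #{field}"
    end
  end
  keys
rescue JSON::ParserError => e
  raise JwksFetchError, "JWKS body is not JSON: #{e.message}"
end

# Perform the fetch with timeouts; any non-200 (e.g. the 403 from the thread)
# becomes a JwksFetchError that names the User-Agent that was actually sent.
def fetch_jwks(uri = APPLE_JWKS_URI, user_agent: nil)
  req = build_jwks_request(uri, user_agent: user_agent)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = uri.scheme == 'https'
  http.open_timeout = http.read_timeout = 5
  res = http.request(req)
  unless res.is_a?(Net::HTTPOK)
    raise JwksFetchError, "HTTP #{res.code} fetching JWKS (User-Agent: #{req['User-Agent'].inspect})"
  end
  parse_jwks(res.body)
end

# Constructed sample body for offline use; the values are not a real Apple key.
SAMPLE_JWKS = '{"keys":[{"kty":"RSA","kid":"constructed-kid","use":"sig","alg":"RS256","n":"AQAB","e":"AQAB"}]}'
```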

nov commented 1 year ago

I believe this is not a problem anymore.