DeviceCheck started rejecting requests with 401 "Unable to verify authorization token" responses

Originator: johnbrayton
Number: rdar://47950254
Date Originated: 2019-02-10
Status: open
Resolved:
Product: DeviceCheck API Server
Product Version:
Classification: Bug
Reproducible: Always
 
Summary:

I have been using the DeviceCheck API to verify that requests to my server are coming from devices running my app. On or about February 7, 2019, my requests to api.devicecheck.apple.com started failing with 401 status codes and the text "Unable to verify authorization token".

I attached a curl command for a request I initially sent on February 10, 2019, at 19:22:47 UTC.

The authorization token was:

[REDACTED]

My JWT library decoded that token as having the following data:

payload: {"iss"=>"[REDACTED]", "iat"=>1549826566}
header: {"alg"=>"ES256", "kid"=>"[REDACTED]"}

My Key ID is "[REDACTED]" and my Team ID is "[REDACTED]".

Am I doing something wrong, or is there a reason that api.devicecheck.apple.com would stop accepting my DeviceCheck API tokens?

Steps to Reproduce:

1. Issue the curl command from the attachment.

Expected Results:

I expected the server to return a 200 response.

Actual Results:

It returned a 401 response with the text "Unable to verify authorization token".

Version/Build:

I don't have a version number for the server, but tokens generated by my code stopped working on or about February 7, 2019.

Configuration:

N/A
