iOS sending push with APNs Auth Key: suddenly "403 Forbidden: {"reason":"InvalidProviderToken"}"

9

39

I'm sending my push notifications with an APNs Auth Key ("never expires") which worked well until suddenly I get

403 Forbidden: {"reason":"InvalidProviderToken"}

as a response when sending push notifications. What could be the reason for this when it worked once and suddenly it doesn't without having an expiration date? In the meantime it worked again for some pushes, but now I get the error again... Did anyone else experience this?

EDIT

Not sure but it seems as if this only happens on the Ubuntu server, not on my local (OS X) machine...

Insistence answered 2/3, 2017 at 7:39 Comment(4)
So you are able to currently send some notifications, and only occasionally you get this 403? - Dickdicken
Hey, did you find out why? I cannot find the reason why I get the same error, 403 InvalidProviderToken; all my params seem correct and my JWT seems legit. - Aloke
It's okay, I've created a new APNS auth token from the developer console and it seems to work properly now. - Aloke
Maybe their clusters take some time to propagate invalidation changes? Or fail before all the changes are propagated? Might explain the on again, off again thing. Or the clocks might be off on some servers? - Mansard
9

We have exactly the same problem when sending pushes to different team IDs using the same connection. The steps to reproduce are:

  • Open a connection to APNS and use the same connection to:
  • Send a token-based push to topic com.companyA.xxx of team ID 1234: APNS accepts and delivers the push successfully.
  • Send a token-based push to topic io.companyB.xxx of team ID 5678: APNS responds HTTP 400 BadRequest: "The device token does not match the specified topic".
  • Send again a token-based push to topic io.companyB.xxx of team ID 5678: APNS responds HTTP 403 Forbidden: "The provider token is not valid or the token signature could not be verified".

After this it becomes impossible to send any push and the connection has to be closed and reopened.

The workaround we ended up doing is to open one connection per team id. The APNS documentation does not mention anything like that so I do consider this as a bug and I opened a bug report.

Logue answered 18/8, 2017 at 9:37 Comment(2)
Very interesting! Thanks for reporting this @Jan! - Obliteration
As a follow-up, I did end up contacting Apple and they confirmed that a connection must not be used for different team IDs. - Logue
8

I've seen this in a couple of circumstances:

  1. Resubmitting expired provider tokens seems to get the token blacklisted and results in subsequent InvalidProviderToken rejections rather than ExpiredProviderToken rejections. Check your logs for token expiry messages. Check your system clock to make sure that you're not generating tokens with skewed timestamps.

  2. Submitting to invalid topics will invalidate all provider tokens on the connection (even previously valid ones). Only submit to topics that the key is bound to and only use one key per connection.

Nedranedrah answered 15/5, 2017 at 23:33 Comment(0)
2

For me, there was an issue with bad configuration. I was using the wrong Team ID. Please make sure that all configuration is correct before you look into any other solutions.

Swordsman answered 1/4, 2019 at 6:2 Comment(1)
Had exactly this issue. Providing the wrong Team ID will also result in 403 InvalidProviderToken responses. The Team ID used to be displayed in the Developer portal in the App ID Prefix field, but it seems to have changed. Make sure to use the Team ID that is displayed in the upper right corner of the Developer portal, next to your team name. - Mouthy
1

The server does respond with an InvalidToken and/or an ExpiredToken error. Your authentication token shouldn't contain any '=', '+' or '-'. Double check that your token doesn't contain any of those. Also, the signature (3rd part of the token) should be Base64URL encoded, so without the previously mentioned characters.

Compressive answered 18/5, 2017 at 19:40 Comment(0)
1

For me the server time was invalid; fixing the server time solved the issue.

Plebeian answered 29/5, 2018 at 6:28 Comment(1)
The same with an empty time; my iat parameter appeared to be an empty string. - Topless
1

I asked Apple to change my account from a personal account, to a business account. My push notification certificate still said everything was fine, but the notifications weren't working, and I was getting the response Invalid Token. Once I revoked the certificate and issued a new one (in apple connect), everything worked fine.

I wasted so much time trying to figure out why the push notifications weren't working. Hopefully this will save someone else some time!

Vascular answered 29/3, 2022 at 15:13 Comment(0)
0

I had been using the Name of the key instead of the Key ID. Verifying on https://developer.apple.com/account/resources/authkeys/review/ showed the correct value.

Assimilate answered 19/6, 2019 at 8:53 Comment(0)
0

My case was with the JSON pretty-print format. Unlike MusicKit, which can accept a JWT in pretty-printed format, APNs only accepts the raw format.

In detail, my message was:

{
  "alg": "ES256",
  "kid": "SOMEKEYID"
}
{
  "iss": "SOMETEAM",
  "iat": 1581110460
}

I verified the resulting JWT via jwt.io; however, APNs keeps telling me InvalidProviderToken. I have tried everything above. No use.

Finally I changed the message to:

{"alg":"ES256","kid":"SOMEKEYID"}
{"iss":"SOMETEAM","iat":1581128155}

Then it passed with no error.

Turns out APNs does not accept the JSON pretty-print format!

Blackstone answered 8/2, 2020 at 2:30 Comment(1)
Can you share, AMGuru, the header pairs of your request (hiding private info, obviously)? Because I tried to remove spaces but the "InvalidProviderToken" error persists. - Claudication
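The encoding rules that Compressive, Plebeian and Blackstone's answers above describe (unpadded Base64URL segments, compact JSON, a real integer iat, sane clock), as an added example that is not code from the original thread. It builds the header and payload segments an ES256 signature has to cover and checks an existing token for each of those reported causes of a 403; the Team ID and Key ID are constructed placeholders, and the signing step itself is left out (the signature is just treated as a third segment).

```python
import base64
import json

# Constructed placeholder identifiers, not real Apple values.
TEAM_ID = "ABCDE12345"   # the 10-character Team ID, not the App ID prefix
KEY_ID = "KEY1234567"    # the Key ID shown in the portal, not the key's display name

def b64url(data: bytes) -> str:
    """Unpadded Base64URL, as JWT requires: never contains '=', '+' or '/'."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def compact_json(obj: dict) -> bytes:
    # separators=(",", ":") drops the whitespace that pretty-printing inserts.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def encode_segments(header: dict, payload: dict) -> str:
    # Header and payload segments, i.e. the bytes an ES256 signature must cover.
    return b64url(compact_json(header)) + "." + b64url(compact_json(payload))

def _decode(seg: str) -> bytes:
    # Re-add the padding that b64url stripped before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def diagnose_provider_token(token: str, now: int) -> list:
    """List the token problems this thread reports as causes of a 403 response."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token must have exactly three dot-separated segments"]
    for name, seg in zip(("header", "payload", "signature"), parts):
        if any(c in seg for c in "=+/"):
            problems.append(f"{name} segment is not unpadded Base64URL")
    raw = [_decode(p) for p in parts[:2]]
    header, payload = json.loads(raw[0]), json.loads(raw[1])
    for name, blob, obj in (("header", raw[0], header), ("payload", raw[1], payload)):
        if blob != compact_json(obj):
            problems.append(f"{name} is pretty-printed JSON, not the compact form")
    if header.get("alg") != "ES256":
        problems.append("alg must be ES256")
    for field, obj in (("kid", header), ("iss", payload)):
        if not obj.get(field):
            problems.append(f"{field} is missing or empty")
    iat = payload.get("iat")
    if not isinstance(iat, int) or isinstance(iat, bool):
        problems.append("iat must be an integer timestamp, not empty or a string")
    elif iat > now + 60:
        problems.append("iat is in the future: check the server clock")
    elif now - iat > 3600:
        problems.append("token is older than one hour and must be regenerated")
    return problems
```

The one-hour limit is Apple's documented lifetime for a provider token; running the diagnosis on the exact token bytes your server sent (not the pretty output of jwt.io) is what distinguishes an encoding problem from a wrong Team ID or Key ID.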
-1

Apple's APN documentation says:

APNs supports only provider authentication tokens that are signed with the ES256 algorithm. Unsecured JWTs [JSON Web Tokens], or JWTs signed with other algorithms, are rejected, and your provider server receives the InvalidProviderToken (403) response.

So, it appears that the problem is not with your auth key; it's actually an issue with the web token that was generated from your key.

Lumbricoid answered 9/3, 2017 at 22:18 Comment(0)