DeviceCheck 400 Bad Request; Missing or badly formatted authorization token.

Question

collaatje OP

Created Sep ’17

Replies 6

Boosts 0

Views 4.9k

Participants 5

Hi all,

I've been trying to get this DeviceCheck to work for a while now. But I keep getting this error:

HTTP/1.0 400 Bad Request; Missing or badly formatted authorization token.

I've tried it with NodeJS in the following way:

var jwt = require('jsonwebtoken');
var cert = fs.readFileSync('AuthKey_###.p8');
var jwToken = jwt.sign({}, cert, { algorithm: 'ES256', keyid: "#p8KeyID#", issuer: "#teamID#"});

And in PHP:

use Zenstruck\JWT\Token;
use Zenstruck\JWT\Signer\OpenSSL\ECDSA\ES256;
use \Ramsey\Uuid\Uuid;


function generateJWT($teamId, $keyId, $privateKeyFilePath) {
    $payload = [
        "iss" => $teamId,
        "iat" => time()
    ];


    $header = [
        "kid" => $keyId
    ];


    $token = new Token($payload, $header);
    return (string)$token->sign(new ES256(), $privateKeyFilePath);
}

Neither of those two scripts work. Both are getting the previously mentioned error. I am adding the "Authorization: Bearer " header with the JWT appended. So it's definitely there.

Have the DeviceCheck services not been working for a while now? Or am I generating the JWT in a wrong way?

Thanks in advance,

Tim

Boost

Answer 1

collaatje OP

Sep ’17

The error for the NodeJS script is now:

Unable to verify authorization token

Not sure if that's a different error to "Missing or badly formatted authorization token."

0

Answer 2

mndgs OP

Sep ’17

It does work, just keep in mind that the token from the device is valid only for 1 minute,

Also - for some reason header field for jwt is case sensitive so make sure it is capitalized like in the samples (it took me some time to find it as push notifications worked with the some old code but devicecheck did not):

"Authorization: Bearer $jwt"

1

Answer 3

collaatje OP

Sep ’17

Thanks for the reply!

I'm definitely within the 1 minute range. The token is being sent to my local server from the device and then straight up to the Apple APIs, so that shouldn't be the problem. I have the headers correctly capitalized as you mentioned.

I've tried a few libraries to generate the JWT, but no luck. Even tried an old push notifications script like you, but no luck. Would you mind sharing what way you're generating your JWT?

Cheers,

Tim

0

Answer 4

collaatje OP

Sep ’17

Accepted Answer

So the way I was getting the p8 key was wrong. Such a silly mistake...

Instead of (correct):

var cert = fs.readFileSync('AuthKey_###.p8').toString();

I had (incorrect):

var cert = fs.readFileSync('AuthKey_###.p8');

I found the solution to my problem in the answer to this question:

https://forums.developer.apple.com/message/233682#233682

0

Answer 5

gc. OP

Oct ’17

The error "Missing or badly formatted authorization token" can also mean that the app requesting a DeviceCheck device token doesn't have an explicit App ID defined in your developer account.

--gc

0

Answer 6

jmf OP

Jan ’18

?Re: 'The error "Missing or badly formatted authorization token" can also mean that the app requesting a DeviceCheck device token doesn't have an explicit App ID defined in your developer account.'

For my project, the profiles and entitlements that I've always used to publish apps use an application identifier like this: xxxx.com.companyname.subdomain.*

Is this likely to cause an issue resulting in "Missing or badly formatted authorization token"

0