Before, I always had to give push notification certificates (p12 files) to the server developer, so he could send push notifications to my applications.
But as far as I understand, it's now possible to do without these certificates, according to https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/APNsProviderAPI.html#//apple_ref/doc/uid/TP40008194-CH101-SW1
According to Apple:
A provider authentication token is a JSON object that you construct, whose header must include:
The encryption algorithm (alg) you use to encrypt the token
A 10-character key identifier (kid) key, obtained from your developer account
The claims payload of the token must include:
The issuer (iss) registered claim key, whose value is your 10-character Team ID, obtained from your developer account
The issued at (iat) registered claim key, whose value indicates the time at which the token was generated, in terms of the number of seconds since Epoch, in UTC
The question is: where do I get these kid, iss and iat values from in the developer account?
Actually, I've watched the WWDC video https://www.youtube.com/watch?v=IDBCTvHrix8; it explained almost everything.
1) For kid you need to go to https://developer.apple.com -> Certificates, Identifiers & Profiles -> APNs Auth Key -> press the + button -> choose Apple Push Notification Authentication Key (Sandbox & Production) (it was added not so long ago). After you create it, you will see the Key ID in this item (a new item will appear in the APNs Auth Key menu). This is your kid value.
2) iss is your Team ID. To get it, go to Certificates, Identifiers & Profiles -> Identifiers -> App IDs -> press any of your App IDs (if you don't have any, you need to create one for your application) -> you will see the details, including Prefix: 8jkjlj2k. This is your Team ID, and it will be the same for all your apps in your developer account.
3) iat: As far as I understand, it's the time when the server developer generated the token on his side, so you don't need to provide this value to the server developer.
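The following is an added Go example, not code from the question, the WWDC video or Apple, showing where those three values end up: kid in the JWT header, iss and iat in the claims, and the whole thing signed with the .p8 key using ES256. It generates a throwaway P-256 key in the same PEM layout as a downloaded .p8 file; the Key ID ABC123DEFG and Team ID TEAM123456 are made-up placeholders in Apple's 10-character shape.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ProviderToken carries the two account values from the answer above (placeholder IDs in main).
type ProviderToken struct {
	KeyID  string // kid: shown on the APNs Auth Key item after you create the key
	TeamID string // iss: your Team ID (the "Prefix" shown on an App ID)
}

// LoadP8 parses the contents of a downloaded .p8 file (a PKCS#8 PEM block) and insists on P-256.
func LoadP8(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("expected a PKCS#8 PRIVATE KEY PEM block")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok || ec.Curve != elliptic.P256() {
		return nil, errors.New("APNs provider tokens must be signed with a P-256 key (ES256)")
	}
	return ec, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign builds header {alg, kid} and claims {iss, iat}, then signs them with ES256.
// iat is whatever time the minting side passes in, which is why the server developer sets it.
func (p ProviderToken) Sign(key *ecdsa.PrivateKey, issuedAt time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": p.KeyID})
	claims, _ := json.Marshal(map[string]interface{}{"iss": p.TeamID, "iat": issuedAt.Unix()})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS wants fixed-width r||s (2 x 32 bytes), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verify checks a token with the public half of the key (what Apple kept) and returns its claims.
func Verify(token string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated parts")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature is not a 64-byte r||s value")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

// NewTestP8 makes a throwaway P-256 key in the PEM layout of a downloaded .p8 (constructed; errors ignored).
func NewTestP8() ([]byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	p8, _ := NewTestP8()
	key, err := LoadP8(p8)
	if err != nil {
		panic(err)
	}
	jwt, _ := ProviderToken{KeyID: "ABC123DEFG", TeamID: "TEAM123456"}.Sign(key, time.Now()) // placeholder IDs
	fmt.Println(Verify(jwt, &key.PublicKey))
}
```

Verify is included so that a wrong kid/iss or a token signed with the wrong .p8 shows up as a local signature failure rather than as a rejected APNs request.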
I had a lot of trouble getting through this because much of the information out there was out of date. I figured I'd post my own Q and A.
1) Login to developer.apple.com with your membership ID and go to Certificates, Identifiers and Profiles
2) Go to the keys section
3) Click add, give the key a memorable name and enable APNs
4) Pay attention to the Key ID (note it)
5) Download the .p8 file that gets created, open it in TextEdit (or some editor) and copy the key that's inside. Mine had -----BeginRequest ----EndRequest... I just ignored that and copied the key itself.
6) You will also need your app ID. It usually looks like com.company.ProductName.
7) You will also need your team id. You can get this from your Membership Details Page (go back to main account page and choose Membership, then look for TeamID)
8) Finally, go to Azure Notification Hubs and configure APNs.
9) Enter the key id that you noted from the key you generated
10) Enter the app id in App Name field (I know this seems weird but trust me). Example com.Company.Product
11) Enter the team id in the App Id field. (Yes, this is a little strange)
12) Finally, take the token you copied from the contents of the .p8 file and paste it in the Token field.
13) Select whether it's Sandbox (debug) or Production and you are all set.
If it works without error you are ready to go. If you get an error you probably didn't enter the information correctly for one of the steps. Pay close attention to App Name and App Id because they are misleading. Follow the above instructions closely.
The OP has already figured it out, but in case someone's wondering in the future, there's an official blog post about it: Token-based (HTTP/2) Authentication for APNS with screenshots and property name mapping.
In my Apple developer account I have created a key for use with APNs across all my apps. On creation it allows me to download it once I have finished. After that the 'download' button is greyed-out and I can't download it again. Presumably this is by design.
Can anyone tell me why it doesn't allow a second download like you can for the certificates/profiles?
You can't re-download the iOS Push Notification Auth Key. Apple retains only the public key; the private key is what you retain and protect.
See documentation section Provider-to-APNs Connection Trust.
Token-based provider connection trust: A provider using the HTTP/2-based API can use JSON web tokens (JWT) to provide validation credentials for connection with APNs. In this scheme, you provision a public key to be retained by Apple, and a private key which you retain and protect.
You can see a warning too when you create an Auth Key:
Download and Back Up: After downloading your key, it cannot be re-downloaded as the server copy is removed. If you are not prepared to download your key at this time, click Done and download it at a later time. Be sure to save a backup of your key in a secure place.
I just created a new key on developer.apple.com and haven't downloaded it yet, but I'm still unable to download it (the download link is disabled).
Any idea how to get the p8 cert from developers.apple.com?
I am reading the documentation for both push using TLS certificates and push using authentication tokens
But besides explaining how to configure each, the articles don't really explain the differences or pros/cons of both approaches. Can somebody explain them to me?
Token-based authentication is newer and essentially simplifies APNS authentication.
It is based on a public and private key pair that you can generate on your Apple developer account.
Here are the main reasons why it is simpler:
The same key can be used for development and production apps, whereas different certificates are needed when using certificate-based authentication.
The same key is used for all your apps referenced in your Apple developer account. Certificate-based authentication needs one certificate per app.
The key does not expire. Certificates do expire and need to be renewed every year or so.
A good source of intel is the 2016 WWDC video regarding APNS:
https://developer.apple.com/videos/play/wwdc2016/724/
For 2020, you can only realistically use the "token" method. The older approach is legacy and they will probably axe it.
Your private key will look like this:
let keystring = `-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49Aas8d76as8das687asd687asd68as8brwUIWA46qcXis
zCu6dbd4s8d7b5s86gf98ugtr28re7089a7d6tbvpiiui524kyfpq9861eFJP7we
eE7rX4182609457ohgyj3lhgp98wfb698bfg69287f2k4htgwpo876grwo7XDklz
9fdg689d
-----END PRIVATE KEY-----`
Your key ID will look like this:
let keyId = "CTU7XXBPRH"
and your Apple team id is your usual Apple team id, which looks like "YWD3UUTEWD".
Nowadays - thank goodness - it is relatively easy to get the private key and key id from inside your company's account on the Apple developer website.
If you want to test sending a push from an ordinary Node server on AWS, I strongly recommend this outstanding new npm package, APNS2: https://www.npmjs.com/package/apns2
let bn = new BasicNotification(deviceToken, 'Hello')
It's about that easy to send pushes.
Tips:
Don't forget the damned "development/sandbox" pushes only work ON AN IPHONE TETHERED TO YOUR MAC/XCODE!
development/sandbox pushes - only for an iPhone tethered to your Mac with a build running from Xcode
production pushes - they do work completely fine with TestFlight builds.
Additionally: don't forget that the so-called development/sandbox pushes are often flaky. Often they don't arrive for hours, they don't arrive at all, or they simply don't work in many regions.
Don't forget that it is TOTALLY OK to use the "production" ones, simply, with a TestFlight app.
So
Make a build
Push it to your TestFlight account. Wait a few minutes as usual until the build comes through,
Install it from TestFlight to your phone
You will now get all the pushes - instantly!
Whereas if you
Make a build
Just build/run to your tethered iPhone
You do NOT get any pushes.
It's true that you can get the so-called "development" pushes, but they are often very flaky.
(To be clear, when using APNS2, if you do want to try "development" pushes, to order "development" pushes, simply use the extra line of code explained at the bottom here https://www.npmjs.com/package/apns2 )
In 2021, Apple's Setting Up a Remote Notification Server states:
Both techniques have advantages and disadvantages, so decide which technique is best for your company.
Both Fattie and Ika have said that TLS/certificate-based authentication is inferior. The project UI in Firebase also uses language which doesn't explain much, IMHO:
Configuration with auth keys is recommended as they are the more current method for sending notifications to iOS
Benefits of Certificate Authentication
Limited-access certificates. Each certificate is tied to one application in your developer account and environment (development/production). This avoids putting all your eggs in one basket: if your token auth key is compromised, a threat actor can push notifications to all your applications.
Simpler Provider application logic. The provider (service which interacts with APNs) (either your own server or a service you use) can just use the TLS certificate, and authenticate, without needing to create JWTs, add headers to the request or find the correct App ID to use.
Benefits of Token Authentication
Simpler setup process, because you only have to download a .p12 and use it in your application: go into developer.apple.com and create a Push Notification Key. However, your application has to renew these tokens every hour. Creating a .p12 for TLS authentication is a little bit more involved.
Does not expire, so you can set it and forget it. Whereas TLS certificates expire in 1 year by default.
The question boils down to security vs. convenience.
Convenience (use token auth): It's convenient to create a key and forget (token auth), and you might use Firebase (or another service) to actually renew the tokens every hour, so you don't have much work to do.
Security (use TLS auth): Do you really want to share the same key between all your applications? What if you want to limit the scope of a Push Notification Service Provider (e.g. Firebase, Ably, Pusher), but don't trust giving them access to all your applications. In reality, you might just have 1 application, so it does not matter.
Does this kind of security even matter, or is it just more convenient to use token auth? I would say in most cases, go with token auth.
I am trying to integrate Apple Pay with Braintree. I have followed the instructions below to enable Apple Pay in Braintree. In the first step, if you click on Certificate Signing Request, it downloads a braintree_app_pay.certSigningRequest file which is used in the Apple membership.
When I choose to create a Payment Processing Certificate, I get the following error.
Complementing what #zepp said, you need to specify it when creating the CSR, and you can do that by following the process below:
Go to Keychain Access
Click on Certificate Assistance
Click on Request Certificate from Certificate Authority (click for image)
Enter all information and click on the "Let me specify key pair information" checkbox, then click on Continue.
Select Key Size to be 256 and Algorithm to be ECC (click for image).
Then click on continue.
Full disclosure: I work at Braintree. If you have any further questions, feel free to contact our Support team.
Make sure you're selecting the Apple Pay Certificate option under Production (even if this is for a Sandbox; see the Braintree Apple Pay configuration docs for details) when choosing the type of certificate to add in the Apple Developer portal. Apple Pay CSRs should be generated with ECC, not RSA.
Here's what the CSR prompt screen should look like. Although you'll be uploading the CSR obtained from Braintree instead of generating one, note Apple's specifications for the key:
Please follow the steps below [if you use Apple Pay with Stripe or any other payment gateway]:
Double-click on the CSR (downloaded from Stripe); it will open Certificate Assistant.
Click on Continue.
Select 'Request a certificate from an existing CA', and Continue.
In the Certificate Information screen, enter User Email Address and Common Name, leave CA Email Address empty, select 'Saved to disk' and check 'Let me specify key pair information' [select your specific location and save].
In the Key Pair Information screen, select the 'ECC' algorithm, select Key Size: 256 bits and continue.
Now use this CSR in your payment processing certificate.
This issue is not specific to Apple Pay or Braintree - I ran into the same issue when trying to create a CSR for getting a Safari certificate from Apple.
What's important to know is that you need to select the iCloud keychain before using the Request Certificate from Certificate Authority command. If you don't, another keychain may be active, causing wrong keys to be used.
From the Apple Developer Forum:
Within the Keychain Access drop-down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Select "Let me specify key pair information".
Click Continue within Keychain Access and select the file location.
Set the Key Pair Information to the following:
Algorithm: ECC
Key Size: 256 bits
Click Continue within Keychain Access to complete the CSR generating process.
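The answers above all come down to one property of the CSR: the key pair must be ECC with a 256-bit key. As an added check (example code written for this page, not Braintree's, Stripe's or Apple's tooling), the following Go program builds a CSR with the same Common Name and e-mail fields Keychain Access asks for, then inspects a CSR and says whether it meets that requirement, naming an RSA key or a different curve as the reason when it does not. The key sizes, names and e-mail address in it are made up.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// CheckApplePayCSR reports whether a CSR carries the key pair the Keychain Access
// steps above ask for: ECC with a 256-bit key (the P-256 curve). RSA keys and
// other curves are rejected with an error naming what was found instead.
func CheckApplePayCSR(csrPEM []byte) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("not a CERTIFICATE REQUEST PEM block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	// A CSR is self-signed with the requested key; a bad signature means a damaged file.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() {
			return fmt.Errorf("ECC key uses %s, but a 256-bit key is required", pub.Curve.Params().Name)
		}
		return nil
	case *rsa.PublicKey:
		return fmt.Errorf("key is RSA %d-bit; ECC 256 is required", pub.N.BitLen())
	default:
		return errors.New("unsupported public key type in CSR")
	}
}

// NewCSR builds a PEM CSR for key with the Common Name and e-mail the steps ask for.
// Constructed here so the check can be exercised offline; the names are made up.
func NewCSR(key crypto.Signer, commonName, email string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: commonName},
		EmailAddresses: []string{email}, // Go places the address in the SAN extension
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// NewECCCSR generates an ECC key of 256 or 384 bits and wraps it in a CSR.
func NewECCCSR(bits int) ([]byte, error) {
	curve := elliptic.P256()
	if bits == 384 {
		curve = elliptic.P384()
	}
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	return NewCSR(key, "Example Dev Key", "dev@example.com")
}

// NewRSACSR generates an RSA 2048 CSR so the rejection path can be seen.
func NewRSACSR() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return NewCSR(key, "Example Dev Key", "dev@example.com")
}

func main() {
	gens := map[string]func() ([]byte, error){
		"ECC 256":  func() ([]byte, error) { return NewECCCSR(256) },
		"ECC 384":  func() ([]byte, error) { return NewECCCSR(384) },
		"RSA 2048": NewRSACSR,
	}
	for name, gen := range gens {
		csr, err := gen()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s -> %v\n", name, CheckApplePayCSR(csr)) // <nil> means the CSR passes
	}
}
```

Running CheckApplePayCSR over a .certSigningRequest file before uploading it tells you which of the two requirements (ECC, 256 bits) the file breaks, instead of the generic error the portal shows.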
I don't get it, because the Braintree website says "You must use the CSR we provide. Do not create a CSR file yourself."
And with this CSR file, it always fails on Apple's upload page.
Edit:
I finally uploaded successfully by following the steps of #anjali-jariwala's answer.
Just in the last step, I chose RSA & 2048, as the alert required.
For me, I accidentally chose Yes when asked "Will payments associated with this Merchant ID be processed exclusively in China?"
Choosing No solved the issue for me.
I had the same error. The mistake on my part was choosing the wrong type of certificate while creating it in the Apple developer portal. I used 'Apple Pay Merchant Identity Certificate', but I needed to use 'Apple Pay Payment Processing Certificate', which solved the issue.
I've successfully set up my hub to use an SSL certificate per app, but I'd really like to move to the token-based APNs Auth Key approach. I configured my hub with, I believe, all the right information from the p8 file. For Key ID, I put in the 10-character value from when the key was generated. For App ID, I put in my Team ID. For Token, I put in the private key value from the p8 file.
Has anyone had any success with this? Here's what happens when I attempt to send a test message:
When set to sandbox and I do a test send to my device, I get a failed outcome of "The Push Notification System rejected the request because of an invalid credential".
When set to production and I do a test send to my device, I get a failed outcome of "The Token obtained from the Token Provider is invalid".
For production, I think that is because I'm sending to a local app build outside of TestFlight/app store, so it is expecting the "development" or sandbox aps-environment.
Not sure what other troubleshooting I can do.
TIA,
I figured out what was happening for me.
The App Name field in the Azure Portal is critical to how the message gets delivered. Even though an APNs Auth Key can be used across multiple apps, the notification still must set the topic for that particular app. It seems like Azure Notification Hubs takes the App Name field and puts it into the apns-topic. Once I had that set to my app identifier, it worked as expected.
Also, as an FYI, here is the link to the official documentation:
https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-http2-token-authentification
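To show what a provider such as a Notification Hub does with the token once it has it, here is an added Go example, not Azure's, Apple's or any answer's code. It assumes the hourly token renewal mentioned earlier in the thread and the App Name to apns-topic mapping described in the answer above; the 50-minute cache age, the bundle IDs, the apns-push-type header and the bearer-token stand-in are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenMinter returns a freshly signed provider JWT for the given issue time.
// The ES256 signing itself is injected so this block stands on its own.
type TokenMinter func(issuedAt time.Time) (string, error)

// Provider reuses one provider token across every app's notifications and mints a
// new one only once the cached token is older than maxAge. The thread says the token
// has to be renewed every hour, so callers pick a maxAge below that (assumption: 50 min).
type Provider struct {
	mint     TokenMinter
	maxAge   time.Duration
	mu       sync.Mutex
	token    string
	issuedAt time.Time
}

func NewProvider(mint TokenMinter, maxAge time.Duration) *Provider {
	return &Provider{mint: mint, maxAge: maxAge}
}

// Token returns the cached token, refreshing it when it has aged past maxAge.
func (p *Provider) Token(now time.Time) (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.token == "" || now.Sub(p.issuedAt) >= p.maxAge {
		tok, err := p.mint(now)
		if err != nil {
			return "", err
		}
		p.token, p.issuedAt = tok, now
	}
	return p.token, nil
}

// Headers builds the HTTP/2 headers for one push. The key is shared across apps, but
// apns-topic must name the bundle ID of the app being pushed to; that is the value the
// answer above found Azure takes from its "App Name" field.
func (p *Provider) Headers(bundleID string, now time.Time) (map[string]string, error) {
	if bundleID == "" {
		return nil, errors.New("apns-topic is required: set it to the app's bundle ID")
	}
	tok, err := p.Token(now)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"authorization":  "bearer " + tok,
		"apns-topic":     bundleID,
		"apns-push-type": "alert", // standard APNs header; not discussed in the thread
	}, nil
}

// Host picks the APNs endpoint for the build you are pushing to: sandbox for a build
// run from Xcode, production for TestFlight/App Store builds.
func Host(sandbox bool) string {
	if sandbox {
		return "api.sandbox.push.apple.com"
	}
	return "api.push.apple.com"
}

func main() {
	n := 0
	p := NewProvider(func(at time.Time) (string, error) {
		n++
		return fmt.Sprintf("example-token-%d", n), nil // stand-in for a real signed JWT
	}, 50*time.Minute)
	start := time.Now()
	for _, step := range []time.Duration{0, 30 * time.Minute, 55 * time.Minute} {
		h, _ := p.Headers("com.example.app", start.Add(step)) // constructed bundle ID
		fmt.Printf("+%v https://%s %s topic=%s\n", step, Host(false), h["authorization"], h["apns-topic"])
	}
}
```

The third request in main gets a new token because the cached one is past 50 minutes, while the apns-topic changes per app on every request; the "invalid credential" and "token invalid" outcomes in the question are what you see when either the token or the topic does not line up with the app and environment being pushed to.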