Token Authentication with JSON Web Tokens (JWT)

[nathany]

What's New in the Apple Push Notification Service
https://developer.apple.com/videos/play/wwdc2016/724/

Starting with a review of the HTTP/2 based provider API, you will learn about an important new feature: Token Based Authentication. Learn to connect to APNs using authentication tokens for sending pushes via the HTTP/2 API, relieving you of the overhead associated with maintaining valid certificates.

TODO:

• Refresh my knowledge of JWT
• Write example that uses a Go JWT library
• Get a signing Key from Apple to test this out
• Review the APIs and dependencies
• Documentation of Certificate and Token authentication options

[nathany]

There are several JWT libraries for Go: https://godoc.org/?q=jwt

@groob suggests https://github.com/dgrijalva/jwt-go

Header:
alg (algorithm) ES256
kid (key identifier used to sign the token)

Claims:
iss (developer key ID)
iat (seconds since epoch)

authorization = bearer thetoken

status 403 reason:
InvalidProviderToken
ExpiredProviderToken (within the last hour, reuse token as long as valid)

APNS will continue to support certificate authentication.

[nathany]

The API needs to support both certificate and token based authentication.

It won't be necessary to load a certificate or configure the HTTP/2 client with Go 1.6.1 or better, instead just create a service:

service := push.NewService(http.DefaultClient, host)

Q: should it be necessary to import http just to specify http.DefaultClient or should nil do the same thing? (then either would work)

Perhaps authorization/bearer is just another push.Header with some other functions or instructions to help build it (depending on whether Buford does the JWT part or not). Also, there are more error reasons to add.

I kind've like the idea of letting the user do the JWT stuff themselves, or at least independent of the push package. Then just provide an example of using it.

It may make sense to move NewClient out of the push package as it is the only thing that requires the x/net/http2 dependency. Possibly into the certificate package?

[nathany]

https://jwt.io/ does some validations against various (Go) libraries.

[nathany]

This could remove the dependency on x/net/http2 which would mean NewClient could remain in the push package for users still using client certificates from Apple.

golang/go#16581

[nathany]

"At WWDC 2016, we announced token-based authentication, a new and simple way for notification providers to authenticate with the Apple Push Notification services (APNs) without the need for app-specific SSL certificates. Token-based authentication reduces the overhead of monitoring and renewing expiring certificates each year. In addition, you can use a single token to send notifications to each one of your apps."

[nathany]

https://go-review.googlesource.com/c/net/+/53250