[Bug] Net::HTTP is returning 403 Forbidden on getting Apple Auth Keys

[yasalmasri]

Bug report:

• Expected Behavior:
  Production Environment when verifying user identity, request to Apple Auth Keys should return 200 response code.
  I tried to hit the same URL using RestClient and got 200 response code with the expected response body.

• Actual Behavior:
  Production Environment when verifying user identity, request to Apple Auth Keys is returning 403 Forbidden.

• Steps to Reproduce:

  1. Deploy a rails app
  2. rails console
  3. Net::HTTP.get(URI.parse('https://appleid.apple.com/auth/keys'))
  4. Response code is 403

• Version of the repo:
  AppleAuth 1.0.0

• Ruby and Rails Version:
  ruby-2.7.1 rails-6.0.4.1

[Gnash-Obial]

Hey, have you solved the issue? I am encountering this issue as well.

[yasalmasri]

@Gnash-Obial
check your config/initializers/apple_auth.rb and make sure you escape the line brake:

config.apple_private_key = ENV.fetch('APPLE_PRIVATE_KEY', 'apple_private_key').gsub("\\n", "\n")

I also override the method by using RestClient to do this request as it does not require authentication:

module AppleAuth
  class UserIdentity
    private

    def apple_key_hash
      certificate = JSON.parse(response)
      matching_key = certificate['keys'].select { |key| key['kid'] == jwt_kid }
      ActiveSupport::HashWithIndifferentAccess.new(matching_key.first)
    end

    def response
      @response ||= RestClient.get(APPLE_KEY_URL).body
    end
  end
end

[langelone]

It's a Server Name Indication problem. Change HTTP client

AppleAuth::UserIdentity.class_eval do

  private
  
  def apple_key_hash
    response = Faraday.get(AppleAuth::UserIdentity::APPLE_KEY_URL).body
    certificate = JSON.parse(response)
    matching_key = certificate['keys'].select { |key| key['kid'] == jwt_kid }
    ActiveSupport::HashWithIndifferentAccess.new(matching_key.first)
  end

end