Sending web push to APNs (https://web.push.apple.com) responds with 403 Forbidden

[rsdickerson]

Has anyone got web push working with iOS Safari (w/PWA)?

I posted the following on StackOverflow, but got no response.

We can send web push from java server to PWA on Android/Chrome works fine, but sending to PWA on iPhone/Safari fails with 403 Forbidden.

Works fine on Android phone

• PWA gets installed on Android phone via Chrome
• User clicks Subscribe button in app and grants permission
• App gets Subscription using server's VAPID public key
• PWA sends Subscription (endpoint, keys) to server
• Server sends web push to subscription endpoint (https://fcm.googleapis.com/fcm/send/...)
• FCM responds with 201 Created
• PWA service worker gets the "push" event and shows the notification

Request to fcm.googleapis.com

url:https://fcm.googleapis.com/wp/evZRV...IeBQGGaRfGK
Authorization=vapid t=eyJ0eXAiOi...o2jHfWJGw, k=BHBlZKwyYa...SclQckMDxE
Content-Encoding=aes128gcm
TTL=2419200
Crypto-Key=p256ecds...lQckMDxE=
Content-Type=application/octet-stream
method:POST
protocol version:HTTP/1.1
entity:[Content-Length: 219,Chunked: false]

Response

statusline:HTTP/1.1 201 Created
Location=https://fcm.googleapis.com/0:1705097911549557%0f493ae6f9fd7ecd
X-Content-Type-Options=nosniff
X-Frame-Options=SAMEORIGIN
X-Xss-Protection=0
Date=Fri, 12 Jan 2024 22:18:31 GMT
Content-Length=0
Content-Type=text/html; charset=UTF-8
Alt-Svc=h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
protocol version:HTTP/1.1
entity:[Content-Type: text/html; charset=UTF-8,Content-Length: 0,Chunked: false]

Fails on iPhone

• PWA gets installed on iPhone via Safari
• User clicks Subscribe button in app and grants permission
• App gets Subscription using server's VAPID public key
• PWA sends Subscription (endpoint, keys) to server
• Server sends web push to subscription endpoint (https://web.push.apple.com/...)
• FCM responds with 403 Forbidden
• PWA service worker never gets the "push" event

Request to web.push.apple.com

url:https://web.push.apple.com/QPU8aHza...q44-RonI
Authorization=vapid t=eyJ0eXAiO...DKVX7h5g, k=BHBlZKwy...QckMDxE
Content-Encoding=aes128gcm
TTL=2419200
Crypto-Key=p256ecdsa=BHBlZKwy...clQckMDxE=
Content-Type=application/octet-stream
method:POST
protocol version:HTTP/1.1
entity:[Content-Length: 219,Chunked: false]

Response

statusline:HTTP/1.1 403 Forbidden
content-type=text/plain; charset=UTF-8
apns-id=3597065D-3C81-ED1D-A56C-E5CED97D3BC1
protocol version:HTTP/1.1
entity:org.apache.http.client.entity.DecompressingEntity@6cbc2aee

I'm using the webpush-java library to prepare the web push request. Here's the send code:

JSONObject json = new JSONObject();

json.put("title", "Hello");

json.put("body", "This is a test.");

json.put("sub","mailto:myemail@mycompany.com");

PushService pushService = new PushService(publicKey, privateKey);
Notification notification = new Notification(subscription, json);

HttpPost httppost = pushService.preparePost(notification, Encoding.AES128GCM);

HttpClient httpclient = HttpClients.createDefault();

HttpResponse response = httpclient.execute(httppost);


Any help would be greatly appreciated.

[rsdickerson]

Here's the StackOverflow post for reference.
https://stackoverflow.com/questions/77809621/sending-web-push-to-apns-https-web-push-apple-com-responds-with-403-forbidde

[charleshope]

It seems to me that your usage of the library is non-standard. Why bother creating your own Http objects? Maybe try following the simpler usage in the example code?

[krissvaa]

Seems to be related to this:
#201 (comment)

[don41382]

Thanks for the link @krissvaa to the comment. By adding a subject to the PushService it works 🥳 :

PushService(
    "publicKey",
    "privateKey",
    "mailto:example@mail.com",
)

[rsdickerson]

Dang. My bad. I should have updated you on how I got it working. Yes, adding the subject got it going.

The docs on the webpush-java library don't show this way of instantiating the PushService. I did find it clearly shown on webpush.