Error 400 UnauthorizedRegistration #46

Closed
dyogomedeiros opened this issue Feb 6, 2018 · 18 comments

@dyogomedeiros

I use this code:

```java
import java.nio.charset.StandardCharsets;
import java.security.Security;

import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import com.google.gson.JsonObject;

import nl.martijndwars.webpush.Notification;
import nl.martijndwars.webpush.PushService;

public class Teste {

    public static void main(String[] args) {
        try {
            Security.addProvider(new BouncyCastleProvider());

            // Send notification!
            sendPushMessage(getPayload());

        } catch (Exception e) {
            e.printStackTrace();
        }

    }

    private static final int TTL = 255;

    // Note: the payload argument is not used below; the literal "Hello, world!" is what gets sent.
    public static void sendPushMessage(byte[] payload) {
        // Figure out if we should use GCM for this notification somehow
        try {
            Notification notification;
            PushService pushService;

            // Create a notification with the endpoint, userPublicKey from the subscription and a custom payload
            notification = new Notification(
                    "https://fcm.googleapis.com/fcm/send/d8KX2q4goDM:APA91bH5Boq0076mY4-YdxIOrsD_pzfx6DorrD6FRaksk5sf64A3Z9cySX2JhxwOlql1wq-Bdo0SZvSmBbARZaxTgn4_O9MHbbG_JFY-ZJp0i6WauLwllglA54lBp6NkWB0q6axNHIa3",
                    "BPNcSFiObeUbcCg4m5c1AybHv7NSdBE_X5YJ6ZFQfpXWnXQbDnEILz3qPe4Zb-9M9B6Lc_W20uSzVmH1ZyNuWwk=",
                    "nJiZotPSQE4P4z75Igq57Q==",
                    "Hello, world!"
                    );

            // Instantiate the push service, no need to use an API key for Push API
            pushService = new PushService();

            // Send the notification
            HttpResponse httpResponse = pushService.send(notification);

            System.out.println(httpResponse.getStatusLine().getStatusCode());
            System.out.println(IOUtils.toString(httpResponse.getEntity().getContent(), StandardCharsets.UTF_8));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static byte[] getPayload() {
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("title", "Hello");
        jsonObject.addProperty("message", "World");

        // Encode explicitly as UTF-8 instead of relying on the platform default charset
        return jsonObject.toString().getBytes(StandardCharsets.UTF_8);
    }
}
```

And receive this answer:

```
400
<HTML>
<HEAD>
<TITLE>UnauthorizedRegistration</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>UnauthorizedRegistration</H1>
<H2>Error 400</H2>
</BODY>
</HTML>
```

@martijndwars
Member

If you are using VAPID you should configure the public- and private key. The spring-boot-web-push repository contains an example on how to invoke the web push library. Specifically, line 27 of SendController.java configures the PushService with a public key and private key (generated from web-push-codelab.glitch.me).

@johanvs

johanvs commented Feb 14, 2018

@martijndwars I call the send method like you, and I also get an Error 400 UnauthorizedRegistration.

@johanvs

johanvs commented Feb 14, 2018

May be a duplicate of Issue 33.
I use version 3.0.2 and in Chrome I still have the problem.

@martijndwars
Member

@johanvs can you create a minimal reproducible example (e.g. in a git repository)? If you follow the steps outlined in spring-boot-web-push, does it work?

@johanvs

johanvs commented Feb 14, 2018

Thanks a lot @martijndwars. Thanks to your example I understood what was wrong with my code. After tests of changing keys, I did not update the public key in the JavaScript file, and it was different from the server one. Now it works :-)

@ihalilaltun

@martijndwars we are facing the same error while we use GCM key (we can successfully send most of the notifications, but for some we are getting this error), any thoughts what may cause the problem?

@martijndwars
Member

Hi @ihalilaltun, things you could try:

  • For those subscriptions that return an UnauthorizedRegistration, have you tried re-sending them (i.e. is this a consistent problem or intermittent problem?).
  • To determine whether this is a bug in the java-library you could try to send a notification to one of these subscriptions with one of the other implementations, e.g. https://github.com/web-push-libs/web-push.

@ihalilaltun

Hi @martijndwars, I do not try to re-send them, as indicated in documentation I am deleting these users :/ . I'll try re-sending to these users, but other than this do you have anything else in your mind to check?
By the way, I do not think this is a bug in the library.

@leonchaves

> If you are using VAPID you should configure the public- and private key. The spring-boot-web-push repository contains an example on how to invoke the web push library. Specifically, line 27 of SendController.java configures the PushService with a public key and private key (generated from web-push-codelab.glitch.me).

That code uses private key, public key and subject as parameters to create the PushService. When I ran the web-push generate-vapid-keys command I only got the keys (Angular tutorial available here - see "Generating a VAPID key pair using node web-push"). There is no subject (neither an input from me nor an output from the command). Do you have any suggestion on how to generate a key pair with subject or which subject I pass as a parameter?

Thanks

@martijndwars
Member

martijndwars commented Feb 1, 2019

The subject parameter is part of the VAPID specification, but its value is not really important. According to the specification:

> If the application server wishes to provide contact details, it MAY include a "sub" (Subject) claim in the JWT. The "sub" claim SHOULD include a contact URI for the application server as either a "mailto:" (email) [RFC6068] or an "https:" [RFC2818] URI.

An example subject would be mailto:[email protected]. According to the specification the subject parameter is optional, but in this library the subject parameter is required. (Making the subject optional is an open issue).

@leonchaves

> The subject parameter is part of the VAPID specification, but its value is not really important. According to the specification:
>
> > If the application server wishes to provide contact details, it MAY include a "sub" (Subject) claim in the JWT. The "sub" claim SHOULD include a contact URI for the application server as either a "mailto:" (email) [RFC6068] or an "https:" [RFC2818] URI.
>
> An example subject would be mailto:[email protected]. According to the specification the subject parameter is optional, but in this library the subject parameter is required. (Making the subject optional is an open issue).

Thanks for your response. But I'm still facing the same unauthorized error. My code is the same as above (original code posted by dyogomedeiros), except that I'm using the PushService constructor that receives public key, private key and subject as strings. Those are the same in the server and in the client. I really don't know what I'm missing. Can you help me, please?

Thanks

@leonchaves

leonchaves commented Feb 4, 2019

I was sending the endpoint incorrectly, and that's why I got an unauthorized error. Now I get a 201 - Created result, but I can't see the actual notification in my Ubuntu and Chrome.

What are the response error code meanings for this service? 201 I believe it is "ok", right?

@leonchaves

I figured it out: the payload cannot be a string like the one in the above code. It must be a json in a certain format. At least:

{ "notification": {"title": "message title", "body": "message body"} }

Now it is ok!

@martijndwars
Member

For the web push protocol the payload is just binary data. The Push Event page describes several ways in which your service worker can parse the data:

  • event.data.text() returns the data as string.
  • event.data.json() parses the data as JSON string and returns a JavaScript object.
  • event.data.blob() returns a blob of data.
  • event.data.arrayBuffer() returns the data as ArrayBuffer.
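
A push handler that accepts the payload shapes seen in this thread (the plain string "Hello, world!", the flat title/message object, and the `{"notification": ...}` form) without failing on a format error. This is an added example, not code from webpush-java or from the Angular service worker; `toNotification`, `fakeData` and the fallback title are hypothetical names.

```javascript
const FALLBACK_TITLE = 'New message'; // hypothetical default, not from the thread

// Map a PushMessageData-like object to showNotification() arguments without throwing.
function toNotification(data) {
  if (!data) return { title: FALLBACK_TITLE, options: { body: '' } }; // push with no payload
  let parsed;
  try {
    parsed = data.json(); // throws for non-JSON payloads such as "Hello, world!"
  } catch {
    parsed = null;
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    // Not a JSON object: show the raw text instead of dropping the message.
    return { title: FALLBACK_TITLE, options: { body: data.text() } };
  }
  // Accept both {"notification": {...}} and a flat {"title": ..., "message": ...} object.
  const n = parsed.notification && typeof parsed.notification === 'object'
    ? parsed.notification
    : parsed;
  const str = (v) => (typeof v === 'string' ? v : undefined);
  return {
    title: str(n.title) ?? FALLBACK_TITLE,
    options: { body: str(n.body) ?? str(n.message) ?? '' },
  };
}

// Constructed stand-in for PushMessageData so the function can be exercised outside a browser.
const fakeData = (raw) => ({ text: () => raw, json: () => JSON.parse(raw) });

// Service worker wiring; skipped when not running inside a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('push', (event) => {
    const { title, options } = toNotification(event.data);
    event.waitUntil(self.registration.showNotification(title, options));
  });
}
```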

@leonchaves

You're right. We are using an angular service worker that expects json and does not handle well format errors. Thanks for the help!

@dsteen338

I am running into a similar issue, and am wondering if I can get some help. I got my push notifications to work on Firefox, but not on Chrome. I was getting the 400 Unauthorized error like the users above.

I was originally not using VAPID, but wondered if I needed to be. Following the advice of @martijndwars, I added my VAPID private and public key-pair to the backend (based on this comment):

> If you are using VAPID you should configure the public- and private key. The spring-boot-web-push repository contains an example on how to invoke the web push library. Specifically, line 27 of SendController.java configures the PushService with a public key and private key (generated from web-push-codelab.glitch.me).

However I am now getting a 403 forbidden instead. Firefox still working as expected. I'm not using GCM, just trying to do it myself. Is there something I'm missing/doing wrong here? Currently using version 5.0.1.

@dsteen338

> I am running into a similar issue, and am wondering if I can get some help. I got my push notifications to work on Firefox, but not on Chrome. I was getting the 400 Unauthorized error like the users above.
>
> I was originally not using VAPID, but wondered if I needed to be. Following the advice of @martijndwars, I added my VAPID private and public key-pair to the backend (based on this comment):
>
> > If you are using VAPID you should configure the public- and private key. The spring-boot-web-push repository contains an example on how to invoke the web push library. Specifically, line 27 of SendController.java configures the PushService with a public key and private key (generated from web-push-codelab.glitch.me).
>
> However I am now getting a 403 forbidden instead. Firefox still working as expected. I'm not using GCM, just trying to do it myself. Is there something I'm missing/doing wrong here? Currently using version 5.0.1.

Scratch that! I got it to work, I just needed to un-register and re-register the service worker after adding the applicationServerKey to the subscription.

My comment now becomes, that I needed to do a lot of googling and investigating to get to this point and get it working. I needed to find this thread specifically and use the example from https://github.com/MartijnDwars/spring-boot-web-push instead of the one from the Usage example in the wiki: https://github.com/web-push-libs/webpush-java/wiki/Usage-Example, I'm wondering if it might be of use to people who end up in a similar situation as me to update the wiki accordingly.
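
A check for the mismatches reported in this thread, run over a VAPID `Authorization` header laid out as in RFC 8292: it compares the server's `k` with the `applicationServerKey` the browser subscribed with and validates the `aud`, `exp` and `sub` claims discussed above. This is an added example, not the library's code; `checkVapid`, `sampleAuth` and the sample key bytes are hypothetical and constructed, and the JWT signature is not verified.

```javascript
// Decode base64 or base64url, with or without "=" padding.
const decode = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Returns a list of problems; an empty list means claims and key are consistent.
// The JWT signature is NOT verified here.
function checkVapid(authorization, endpoint, applicationServerKey, nowSec) {
  const m = /^vapid\s+(.*)$/i.exec(authorization);
  if (!m) return ['Authorization scheme is not "vapid"'];
  const params = Object.fromEntries(m[1].split(',').map((p) => {
    const i = p.indexOf('=');
    return [p.slice(0, i).trim(), p.slice(i + 1).trim()];
  }));
  const parts = (params.t || '').split('.');
  if (parts.length !== 3 || !params.k) return ['missing or malformed t= (JWT) / k= (key)'];
  let header, claims;
  try {
    [header, claims] = parts.slice(0, 2).map((p) => JSON.parse(decode(p).toString('utf8')));
    if (header === null || claims === null) throw new Error('null JSON');
  } catch {
    return ['JWT header or claims are not valid JSON'];
  }
  const problems = [];
  if (header.alg !== 'ES256') problems.push('alg must be ES256');
  if (claims.aud !== new URL(endpoint).origin) problems.push('aud does not match the endpoint origin');
  if (!(claims.exp > nowSec)) problems.push('exp is missing or in the past');
  else if (claims.exp - nowSec > 86400) problems.push('exp is more than 24 hours away');
  if (claims.sub !== undefined && !/^(mailto:|https:)/.test(claims.sub)) {
    problems.push('sub should be a mailto: or https: URI');
  }
  const serverKey = decode(params.k);
  if (serverKey.length !== 65 || serverKey[0] !== 4) problems.push('k is not an uncompressed P-256 point');
  if (!serverKey.equals(decode(applicationServerKey))) {
    problems.push('k differs from the applicationServerKey used at subscribe time');
  }
  return problems;
}

// Constructed sample data: placeholder key bytes and a dummy signature, not real credentials.
const sampleKey = Buffer.concat([Buffer.from([4]), Buffer.alloc(64, 7)]);
function sampleAuth(claims, key = sampleKey) {
  const jwt = [{ typ: 'JWT', alg: 'ES256' }, claims].map((o) => b64url(JSON.stringify(o)));
  return `vapid t=${jwt.join('.')}.${b64url('dummy-signature')}, k=${b64url(key)}`;
}
```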

@martijndwars
Member

I'm glad you got this to work @dsteen338! I'd be happy to discuss ideas that could improve the wiki. PRs that improve the documentation are very welcome.

It seems that most comments on this issue are about problems with using the library and not with the library itself, so I will close the issue now. If someone bumps into a similar issue or wants to discuss improvements to the documentation, please create a new issue.
