Apple App Store Server Notifications [was JWT Token Decode]

Ralph DiMola rdimola at evergreeninfo.net
Fri Apr 8 14:03:48 EDT 2022


Apple App Store Server Notifications sends transaction data to your server.
It is especially good for in-app purchase refunds. If you had previously
recorded the transaction ID of the original purchase you can match it up to
the server notification and attach it to a user.

When you use the App Store Server Notifications you receive (in Post Raw)
either standard issue JSON (v1) or JWT (v2). I was using v1. When v2 was
offered the description said you get more events with v2. So I went with v2
and got into the JWT issue.
I was able to get the data out of the JWT but I'm still figuring out the
verification.

A JWT is 3 period-delimited base 64 encoded items: Header, Payload and
Signature. A JWT is not encrypted, but by using the header and signature you
can see if the payload has been manipulated or has dropped/scrambled bits,
because the hash will not match.

The payload (base 64 encoded) contains some of the previously observed v1 JSON
data. The actual transaction data is in a JSON element as another JWT
encoded string. Again you base 64 decode item 2 (period delimited), the
transaction data, and voilà, the remaining v1 JSON transaction elements are
there.

JWT uses Base 64 URL encoding. The "+" and "/" are substituted with "-" and
"_" so a JWT can exist in a URL without any problems.

Just scratching the surface of this giant headache. I now have both
payloads' JSON but have to figure out how to verify the hash. I'm no worse
off than the v1 straight up JSON but "inquiring minds want to know".

Film at 11.

Ralph DiMola
IT Director
Evergreen Information Services
rdimola at evergreeninfo.net
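A worked decode of the structure described in the post (three base64url segments with the padding restored, the nested transaction JWT inside the outer payload, and the signature failing once the payload is altered), as an added Python example that is not from the post or from Apple. The token, secret and transaction values are constructed, and HS256 with a shared secret stands in for Apple's real ES256 certificate-chain signature so the check can run offline.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs strip the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_jwt(token: str):
    """Return (header dict, payload dict, raw signature bytes) of a JWT."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))

def decode_notification(token: str) -> dict:
    """Decode the outer notification, then the nested signedTransactionInfo JWT."""
    _, payload, _ = split_jwt(token)
    _, txn, _ = split_jwt(payload["data"]["signedTransactionInfo"])
    return {"notificationType": payload["notificationType"], "transaction": txn}

# Constructed demo: HS256 with a shared secret stands in for Apple's ES256 signature.
SECRET = b"demo-secret-not-apples"

def make_hs256_jwt(claims: dict) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def hs256_signature_valid(token: str) -> bool:
    """Recompute the MAC over header.payload and compare it to the third segment."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def alter_payload(token: str, changes: dict) -> str:
    """Change payload claims but keep the old signature (a modified or corrupted token)."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(changes)
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{sig}"

INNER = make_hs256_jwt({"originalTransactionId": "1000000123456789",
                        "productId": "com.example.pro"})  # constructed values
OUTER = make_hs256_jwt({"notificationType": "REFUND",
                        "data": {"signedTransactionInfo": INNER}})
```

Match `transaction["originalTransactionId"]` against the ID recorded at purchase time only after the outer signature has verified; an altered or truncated token fails the check before any claim is trusted.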
