10

I am using the SimpleCalDAV client to get calendar events from iCloud (Apple) using PHP. This client worked great until Apple introduced app-specific passwords. Since then, for some user accounts I always get "403 Forbidden" as the result:

Connect to iCloud server:

Request Header:

OPTIONS / HTTP/1.1
Host: p30-caldav.icloud.com
Authorization: Basic bWFxxxxmZlbGRlckBxxxxxbmNlcHQuY2xxxxxxxxxtY3pyeC15YWZxxxxxxxx3b3o=
User-Agent: cURL based CalDAV client
Accept: */*
Content-type: text/plain

Request Body

HTTP/1.1 200 OK
Server: AppleHttpServer/2f080fc0
Date: Sun, 21 Jan 2018 15:29:33 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Apple-Jingle-Correlation-Key: 3IAOX5DL3ZA5NGIXT57LTVFH3Q
apple-seq: 0
apple-tk: false
Apple-Originating-System: UnknownOriginatingSystem
X-Responding-Instance: caldavj:15701001:st41p57ic-qufb10212001:8501:17H89:22adb24b
Allow: ACL, COPY, DELETE, GET, HEAD, LOCK, MKCOL, MOVE, OPTIONS, PROPFIND, PROPPATCH, PUT, REPORT, UNLOCK
DAV: 1, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-managed-attachments, calendarserver-sharing, calendarserver-subscribed, calendarserver-home-sync, calendar-audit, caldavserver-supports-telephone
X-Accept-Client-Encoding: gzip
Strict-Transport-Security: max-age=31536000; includeSubDomains
via: icloudedge:fr02p01ic-ztde011002:7401:17HotFix6:Frankfurt
X-Apple-Request-UUID: da00ebf4-6bde-41d6-9917-9f7eb9d4a7dc
access-control-expose-headers: X-Apple-Request-UUID
access-control-expose-headers: Via

Trying to get calendar events:

Request Header:

REPORT /xx76669xx5/calendars/ HTTP/1.1
Host: p30-caldav.icloud.com
Authorization: Basic ZmVsZG1hcnYuc3VwcG9ydEBnbWFpbC5jb20xxxxxxxxxxXVzLWJxbWxxxxxxxxxxxxreg==
User-Agent: cURL based CalDAV client
Accept: */*
Content-type: text/xml
Depth: 1
Content-Length: 367

Request Body:

<?xml version="1.0" encoding="utf-8" ?>
<C:calendar-query xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">
<D:prop>
<C:calendar-data/>
<D:getetag/>
</D:prop><C:filter>
<C:comp-filter name="VCALENDAR">
<C:comp-filter name="VEVENT">
<C:time-range start="20180115T000000Z" end="20180121T235959Z"/>
</C:comp-filter>
</C:comp-filter>
</C:filter>
</C:calendar-query>

Response Header:

HTTP/1.1 403 Forbidden
Server: AppleHttpServer/2f080fc0
Date: Sun, 21 Jan 2018 15:49:26 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 9
Connection: keep-alive
X-Apple-Jingle-Correlation-Key: QI5L3MI7AJD6ZONONAAGCMBXZ4
apple-seq: 0
apple-tk: false
Apple-Originating-System: UnknownOriginatingSystem
X-Responding-Instance: caldavj:33000101:mr21p30ic-hpaf07173601:8501:17H89:22adb24b
DAV: 1, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-audit, caldavserver-supports-telephone, calendar-managed-attachments, calendarserver-sharing, calendarserver-subscribed, calendarserver-home-sync
Strict-Transport-Security: max-age=31536000; includeSubDomains
via: icloudedge:fr02p00ic-ztde011131:7401:17HotFix6:Frankfurt
X-Apple-Request-UUID: 823abdb1-1f02-47ec-b9ae-6800613037cf
access-control-expose-headers: X-Apple-Request-UUID
access-control-expose-headers: Via

Response Body:

Forbidden

What I find strange is that I can connect to the server (log in) and I get a 200 response, which means I was able to log in to iCloud. It seems to be a user-account-specific problem. It works on my Apple account, but not on my friend's. What could the problem be?

Any hint is highly appreciated.

nimrod
  • "What I find strange is that I can connect to the client and I get a 200 response" - You probably mean "connect to the server"? You don't show the URL, maybe you are hitting an unprotected source. – hnh Jan 22 '18 at 11:57
  • Also, you should probably remove your password from the question ... – hnh Jan 22 '18 at 11:58
  • The 403 says "Content-Length: 9" - what is the content? You omitted that. – hnh Jan 22 '18 at 11:59
  • I added the missing data – nimrod Jan 22 '18 at 12:47
  • OK, first: the OPTIONS works because it doesn't require authentication. What server are you hitting, caldav.icloud.com or a specific partition? Are you doing http or https? – hnh Jan 24 '18 at 09:53
  • https://p30-caldav.icloud.com. It seems like iCloud properly manages the "p30" part. We checked which server is used for the user where auth fails on icloud.com (network tab). – nimrod Jan 24 '18 at 09:56
  • (You retrieve the host which serves the user by asking the server for the CalDAV calendar homeset.) That you get a 403 instead of a 401 kinda suggests to me that the credentials provided are indeed valid. But maybe they are for a different service (they are app specific after all) or you hit the wrong URL. No idea :-) – hnh Jan 24 '18 at 10:05
  • How come it works for 98/100 users? It must be somehow account related in this case... – nimrod Jan 24 '18 at 10:09
  • Of course it could also be a bug in either your code or the specific cluster serving your 2%. Or the 2% just enter the wrong password, which seems reasonably likely :-) – hnh Jan 24 '18 at 10:15
  • The password is not an issue since I generated the app-specific password for the user myself for verification purposes. And regarding clusters... could be, but how would I know the correct cluster for the user? Is it always the same for a user? – nimrod Jan 24 '18 at 10:17
  • I already answered your question regarding the cluster. The calendar homeset property points you to the right one. But I doubt it is the issue. The host usually does not change, but I think it theoretically can. – hnh Jan 24 '18 at 10:36
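
The discovery hnh describes in the comments above, as an added example (not part of the original thread and not SimpleCalDAV code): an authenticated PROPFIND for the principal, then for its calendar home set, so the login is judged by a request that requires credentials rather than by the unauthenticated OPTIONS. The entry URL and credentials are placeholders, the sample response is constructed, a non-absolute href is assumed to be a path starting with "/", and it needs PHP 8 with the curl and dom extensions.

```php
<?php // Added example (PHP 8), not SimpleCalDAV code; host and sample data are placeholders.
const NS_DAV = 'DAV:';
const NS_CALDAV = 'urn:ietf:params:xml:ns:caldav';
// Authenticated PROPFIND with Depth: 0; returns [HTTP status, body].
function propfind(string $url, string $user, string $appPassword, string $prop): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => 'PROPFIND',
        CURLOPT_USERPWD        => "$user:$appPassword",   // sent as HTTP Basic
        CURLOPT_HTTPHEADER     => ['Depth: 0', 'Content-Type: text/xml; charset=utf-8'],
        CURLOPT_POSTFIELDS     => '<D:propfind xmlns:D="DAV:" xmlns:C="' . NS_CALDAV
                                . '"><D:prop>' . $prop . '</D:prop></D:propfind>',
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    return [curl_getinfo($ch, CURLINFO_HTTP_CODE), is_string($body) ? $body : ''];
}
// Return the <D:href> nested in one property of a 207 multistatus body, or null.
function hrefOf(string $xml, string $ns, string $prop): ?string
{
    $doc = new DOMDocument();
    if ($xml === '' || !@$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $node = $doc->getElementsByTagNameNS($ns, $prop)->item(0);
    $href = $node?->getElementsByTagNameNS(NS_DAV, 'href')->item(0);
    return $href ? trim($href->textContent) : null;
}
// Principal first, then the calendar home set, whose URL names the serving host.
function discoverHomeSet(string $entry, string $user, string $appPassword): string
{
    $url = $entry;
    foreach ([NS_DAV => 'D:current-user-principal', NS_CALDAV => 'C:calendar-home-set'] as $ns => $tag) {
        [$status, $body] = propfind($url, $user, $appPassword, "<$tag/>");
        if ($status !== 207) {   // 401 here means the credentials themselves were rejected
            throw new RuntimeException("PROPFIND $tag on $url returned HTTP $status");
        }
        $href = hrefOf($body, $ns, substr($tag, 2)) ?? throw new RuntimeException("no $tag in response");
        $url = preg_match('#^https?://#i', $href) ? $href   // absolute URL: use as returned
             : preg_replace('#^(https?://[^/]+).*#i', '$1', $url) . $href;   // path: keep host
    }
    return $url;
}
// Constructed sample response (not captured from iCloud), parsed offline:
$sample = '<multistatus xmlns="DAV:" xmlns:C="' . NS_CALDAV . '"><response><propstat><prop>'
        . '<C:calendar-home-set><href>https://pNN-caldav.example.test/123/calendars/</href>'
        . '</C:calendar-home-set></prop></propstat></response></multistatus>';
echo hrefOf($sample, NS_CALDAV, 'calendar-home-set'), PHP_EOL;
```

Running the REPORT against the URL returned by `discoverHomeSet()` removes the hard-coded partition host as a variable when comparing accounts that work with accounts that return 403.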

1 Answer

0

According to this:

HTTP status code 403 responses are the result of the web server being configured to deny access to the requested resource by the client.


I expect that it may be possible that your friend did not allow you to access his private calendar.

He has to share his calendar with you (invite you to view the calendar) before you may access the calendar data with your account.

And according to this documentation, the calendar could not be set as "Public" at the same time.

Finally, you may also double-check if the 403 error is not related to this issue on your friend's side (Too Many iCloud Accounts).

And note also that if you want to use a third-party app with your iCloud account, you'll have to enable two-factor authentication and generate individual passwords for each app.

A. STEFANI
  • I think it's not about sharing when they provide the app-specific password for their account. My application accesses their calendar on their behalf. However, we just tried to make their account public (shared) and it did not change anything. We still receive 403 from iCloud. – nimrod Jan 24 '18 at 09:32
  • Did you try having your friend share the target calendar with your iCloud email account? – A. STEFANI Jan 24 '18 at 10:25
  • Yes, as I mentioned, but that is not how our service works. We do not log in with a generic account. We log the user in directly to the iCloud servers with their app-specific password. – nimrod Jan 24 '18 at 10:31