Based on the ietf draft of PrivacyPass:
- A PrivateAccess auth scheme generator to produce a valid challenge token
- A PAT test site that only emits
WWW-Authenticate: PrivateAccessauth schemes to test the flow on Safari16.
Currently PATs are only supported in Safari16 and use the Private Access auth scheme. However there are a few important details for Safari16:
- the
origin_infoparameter is optional but when provided must match theHost:header (not the servername= field in the TLS negotiation) - the
challengeandtoken-keyfields are base64url encoded BUT padding (=) is required - The
token-keyfrom Fastly isn't accessible by accessing/.well-known/token-issuer-directory. A public key is available on their blog post but is subject to change. - all fields (
challenge,token-keyandtoken) need to be quoted if=padding is present - However, macOS13 and iOS16 do not support "quoted" fields and there is no way to disambiguate a future version that might support properly quoted fields from the current OS releases :(
- Cloudflare is making the
token-issuer-directorypublicly accessible because it appears they are rotating their keys (at the time of writing they are on v16) - There isn't a way to distinguish Safari 16 on an older version of macOS or iOS vs Safari 16 on macOS13 or iOS16 which do support PAT
- Challenges are rate limited to 1/60s for an established TLS socket. There appears to be other rate limits
- Safari16 doesn't support RSARSS-PSS oid with parameters in WebCrypto so you can't use the browser to validate.
- You can, however, hack the base64 and convert it to a simple rsaEncoded RSARSS-PSS by taking the last 367 and prepending with "MIIBIjANBgkqhkiG9w0BAQEFA" to get a compatible oid
- On macOS a convenient way to watch token redemption:
log stream --predicate 'subsystem contains "networkserviceproxy"' --debug --info --style compact
More details: