{"id":125796,"date":"2022-06-09T14:00:39","date_gmt":"2022-06-09T14:00:39","guid":{"rendered":"https:\/\/developer.apple.com\/news\/?id=huqjyh7k"},"modified":"2022-06-09T14:00:39","modified_gmt":"2022-06-09T14:00:39","slug":"challenge-private-access-tokens","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/06\/09\/challenge-private-access-tokens\/","title":{"rendered":"Challenge: Private Access Tokens"},"content":{"rendered":"
<\/div>\n

Private Access Tokens are powerful tools that prove when HTTP requests are coming from legitimate devices without disclosing someone’s identity. This proof can help you reduce how often you show CAPTCHAs to people. They are simple to set up and test \u2014 and so we’re inviting you in this challenge to try out Private Access Tokens on your own server.<\/p>\n

Before you begin, be sure to watch “Replace CAPTCHAs with Private Access Tokens” for an overview of the feature.<\/p>\n

\n
\n
<\/a> <\/section>\n
<\/p>\n

Replace CAPTCHAs with Private Access Tokens<\/h4>\n

Don\u2019t be captured by CAPTCHAs! Private Access Tokens are a powerful alternative that help you identify HTTP requests from legitimate devices and people without compromising their identity or personal information. We\u2019ll show you how your app and server can take advantage of this tool to add…<\/p>\n

<\/a> <\/section>\n<\/section>\n<\/section>\n

Begin the challenge<\/h3>\n

It\u2019s easy to add support for Private Access Tokens on your servers: Your server can send an HTTP authentication challenge to request clients to present a token that is signed by a token issuer you trust. You can then validate tokens using that issuer\u2019s public key.<\/p>\n

<\/div>\n

Choose a Token Issuer<\/strong>
To adopt Private Access tokens, you’ll first need to choose a token issuer. Your server must include the token issuer\u2019s hostname and public key in challenges sent to clients. You can test with token issuers from Cloudflare and Fastly when using iOS 16 and macOS Ventura. For each issuer, you can look up the public key using the URL format https:\/\/<issuer name>\/.well-known\/token-issuer-directory<\/code>. You can fetch one of the following URLs from your server to get the issuer information:<\/p>\n

Cloudflare \u2014 https:\/\/demo-pat.issuer.cloudflare.com\/.well-known\/token-issuer-directory Fastly \u2014 https:\/\/demo-issuer.private-access-tokens.fastly.com\/.well-known\/token-issuer-directory<\/code><\/pre>\n
Learn more about Private Access Tokens and Cloudflare<\/a><\/p>\n
Learn more about Private Access Tokens and Fastly<\/a><\/p>\n
Token Challenge and Redemption<\/strong>
\nTo send a challenge, your server needs to post a HTTP 401 response to a request made by the client with a \u201cWWW-Authenticate\u201d header containing a \u201cPrivateToken\u201d challenge. This header contains two attributes: \u201cchallenge\u201d, which contains a TokenChallenge structure in base64url encoding; and \u201ctoken-key\u201d, which contains a token issuer\u2019s public key using base64url encoding.<\/p>\n
WWW-Authenticate: PrivateToken challenge=, token-key=<\/code><\/pre>\n
The TokenChallenge structure contains the type of token, the hostname of the issuer, an optional context to bind to your challenge, and the hostname of your server. iOS 16 and macOS Ventura support token type 2, which uses publicly verifiable RSA Blind Signatures.<\/p>\n
struct { uint16_t token_type; \/\/ 0x0002, in network-byte order uint16_t issuer_name_length; \/\/ Issuer name length, in network-byte order char issuer_name[]; \/\/ Hostname of the token issuer uint8_t redemption_context_length; \/\/ Redemption context length (0 or 32) uint8_t redemption_context[]; \/\/ Redemption context, either 0 or 32 bytes uint16_t origin_info_length; \/\/ Origin info length, in network-byte order char origin_info[]; \/\/ Hostname of your server\n} TokenChallenge; <\/code><\/pre>\n
Token responses come in an \u201cAuthorization\u201d header. This contains the \u201ctoken\u201d attribute, which is a RSA Blind Signature token using base64url encoding. Use the token issuer\u2019s public key to verify this token.<\/p>\n
Authorization: PrivateToken token=<\/code><\/pre>\n
Note: When you send token challenges, don\u2019t block the main page load. Make sure that any clients that don\u2019t support tokens still can access your website!<\/p>\n
Adopt the “PrivateToken” HTTP authentication scheme<\/a><\/p>\n
Issuance Protocol for Publicly Verifiable Tokens<\/a><\/p>\n
Now that you know how to set up Private Access Tokens, explore sending token challenges in your own website. Test your site with clients that support Private Access Tokens \u2014 and ones that don\u2019t! \u2014 and discover how you can make your CAPTCHAs only show for clients that don\u2019t support Private Access Tokens.<\/p>\n
Have questions about adopting this feature? Check out our Q&A on Private Access Tokens on Thursday morning. And don’t forget to share your CAPTCHA-free experiences on Twitter with the hashtag #WWDC22Challenges! <\/p>\n
Explore #WWDC22Challenges on social media<\/a><\/p>\n
Read the WWDC22 Challenges Terms and Conditions<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Private Access Tokens are powerful tools that prove when HTTP requests are coming from legitimate devices without disclosing someone’s identity. This proof can help you reduce how often you show CAPTCHAs to people. They are simple to set up and test \u2014 and so we’re inviting you in this challenge to try out Private Access Tokens […]<\/p>\n","protected":false},"author":2,"featured_media":125797,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[],"class_list":["post-125796","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apple-developer-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/125796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=125796"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/125796\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/125797"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=125796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=125796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=125796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}