Private State Token DEMO
Private State Token
The Private State Token API is a web platform API that allows propagating a limited amount of signals across sites, using the Privacy Pass protocol as an underlying primitive.
Private State Tokens enable an origin to issue cryptographic tokens to a user it trusts. Tokens are stored by the user's browser, and can later be redeemed in other contexts to confirm that the user is a real human.
For example, authenticity established for a user on a social media or email site can be conveyed to another site such as a news publisher or online store.
Find out more: Private State Tokens | Chrome Developers
This repo provides code to demonstrate Private State Token using BoringSSL to create an issuance service.
You can try out this demo online at private-state-token-demo.glitch.me or download, build and run it yourself.
Install and run this demo
The following instructions are oriented to a Linux environment.
Note that it takes several minutes to download the code, install and build BoringSSL (and cmake if necessary).
Download the code
git clone git@github.com:GoogleChromeLabs/private-state-token-demo.git
All the commands below should be run from the top-level private-state-token-demo directory:
cd private-state-token-demo
If necessary, install cmake
To build this demo you will need the cmake build tool.
Install BoringSSL
Run the install-boringssl.sh script to download and build BoringSSL:
Build executables
Build the executable files required for the demo, using the BoringSSL library and the C files in the src directory as defined in the Makefile:
Install Node dependencies
The demo uses the Express HTTP server and other dependencies defined in package.json.
Run the demo server
Run npm start (defined in server.js) to start the demo server.
Open the demo page
Open the demo in Chrome, started with the Private State Token API enabled and the issuer's key commitment passed on the command line.
on MacOS:
open -a "Google Chrome" --args \
  --additional-private-state-token-key-commitments='{ "https://private-state-token-issuer.glitch.me": { "PrivateStateTokenV1VOPRF": { "protocol_version": "PrivateStateTokenV1VOPRF", "id": 1, "batchsize": 1, "keys": { "1": { "Y": "AAAAAQQ7W5gOubJT3kTpzNGsekT9RZPXgXGrOMB2+QPw/ZzAuLrM3kc8eyHuTc1KmKjH4sh5+ev5GCI4HVVd46o6rWvNvk0iZQtVuUPhT8X54Ajebng8v5zUnpnPuTjGqlc7+MM=", "expiry": "1915356984440000" } } } } }'
on Linux:
google-chrome --args \
  --additional-private-state-token-key-commitments='{ "https://private-state-token-issuer.glitch.me": { "PrivateStateTokenV1VOPRF": { "protocol_version": "PrivateStateTokenV1VOPRF", "id": 1, "batchsize": 1, "keys": { "1": { "Y": "AAAAAQQ7W5gOubJT3kTpzNGsekT9RZPXgXGrOMB2+QPw/ZzAuLrM3kc8eyHuTc1KmKjH4sh5+ev5GCI4HVVd46o6rWvNvk0iZQtVuUPhT8X54Ajebng8v5zUnpnPuTjGqlc7+MM=", "expiry": "1915356984440000" } } } } }'
Open localhost:3000 to view the demo page.
By default, this demo runs on port 3000. You can change this by setting the PORT environment variable like below.
API details
Key commitment
GET /.well-known/private-state-token/key-commitment
Returns the key commitment in JSON format, as used by the browser.
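A key commitment with a stale or damaged key fails quietly in the browser, so it is worth checking before use. The following is an added example, not code from this repo: `checkKeyCommitment` is a hypothetical helper, run here on the commitment from the launch commands above. It assumes `Y` is a 4-byte big-endian key ID followed by an uncompressed P-384 point (which matches the sample value) and that `expiry` is in microseconds since the Unix epoch.

```javascript
// Added example: sanity-check a key commitment before giving it to Chrome.
// SAMPLE is the commitment from the launch commands on this page.
const SAMPLE = {
  "https://private-state-token-issuer.glitch.me": {
    PrivateStateTokenV1VOPRF: {
      protocol_version: "PrivateStateTokenV1VOPRF",
      id: 1,
      batchsize: 1,
      keys: {
        "1": {
          Y: "AAAAAQQ7W5gOubJT3kTpzNGsekT9RZPXgXGrOMB2+QPw/ZzAuLrM3kc8eyHuTc1KmKjH4sh5+ev5GCI4HVVd46o6rWvNvk0iZQtVuUPhT8X54Ajebng8v5zUnpnPuTjGqlc7+MM=",
          expiry: "1915356984440000",
        },
      },
    },
  },
};

// Assumption: Y = 4-byte key ID + 0x04 marker + two 48-byte P-384 coordinates.
const PUBKEY_LEN = 4 + 1 + 2 * 48;

function checkKeyCommitment(commitment, nowMs = Date.now()) {
  const report = [];
  for (const [issuer, versions] of Object.entries(commitment)) {
    for (const [version, c] of Object.entries(versions)) {
      if (c.protocol_version !== version)
        throw new Error(`${issuer}: protocol_version does not match "${version}"`);
      for (const [keyId, key] of Object.entries(c.keys)) {
        const raw = Buffer.from(key.Y, "base64");
        if (raw.length !== PUBKEY_LEN || raw[4] !== 0x04)
          throw new Error(`${issuer} key ${keyId}: unexpected public key encoding`);
        if (raw.readUInt32BE(0) !== Number(keyId))
          throw new Error(`${issuer} key ${keyId}: key ID embedded in Y differs`);
        if (!/^\d+$/.test(key.expiry))
          throw new Error(`${issuer} key ${keyId}: expiry must be a decimal string`);
        // Assumption: expiry is microseconds since the Unix epoch.
        const expiryMs = Number(BigInt(key.expiry) / 1000n);
        const expiresAt = new Date(expiryMs).toISOString();
        report.push({ issuer, keyId, expiresAt, expired: expiryMs <= nowMs });
      }
    }
  }
  return report;
}

console.log(checkKeyCommitment(SAMPLE));
```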
Issue request
GET /private-state-token/issuance
Private State Token issuance request endpoint.
Redemption
GET /private-state-token/redemption
Private State Token redemption request endpoint.
Send SRR
GET /private-state-token/send-srr
Send SRR endpoint. This parses the Sec-Redemption-Record header that the client sends and sends back the Redemption Record as the response.
Commands and flags
bin/main is the build result of src/main.c.
There is a flag for each Private State Token operation:
$ main --issue $REQUEST
$ main --redeem $REQUEST
$ main --key-generate
--issue
Take an issuance request (Sec-Trust-Token HTTP Header) and return an issuance response.
--redeem
Take a redemption request (Sec-Trust-Token HTTP Header) and return a redemption response.
--key-generate
Generate private/public keys for a Private State Token and ED25519 key pair and save them in the ./keys directory.
Find out more
- Private State Token API explainer
- The Chromium Projects: Private State Token API
- Origin Trials Guide for Web Developers
- BoringSSL
This is not a Google product.