Skip to content

feat: implement the public metadata issuance protocol#56

Open
karx1 wants to merge 22 commits into
raphaelrobert:mainfrom
karx1:public-metadata
Open

feat: implement the public metadata issuance protocol#56
karx1 wants to merge 22 commits into
raphaelrobert:mainfrom
karx1:public-metadata

Conversation

@karx1

@karx1 karx1 commented Jun 16, 2026

Copy link
Copy Markdown

This PR implements the issuance protocol for Publicly Verifiable tokens with Public Metadata (token type 0xDA7A).

This is a revival of #25, rebased onto the current main branch and updated to support draft-ietf-privacypass-public-metadata-issuance-03. This PR also addresses the feedback from that PR.

This PR also pins voprf to version 0.6.0-pre.0, as cargo automatically updating to 0.6.0-pre.1 was causing compilation errors on a clean build with no Cargo.lock.

Finally, the functions verify_token and parse_authorization_str/parse_authorization_str_ext are some QoL additions that helped during development, but I'm happy to remove those if needed.

@thibmeu thibmeu left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

two main comments:

  1. there should be cross implementation test, with typescript/go. Typescript provides a JSON that has been generated by the go implementation, might be the simplest to consume
  2. I'm not sure the interface is the right one. I feel that there are way to extend method solely based on the type without introducing TokenProtocol structure

Comment thread src/lib.rs Outdated
Comment thread src/auth/authorize.rs Outdated
Comment thread src/auth/authorize.rs Outdated
Comment thread src/auth/authorize.rs Outdated
Comment thread src/auth/authorize.rs
Comment thread src/public_tokens/request.rs Outdated
Comment thread src/public_tokens/request.rs Outdated
Comment thread src/public_tokens/response.rs Outdated
Comment thread tests/public_tokens.rs
Comment thread tests/public_tokens.rs Outdated
@karx1

karx1 commented Jun 18, 2026

Copy link
Copy Markdown
Author

I've addressed most of the review comments, and now I'm looking to see how to best address the compatibility requirements between the older and newer versions of draft-ietf-privacypass-auth-scheme-extensions, and will report back.

Comment thread src/common/extensions.rs Outdated
Comment thread src/public_tokens/request.rs
Comment thread src/generic_tokens/request.rs Outdated
Comment thread src/public_tokens/server.rs
@karx1

karx1 commented Jun 25, 2026

Copy link
Copy Markdown
Author

I've decided to drop the backwards compatibility handling and conform strictly to draft-ietf-privacypass-auth-scheme-extensions-03. I'll remove those changes now, but I'm happy to revisit putting it behind a cargo feature if you'd prefer to keep that behavior available.

@karx1

karx1 commented Jun 25, 2026

Copy link
Copy Markdown
Author

Also, RFC 9577 §2.2.2 says the token field might be a quoted-string, so I'm implementing changes accordingly.

@karx1 karx1 requested a review from thibmeu June 30, 2026 20:08

@thibmeu thibmeu left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few more comments. the PR is starting to look better. some questions that remains unanswered:

  1. should we implement edtension/challenge negotiation. this is only partial atm
  2. generic batch is ok to be excluded. needs a clear documentation
  3. i feel that having a method for origin/issuer to validate the unknown metadata (given there will only be a few standardsied and the logic may be complex) seems important, or clearly documented and explain how to validate manually

Comment thread src/public_tokens/request.rs
Comment thread src/common/extensions.rs Outdated
Comment thread src/auth/authorize.rs Outdated
Comment thread src/public_tokens/request.rs
Comment thread src/public_tokens/request.rs
Comment thread README.md Outdated

@thibmeu thibmeu left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only one comment left about required extensions. overall good for me. thanks for the back and forth @karx1

@raphaelrobert remains authoritative for a review, approval, and eventual merge though

Comment thread src/common/extensions.rs Outdated
thibmeu and others added 2 commits July 8, 2026 10:58
* Add Privacy Pass expiration extension helper

Register the Expiration extension type and add typed encoding/decoding helpers for draft-ietf-privacypass-expiration-extension-00. This keeps token formats and redemption policy unchanged; callers still decide how to choose and enforce timestamps.

Also move tests off 0x0001 as a dummy extension type and cover the draft example.

* Rename expiration error variants
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants