github.com/prebid/prebid-server/v2@v2.18.0/docs/adscertsigner.md

## Ads Cert

Ads Cert is an experimental feature to support Ads.Cert 2.0 in Prebid Server.
The ads.cert protocol provides a standard method for distributing public keys so that other ads ecosystem participants can find them and use them in key exchange and message authentication processes. To simplify this process, we use the domain name system (DNS) to distribute public keys.

The detailed Ads.Cert 2.0 specification is published on the [IAB Tech Lab ads.cert website](https://iabtechlab.com/ads-cert).


### General set up
According to the [Ads Cert Authenticated Connections protocol](https://iabtechlab.com/wp-content/uploads/2021/09/3-ads-cert-authenticated-connections-pc.pdf), the requested domain must support a Call Sign Internet domain established for publishing public keys.
If the origin URL is **bidder.com**, two subdomains have to be configured to return TXT records:

`_adscert.bidder.com` returns a record in the following format:
`v=adpf a=bidder.com`

`_delivery._adscert.bidder.com` returns a record that looks like this:
`v=adcrtd k=x25519 h=sha256 p=w8f3160kEklY-nKuxogvn5PsZQLfkWWE0gUq_4JfFm8`

For testing purposes, use this test domain (the subscription will expire in May 2023):
`adscertdelivery.com`. To check the data it returns, use any online tool ([like this](https://mxtoolbox.com/SuperTool.aspx), select TXT lookup) to read the TXT records
`_delivery._adscert.adscertdelivery.com` and `_adscert.adscertdelivery.com`.

Or run the CLI command:
```
dig txt _delivery._adscert.adscertdelivery.com
```

The public key returned in `_delivery._adscert.adscertdelivery.com` was generated using the [OSS repository](https://github.com/IABTechLab/adscert).
From the project root, compile the sources and run `go run . basicinsecurekeygen`.
This returns randomly generated private and public keys and the entire value for the `_delivery._adscert.adscertdelivery.com` record.

The private key for the public key published under `_delivery._adscert.adscertdelivery.com`:
```
Randomly generated key pair
Public key: HweE1-dFJPjHO4C34QXq6myhtMuyi4X0T2rUolVzQig
Private key: U6KBGSEQ5kuMn3s_ohxYbmdmG7Xoos9hR3fJ_dDOi6Q
DNS TXT Entry: "v=adcrtd k=x25519 h=sha256 p=HweE1-dFJPjHO4C34QXq6myhtMuyi4X0T2rUolVzQig"
```

If everything is configured correctly, the `X-Ads-Cert-Auth` header will be sent to the bidder. Detailed information about the content of the header value can be found in the Ads Cert Authenticated Connections protocol specification.

### Prebid Server set up
The current Prebid Server implementation supports in-process and remote signing approaches.

#### In-Process signer
To enable AdsCerts, the following configuration should be specified.

Host config (can be set using env variables or YAML config; use the proper format):
```json
"experiment": {
    "adscert": {
      "mode": "inprocess",
      "inprocess": {
        "origin": "http://adscertdelivery.com",
        "key": "U6KBGSEQ5kuMn3s_ohxYbmdmG7Xoos9hR3fJ_dDOi6Q",
        "domain_check_interval_seconds": 30,
        "domain_renewal_interval_seconds": 30
      }
    }
}
```
#### Remote signer
To use this approach, a standalone gRPC server should be available.
One way to do this is to run it locally. For this, check out [AdsCert OSS](https://github.com/IABTechLab/adscert) and navigate to the https://github.com/IABTechLab/adscert/blob/main/cmd/server/main.go file.
Modify L17, set "origin" to `adscertdelivery.com`, make sure ports 3000 and 3001 are available, and run the main function.
In the Prebid Server configs, set the parameters for this server:
```json
"experiment": {
    "adscert": {
      "mode": "remote",
      "remote": {
        "url": "localhost:3000",
        "signing_timeout_ms": 5
      }
    }
}
```

#### General Prebid Server set up
Workaround for bidders that don't have Call Signs support yet: in the configs, change the bidder URL to `http://adscertdelivery.com/openrtb2?prebid_disabled=1`. In this case the bidder will not return bids, because this endpoint doesn't exist, but it will imitate support of Call Signs. Bidder parameters should still be valid.

AdsCert is disabled for every bidder by default. Some bidders cannot handle unsupported headers properly. To enable this feature, add the following config to the {bidder}.yaml file:
`experiment.adsCert.enabled: true`. With this config, the bidder will receive the `X-Ads-Cert-Auth` header even if it is not the only bidder in the request.

The request extension should have `request.ext.prebid.experiment.adscert.enabled: true`.

### Issues to fix:
- After server start-up, the very first request doesn't have the `X-Ads-Cert-Auth` header. It works every time after the first request.
- Bidders that don't support Call Signs don't receive a default `X-Ads-Cert-Auth` header.
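
A check for the General set up section above, as an added example that is not part of Prebid Server or the adscert project: it validates a `_delivery._adscert` TXT value in the single-key form shown on this page and derives the X25519 public key from a signer private key, so the configured `key` can be compared with the published record. The function names are hypothetical, and the field rules (space-separated `key=value` tokens, unpadded base64url, 32-byte key) are assumed from the records shown here.

```go
package main

import (
	"crypto/ecdh"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as in the records on this page

// parseDeliveryRecord validates "v=adcrtd k=x25519 h=sha256 p=<key>" (assumed
// single-key form) and returns the key re-encoded as unpadded base64url.
func parseDeliveryRecord(txt string) (string, error) {
	f := map[string]string{}
	for _, tok := range strings.Fields(txt) {
		k, v, ok := strings.Cut(tok, "=")
		if _, dup := f[k]; !ok || dup {
			return "", fmt.Errorf("malformed or repeated token %q", tok)
		}
		f[k] = v
	}
	pub, err := b64.DecodeString(f["p"])
	if err != nil || len(pub) != 32 || f["v"] != "adcrtd" || f["k"] != "x25519" || f["h"] != "sha256" {
		return "", fmt.Errorf("not a valid single-key delivery record: %q", txt)
	}
	return b64.EncodeToString(pub), nil
}

// publicKeyFor derives the base64url X25519 public key for a base64url private key.
func publicKeyFor(privB64 string) (string, error) {
	raw, err := b64.DecodeString(privB64)
	if err != nil {
		return "", err
	}
	priv, err := ecdh.X25519().NewPrivateKey(raw) // errors unless raw is 32 bytes
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(priv.PublicKey().Bytes()), nil
}

func main() {
	// Test-domain record and signer key exactly as printed on this page.
	published, err1 := parseDeliveryRecord("v=adcrtd k=x25519 h=sha256 p=HweE1-dFJPjHO4C34QXq6myhtMuyi4X0T2rUolVzQig")
	derived, err2 := publicKeyFor("U6KBGSEQ5kuMn3s_ohxYbmdmG7Xoos9hR3fJ_dDOi6Q")
	fmt.Println("key matches record:", err1 == nil && err2 == nil && published == derived)
}
```

Run the same comparison against the live `dig txt` output before enabling the in-process signer.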