This project is a set of OkHttp Interceptors that
bring Oblivious HTTP (OHTTP) support to Android apps
that use the OkHttp client.
Requests to an OHTTP Gateway are serialized into Binary HTTP format
by ok-bhttp and encapsulated/decapsulated
by ok-ohttp-encapsulator.
It is compatible with the OHTTP relay and
corresponding server implementations from Cloudflare.

    dependencies {
        implementation("com.github.flohealth:ok-ohttp-plugin:0.1.0")
    }

You can download the following artifacts:
- ok-bhttp: GitHub Releases
- ok-ohttp-encapsulator: GitHub Releases
- ok-ohttp-plugin: GitHub Releases

    import okhttp3.Cache
    import okhttp3.HttpUrl.Companion.toHttpUrl
    import okhttp3.OkHttpClient
    // plus the plugin's own imports (OhttpConfig, IsOhttpEnabledProvider, setupOhttp)

    // cache for crypto config responses; supply your own Cache instance
    val configRequestsCache: Cache

    // provide your IsOhttpEnabledProvider implementation if you need to enable/disable OHTTP in runtime
    val isOhttpEnabled: IsOhttpEnabledProvider = IsOhttpEnabledProvider { true }

    val ohttpConfig = OhttpConfig(
        relayUrl = "https://example.com/ohttp-relay".toHttpUrl(), // relay server
        userAgent = "Minimal User Agent", // user agent for OHTTP requests to the relay server
        configServerConfig = OhttpConfig.ConfigServerConfig(
            configUrl = "https://example.com/ohttp-config".toHttpUrl(), // crypto config
            configCache = configRequestsCache,
        ),
    )

    val okHttpClient: OkHttpClient = OkHttpClient.Builder()
        .addInterceptor(myInterceptor) // add all your interceptors
        .addNetworkInterceptor(myNetworkInterceptor) // add all your network interceptors
        .setupOhttp( // setup OHTTP as the final step
            config = ohttpConfig,
            isOhttpEnabled = isOhttpEnabled,
        )
    // use your OkHttpClient as usual

The IsOhttpEnabledProvider
is called on every request, so keep its implementation cheap to avoid
a per-request performance penalty.
Call setupOhttp
after adding any other interceptors.
Any Network Interceptor added after setupOhttp
will modify the request to the OHTTP Relay, not your API call request.
This can cause unexpected behavior when talking to the OHTTP Relay and can expose unwanted information about the user.
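
A read-only check for that exposure in debug or test builds, as an added example that is not part of the plugin: a network interceptor that inspects the outer request to the relay and fails the call if it carries headers outside an allowlist. `RelayRequestAuditor`, `auditRelayRequest` and the allowlist contents are hypothetical names and assumed values; only OkHttp's own API is used.

```kotlin
import java.io.IOException
import okhttp3.HttpUrl
import okhttp3.Interceptor
import okhttp3.Request
import okhttp3.Response

// Headers expected on the outer relay request: the ones OkHttp's bridge adds plus
// User-Agent and the body headers. Assumed baseline; adjust to what your relay needs.
val DEFAULT_RELAY_HEADERS = setOf(
    "host", "connection", "accept-encoding",
    "user-agent", "content-type", "content-length",
)

// Returns the list of problems found on a request addressed to the OHTTP relay.
fun auditRelayRequest(
    request: Request,
    allowedHeaders: Set<String> = DEFAULT_RELAY_HEADERS,
): List<String> {
    val problems = mutableListOf<String>()
    // The README states that every OHTTP request is transformed into a POST.
    if (request.method != "POST") problems += "unexpected method ${request.method}"
    // Anything outside the allowlist (Cookie, Authorization, device or session ids)
    // travels outside the encapsulated body and is readable by the relay.
    request.headers.names()
        .map { it.lowercase() }
        .filterNot { it in allowedHeaders }
        .forEach { problems += "unexpected header on relay request: $it" }
    return problems
}

// Read-only network interceptor (hypothetical helper) for debug and test builds.
class RelayRequestAuditor(private val relayUrl: HttpUrl) : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request()
        // Only audit requests that are actually addressed to the relay endpoint.
        if (request.url.host == relayUrl.host && request.url.encodedPath == relayUrl.encodedPath) {
            val problems = auditRelayRequest(request)
            if (problems.isNotEmpty()) throw IOException("OHTTP relay audit failed: $problems")
        }
        // The request is passed on unchanged; this interceptor never modifies it.
        return chain.proceed(request)
    }
}
```

To see the relay request it has to be registered as a network interceptor after setupOhttp, the position described above, constructed with the same relay URL that was passed to OhttpConfig; keep it out of release builds.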
If you build several OkHttp clients, we suggest creating a single instance of OhttpConfigurator and configuring all your OkHttp clients with it. This will reduce the amount of OHTTP CryptoConfig requests.
By the nature of Oblivious HTTP, you can't inspect OHTTP traffic using sniffers. For debugging purposes, you can still use logs to see the request and response content (e.g. OkHttp Logging Interceptor).
Though all OHTTP requests are transformed into POST requests, user requests are still cached by the OkHttp cache.
As the OHTTP Plugin significantly changes the client-server interaction and protocol, we can't prove that every feature of the HTTP protocol and the OkHttp client will work correctly with OHTTP enabled. Please perform proper testing for your cases before use.
All limitations of ok-bhttp and ok-ohttp-encapsulator also apply.
Released under MIT License.