How to set up a paywall with Azion JWT solution

The JWT edge function is a serverless solution of Azion Marketplace for processing and validating JWT (JSON Web Token) tokens. It can be used to create paywall solutions that allow you to control access to content by subscription.

With this system, the application optimizes operations and reduces the processing load on the client’s infrastructure by identifying directly at the edge whether the person attempting to access a particular page is authorized or not.

Some other benefits of JWT solution are:

  1. Provides application development flexibility to the client.
  2. Processes the tokens in a distributed infrastructure of edge nodes.
  3. Gives the ability for business rules execution at the edge.

In a JWT paywall implementation, the origin application and the function on edge have different roles:

Originating Application: this determines the logic around how the token is generated and when it’ll expire. It also determines how user access is controlled, such as which authentication method is used (OAUTH, OpenID Connect, etc.), the number of access attempts or bytes the customer can use before being prompted to log in, or the amount of time the customer can browse without further authorization (expiration).

The token uses an industry standard for HTTP authentication, the Bearer Authentication Scheme, which stores JSON objects with request authentication information that must be added to the header of every request passing through edge.

Edge Function JWT: validates the application-generated token for each request received and sent by the user. The function follows the business rules defined in the token and can combine these with other elements on the edge to define what behavior should be applied (allowing access or redirecting to the application, usually a logon/sign-in page).

The edge function JWT is available in Azion Marketplace. You can access Azion Matketplace by Azion Console, on the Products menu on the upper-left corner, represented by three horizontal lines.

To be executed, the function must be instantiated in the Edge Application. Its activation criteria and behavior must also be defined within the Rules Engine in accordance with the approach already configured in the source application (for example, proprietary versions of OAuth, OpenID, etc., or market versions such as Auth0, Keycloak, etc.).

To create a JWT function, you can refer to the guide on How to install the JWT solution from Azion Marketplace

Parameters: once you’ve selected the JWT function on you edge application a form with the source code will appear in the Code field. It’s just for information, you can’t change it. On the Args tab, you’ll pass the list of KID pairs (key IDs) and secret keys used to generate the signature of the token and save the function.

The list of pairs is defined in its source application, as in the example below:

"kids": {
"4546D4AA7F62F01A833A7ABE354030E7": "D6CB2342E44EFB6DD628276F36DA2359",
"D6CB2342E44EFB6DD628276F36DA2359": "60BD8ED7A768E8BD6925BEB0A691AADB",
"60BD8ED7A768E8BD6925BEB0A691AADB": "4546D4AA7F62F01A833A7ABE354030E7"

Defining the rule on Rules Engine

Section titled Defining the rule on Rules Engine

The rules on Rules Engine will determine the set of conditions that need to be met for behaviors to be executed. You can either use the Default Rule or create a new rule.

Defining the validation criteria

Section titled Defining the validation criteria

Choose the variables, comparison operators, and strings to create your business rule, as in the following example:

If: ${uri} starts with /news

Logic: logical operator, variable, comparison operator, string.

Here, the rule is executed if a URL starts with the string /news.

Add the behaviors you want to be carried out when the rule’s conditions are met. Example:

Then Run Function and chose JWT (or any other name you gave it).

Logic: logical operator, action, function.

In this example, if the conditions defined in the rules are satisfied, then the JWT function will be executed.

Note: an error code will be returned if the token received is invalid. The function will return an HTTP status code 400 or 401, depending on the error.

Finally, save your edge application and the new function will be ready.