
Protecting restricted content from improper access with Azion Secure Token

Azion Secure Token is a serverless function of Azion Edge Functions that enables you to process and validate tokens that can be used to control access to restricted or customized content, such as lessons, videos and pictures.

Although access to this content occurs through interfaces that require user authentication, it’s possible to view these files directly via their URLs, which makes them easy to share.

With Secure Token implemented, even if a URL is shared, access is only granted once the token has been validated.

Other advantages of Secure Token:

  1. Flexibility when developing applications.
  2. Tokens are processed through a distributed Edge infrastructure.
  3. The option to run business rules on the Edge.

How it works

When implementing Secure Token access controls, the source application and the Function in Edge have different roles:

  • Originating application: determines the logic for how the token is generated and how users’ access will be controlled, for example which authentication method (OAuth, OpenID Connect, etc.) will be used. The token is a hash of the URL whose content is being requested, and it includes an expiry period for the token itself and a secret key.

  • Edge Function Secure Token: validates the token generated by the application on each request the user sends. If the token has expired, the secret is not correct, or the token is not valid for the relevant URL, access to the content will be denied.

It’s also possible to combine these with other elements in Edge to define which behavior should be applied (authorize access or forward to the application, usually a login / sign-up page).

Configuring the Secure Token Function

The Secure Token is an Edge Function available on the Edge Application and can be accessed through Real-Time Manager (RTM).

To run, the Secure Token function must be instantiated in the Edge Application that you want it to protect. Its activation Criteria and Behaviors will also need to be defined within the Rules Engine, according to the approach already configured in the originating application: for example, proprietary implementations of OAuth, OpenID, etc., or market solutions such as Auth0, Keycloak, etc.

Creating an Instance

Path: Real-Time Manager (RTM) > Edge Application > Edge Functions.

From the RTM, go to the Edge Application that will run your function and, within the Functions tab, add another function, and give it a distinctive name.

Parameters: select the function for this instance — in this case, Secure Token. Note that the function code that appears in the Code field is just for information. On the Args tab, enter the secret key used to generate the signature of the token and click Save.

Example:

{
   "secure_token_secret": "mysecretkey"
}

Example of the configuration of JSON Args parameters

Defining the execution Criteria (Rules Engine)

Path: Real-Time Manager (RTM) > Edge Application > Rules Engine.

The rules (or Rules Engines) determine the set of conditions that need to be met for Behaviors to be executed. You can either use the Default Rule or create a new rule after setting the validation parameters and the Behaviors that the Edge Application will execute.

To define the validation criteria (Criteria), choose the variables, comparison operators, and strings to create your business rule.

Example:

If: ${uri} starts with /classes

Order: logical operator, variable, comparison operator, string.

The rule is executed if the URL accessed starts with the string “/classes”.

To define the Behaviors, add the Behaviors you want to be carried out when the rule’s conditions are met.

Example:

Then: Run Function MySecureToken

Order: logical operator, action, function.

In this example, if the conditions defined in the rules are satisfied, then the MySecureToken function will be executed.

If the token received is invalid, the function will return an HTTP status code 403 or 410, depending on the type of error.

After configuration, click Save, and your Edge Application will be ready to execute your new function.
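
The token flow described under "How it works", as an added example that is not Azion's function code or token format. It assumes HMAC-SHA256 over the path and expiry, hypothetical `token` and `expires` query parameters, and that an expired token maps to 410 while every other failure maps to 403.

```javascript
// Added example: illustrative scheme only, not Azion's implementation.
const crypto = require("node:crypto");

// Same value as "secure_token_secret" in the function's JSON Args.
const SECRET = "mysecretkey";

// Keyed hash over path and expiry, so a token cannot be reused for
// another URL and its lifetime cannot be extended by editing the query.
function sign(secret, path, expires) {
  return crypto.createHmac("sha256", secret)
    .update(`${path}\n${expires}`)
    .digest("base64url");
}

// Originating application: called only after the user has authenticated.
function issueUrl(secret, path, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const expires = now + ttlSeconds;
  return `${path}?expires=${expires}&token=${sign(secret, path, expires)}`;
}

// Edge side: returns the HTTP status the request would receive.
function validate(secret, requestUrl, now = Math.floor(Date.now() / 1000)) {
  // Placeholder base; only the path and query string are used.
  const url = new URL(requestUrl, "https://edge.example");
  const token = url.searchParams.get("token") || "";
  const expiresRaw = url.searchParams.get("expires") || "";
  if (!/^\d{1,12}$/.test(expiresRaw)) return 403; // missing or malformed
  const expected = Buffer.from(sign(secret, url.pathname, expiresRaw));
  const given = Buffer.from(token);
  // Constant-time comparison; timingSafeEqual throws on unequal lengths,
  // so the length is checked first.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return 403;
  // Expiry is evaluated only after the signature is known to be genuine.
  if (now > Number(expiresRaw)) return 410;
  return 200;
}
```

Paths containing characters that `URL` percent-encodes would need the same normalisation on both sides before signing.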

