How to install the Secure Token solution through Azion Marketplace

Azion Secure Token is a serverless solution available at Azion Marketplace.

With the help of the Azion Secure Token solution, you can make token-based, time-limited URLs. The creation and validation of signatures for cookies, authentication headers, and other security measures can be done using these tokens, which can be altered in a variety of ways. Utilizing both HLS and Progressive Download, the solution is frequently used to secure video assets, including those used for live streaming and on-demand content.


To use the Secure Token solution provided by Azion Marketplace, you have to:

  1. Log in to your Real-Time Manager (RTM) account.
  2. On the upper-left corner of the page, select Products menu > Marketplace.
  3. Select the search box and type “secure token” or browse through the cards to find the Secure Token solution.
  4. Once you’ve found the Secure Token card, select it to go to the solution page.
  5. On the solution page, look for the Subscribe for section on the bottom-right corner.
  6. Click the Get It Now button.

You’ll see a message indicating that your solution was successfully installed and is ready to use.


In order to use this solution, you’ll have to generate a token. To do so, follow these steps:

  1. Go to the Azion’s Secure Token GitHub repository.
    • In this repository, you’ll find a brief explanation about how the Secure Token is generated and how to use it.
  2. In the repository, you’ll find two example scripts to generate the tokens, a Python and a PHP script. You can run them locally and generate the token or you can generate these tokens on your own platform with your own code.
  3. Save the generated token, whatever may be the way you generated it through.

Note: using the Python script as an example, you’ll have the following source code:

#!/usr/bin/env python
import base64
import hashlib
secret = 'mysecret'
uri = '/my/uri'
expire = '1470055000'
md5 = hashlib.md5()
md5.update(secret + uri + expire)
token = base64.b64encode(md5.digest()).replace('=','').replace('+','-').replace('/','_')
print 'http://www.example.org%s?st=%s&e=%s' % (uri, token, expire)

Where:

  • secret = a string of your choice that will be used to generate the token.
  • uri = the URI to use with the token.
  • expire = the expiration time of the token.

Setting up the Edge Firewall rule

Section titled Setting up the Edge Firewall rule

To instantiate the Secure Token solution, follow the steps:

  1. In the Products menu, select Edge Firewall in the SECURE section.
  2. Click the Add Rule Set button.
  3. Give an easy to remember name to your new rule.
  4. Select the domains you want to protect with the function.
  5. Turn the Edge Functions switch on.
  6. Click the Save button.

Done. Now you’ve instantiated the rule for your function.

To instantiate the Secure Token solution, while still on the Edge Firewall page, select the Functions tab and follow these steps:

  1. Click the Add Function button.
  2. Give an easy-to-remember name to your instance.
  3. On the dropdown menu, select the Secure Token function.

This action will load the function, showing a form with the function code and, just above it, two tabs: Code and Args. By clicking the Code tab, you’ll be able to navigate through the code but not change it. In the same box, you have another tab: the Args tab. On the Args tab, you’ll pass the secret that you used to generate the token previously.

The Args tab will load a JSON file that looks like this:

{
"secure_token_secret": "thatisthesecret"
}

Where the secure_token_secret will be the secret string you’ve passed on the code when generating the token on the previous step.

Click the Save button and you’re done. Your Edge Firewall Secure Token solution is instantiated.


To finish, you have to set up the Rules Engine to configure the behavior and the criteria to run the function.

Still in the Edge Firewall page, select the Rules Engine tab and follow these steps:

  1. Click the New Rule button.
  2. Give a name to the rule.
  3. Select a criteria to run and catch the domain you want to run the solution on. For example: if Hostname is equal xxxxxxxxxxxx.map.azionedge.net/classes.
  4. Below, select the Run Function behavior to the criteria.
  • Select the adequate Secure Token function according to the name you gave it in the instantiate step.
  1. Click the Save button.

Done. Now the Secure Token solution is running for every request made to the domain you indicated.

Important: Azion Nginx running on edge servers performs two checks on tokens: whether the current time is greater than the expiration time specified in the token, and whether the signature matches the token signature. If the signature is invalid, Nginx returns a 403 error, and if the expiry time is exceeded, it returns a 410 error. Malicious users aren’t able to change token expiry time without breaking signature.


You can find some examples of code snippets at the Azion public GitHub repository for Secure Token solution and you can read a use case for this solution at Azion’s documentation page.


Contributors