Protect restricted content from improper access with Azion Secure Token


Azion Secure Token is a serverless function of Azion’s Edge Computing platform that enables you to process and validate tokens that can be used to control access to restricted or customized content, such as lessons, videos and pictures.

Although access to this content normally goes through interfaces that require user authentication, the files can also be viewed directly via their URLs, which makes them easy to share. With the Edge Function Secure Token implemented, even if a URL is shared, access is only granted once the token has been validated.

Some other advantages of Edge Function Secure Token:

  1. Gives the client flexibility when developing applications;
  2. Token processing through a distributed Edge Nodes infrastructure; and
  3. The option to run business rules on the Edge.

How it works

When implementing Secure Token access controls, the source application and the Function in Edge have different roles:

Originating application: this determines the logic for how the token is generated and how users’ access will be controlled - for example, which authentication method (OAuth, OpenID Connect, etc.) will be used.

The Token is a hash computed over the URL of the content being requested, the expiry time of the token itself and a secret key (Secret) shared with the Edge Function.

See examples of Secure Token generation codes on Github for more information: https://github.com/aziontech/secure_token.

Edge Function Secure Token: this validates the token generated by the application for each request received and sent by the user. If the Token has expired, the Secret is not correct or the Token is not valid for the relevant URL, access to the content will be denied.

It is also possible to combine these with other elements in Edge to define which behavior should be applied (authorize access or forward to the application, usually a login / sign-up page).
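The split of roles described above, as an added example that is not part of the original page or of Azion’s secure_token repository: a constructed signed-URL scheme (HMAC-SHA256 over expiry and path, carried in the assumed query parameters `e` and `st`) with the originating application’s signer beside the edge-side validator. The mapping of expiry to 410 and of a wrong Secret or a mismatched URL to 403 is an assumption; Azion’s actual token format is in the GitHub repository linked above.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed example: the token binds the expiry time and the request
# path to a Secret shared between the application and the edge function.
SECRET = "mysecretkey"  # same value as the secure_token_secret arg


def _sign(path, expiry, secret):
    """HMAC-SHA256 over '<expiry>|<path>', URL-safe base64 without padding."""
    msg = f"{expiry}|{path}".encode()
    digest = hmac.new(secret.encode(), msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(url, secret, ttl, now=None):
    """Originating-application side: append a token valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [("e", str(expiry)), ("st", _sign(parts.path, expiry, secret))]
    return parts._replace(query=urlencode(params)).geturl()


def validate(url, secret, now=None):
    """Edge-function side: return 200 to authorize, else an error status."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "st" not in params or not params.get("e", "").isdigit():
        return 403  # token or expiry missing / malformed
    expiry = int(params["e"])
    if now >= expiry:
        return 410  # assumed: expired token -> Gone
    expected = _sign(parts.path, expiry, secret)
    if not hmac.compare_digest(expected, params["st"]):
        return 403  # wrong Secret, or token issued for a different URL
    return 200


if __name__ == "__main__":
    signed = sign_url("https://cdn.example.com/classes/lesson1.mp4", SECRET, 300)
    print(signed, validate(signed, SECRET))
```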

Configuring the Secure Token Function

Edge Function Secure token is available from the function library of Azion’s Edge Computing platform and can be accessed through Real-Time Manager (RTM), from the Edge Computing menu.

In order to run, the function must be instantiated in the Edge Application that you want it to protect. Its activation criteria and behaviors also need to be defined in the Rules Engine, according to the approach already configured in the originating application (for example, an in-house implementation of OAuth, OpenID Connect, etc., or a market solution such as Auth0 or Keycloak).

Creating an Instance

Path: Real-Time Manager > Edge Computing > Edge Application > Functions.

From the RTM, go to the Edge Application that will run your function and, within the Functions tab, add another function, this time giving it a distinctive name.

Parameters: select the function for this instance; in this case, choose Secure Token. Note that the function code shown in the Code field is for information only. On the Args tab, enter the secret key used to generate the token signature - see the example below - and save the function.

{
   "secure_token_secret": "mysecretkey"
}

Example of the configuration of JSON Args parameters

Defining the Execution criteria (Rules Engine)

Path: Real-Time Manager > Edge Computing > Edge Application > Rules Engine.

The rules (or Rules Engines) determine the set of conditions that need to be met for Behaviors to be executed. You can either use the Default Rule or create a new rule after setting the validation parameters and the behaviors that the Edge Application will execute.

Defining validation criteria (criteria): choose the variables, comparison operators and strings to create your business rule, as in the following example:

  • If: ${uri} starts with /classes (fields: logical operator, variable, comparison operator, string)

Here, the rule is executed if the URL accessed starts with the string “/classes”.

Defining Behaviors (behaviors): add the behaviors you want to be carried out when the rule’s conditions are met. Example:

  • Then: Run Function MySecureToken (fields: logical operator, action, function)

In this example, if the conditions defined in the rule are satisfied, the function MySecureToken is executed.

Error code returned: if the token received is invalid, the function returns an HTTP status code 403 or 410, depending on the error.

Finally, save your Edge Application; it is now ready to run the new function.
