Paywall with Edge Function JWT

Edit on GitHub

Edge Function JWT is a serverless function of Azion’s Edge Computing platform for processing and validating JWT (JSON Web Token) tokens that can be used to create paywall solutions, allowing you to control access to content by subscription.

Using this system, the application identifies whether the individual trying to access a certain page has been authorized or not, directly on the Edge, which optimizes the operation and reduces the processing load on the client’s infrastructure.

Some other advantages of Edge Function JWT:

  1. Gives the client flexibility when developing applications;
  2. Token processing through a distributed Edge Nodes infrastructure; and
  3. The option to run business rules on the Edge.

How it works

When implementing a Paywall with JWT, the origin application and the Function in Edge have different roles:

Originating application: This determines the logic around how the token is generated and when it expires. It also determines how users’ access will be controlled - for example, which authentication method (OAUTH, OpenID Connect, etc.) will be used, the number of access attempts or bytes that the customer can use before login is requested or the amount of browsing time without further authorization (expiration).

The token uses an industry standard for HTTP authentication, the bearer authentication scheme, which stores JSON objects with information that allows a request to be authenticated, which must be added to the header of every request that passes through Edge.

Edge Function JWT: this validates the token generated by the application for each request received and sent by the user. The function follows the business rules defined in the token, and can combine these with other elements in Edge to define which behavior should be applied (authorize access or forward to the application, usually a login / sign-up page).

Configuring the JWT function.

Edge Function JWT is available from the function library of Azion’s Edge Computing platform and can be accessed through Real-Time Manager (RTM), from the Libraries menu.

In order to be run, the function must be instantiated in the Edge Application that you want it to function for. Its activation criteria and behaviors will also need to be defined within the Rules Engine according to the approach already configured in the originating application (e.g.: proprietary versions OAuth, OpenID, etc., or market ones, such as Auth0, Keycloak, etc.).

Creating an Instance

Path: Real-Time Manager > Edge Services > Edge Applications > Functions.

From the RTM, go to the Edge Application that will run your function and, within the Functions tab, add another function, this time giving it a distinctive name.

Parameters: select the function for this instance; in this case, choose JWT. Note that the function code that appears in the Code field, is just for information. On the Args tab, enter the list of KID pairs (key IDs) and secret keys used to generate the signature of the token - see example below - and save the function. The list of pairs is defined in its source application.

  “kids”: {
    “4546D4AA7F62F01A833A7ABE354030E7": “D6CB2342E44EFB6DD628276F36DA2359”,
    “D6CB2342E44EFB6DD628276F36DA2359": “60BD8ED7A768E8BD6925BEB0A691AADB”,
    “60BD8ED7A768E8BD6925BEB0A691AADB”: “4546D4AA7F62F01A833A7ABE354030E7”

Example of the configuration of JSON Args parameters

Defining the Execution criteria (Rules Engine)

Path: Real-Time Manager > Edge Services > Edge Applications > Rules Engine.

The rules (or Rules Engines) determine the set of conditions that need to be met for Behaviors to be executed. You can either use the Default Rule or create a new rule after setting the validation parameters and the behaviors that the Edge Application will execute.

Defining validation criteria (criteria): choose the variables, comparison operators and strings to create your business rule, as in the following example:

  • If: ${uri} starts with /news (next: logical operator, variable, comparison operator, string)

Here, the rule is executed if a URL starts with the string “/news”.

Defining Behaviors (behaviors): add the behaviors you want to be carried out when the rule’s conditions are met. Example:

  • Then: Run Function MyJwtFunction (next: logical operator, action, function)

In this example, if the conditions defined in the rules are satisfied, then the function MyJwtFunction will be executed.

Error code returned: if the token received is invalid, the function will return an HTTP status code 400 or 401, depending on the error.

Finally, save your Edge Application and the new function will be ready.

Didn’t find what you were looking for? Open a support ticket.