Gunther Kochmann

Ever wondered how to protect your assets with token auth (=EdgeAuth 2.0)?

Blog Post created by Gunther Kochmann Employee on Feb 26, 2016

If so, then this might help you.

 

First of all the basics:

  • the token as such must be created by you / within your infrastructure
  • for doing so, Akamai provides a piece of code that is available in various "languages" like Python, Java, PHP, C++, Perl, Ruby, Erlang, Go
  • the token may be sent along with the object request by means of cookie, request header or query string
  • the Akamai Edge server evaluates the validity by creating the token itself from the same parameters, where at least one of them (the key) is a (pre-)shared secret between Akamai and you
  • if both tokens (the one created by you and the one created by the Edge server) match, content will be delivered from cache or fetched from whatever is the origin for this object (might be NetStorage)
  • the benefit is that Akamai does not have to send a request to an auth server and wait for the response before it can deliver the object
  • large objects which must be access restricted do not have to be delivered through your origin, but may stay on NetStorage

 

One example request flow:

  • user logs in to a portal / restricted access site
  • user clicks a link to download an object for which access restrictions apply
  • now that link URL for the object to download must be custom for that particular user, e.g. contain a query string with the auth token for this URL
  • the user's browser requests that URL, which is served by Akamai
  • Akamai verifies the token in the query string
  • if valid, deliver content from cache or fetch it from its repository (like NetStorage) and then deliver
  • if invalid, send a 403 DENIED

 

How to set up:

    1. Akamai configuration

    • use the behavior "Auth Token 2.0 Verification"
    • nest it under a set of criteria, like path, hostname, file suffix, etc. (so that it typically does not apply to all requests)

 

            Example - where the object is then fetched from NetStorage:

[Screenshot: token-auth.GIF]

 

    2. Origin side (example)

    • fetch EdgeAuth code from LUNA Control Center at Support -> User and Developer Guides -> SecureHD Policy Editor -> Token Generator Code Component (https://control.akamai.com/dl/customers/SPE/EdgeAuth-latest.zip)
    • decide which implementation you would like to work with (for the sake of this example I have picked Python)
    • install code and libraries on your system
    • for an explanation of the mandatory and optional fields required refer to the README file which is part of the ZIP archive
    • in my example I can create a token with the following command:

 

[This example assumes an encryption key of 829bce29ce6b91a8c1bf355e and allows access with the same token to all objects within this path.]

EdgeAuth-2.0.1/python/AkamaiToken.py --algo=sha256 --key=829bce29ce6b91a8c1bf355e --window=3600 --acl=/objects_to_protect_by_EdgeAuth_token/*

 

result:

st=1456500714~exp=1456504314~acl=/objects_to_protect_by_EdgeAuth_token/*~hmac=cb2cdb4c1383e22f1a395fb633ed5fdcf2f9b3b16868cc3eb797f2620b647d56

 

In case you would not want to grant access to all objects within the same path as in the example above, you may specify the path and filename without a wildcard.

 

E.g.

EdgeAuth-2.0.1/python/AkamaiToken.py --algo=sha256 --key=829bce29ce6b91a8c1bf355e --window=3600 --acl=/objects_to_protect_by_EdgeAuth_token/file.zip


    3. Client side (example)

    • in order to test this token, simply add the following Cookie to your object request [the cookie name depends on the Token Name in the Auth Token Verification 2.0 behavior]:


Cookie: __token__=st=1456500714~exp=1456504314~acl=/objects_to_protect_by_EdgeAuth_token/*~hmac=cb2cdb4c1383e22f1a395fb633ed5fdcf2f9b3b16868cc3eb797f2620b647d56
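To make the token format from sections 2 and 3 (and the "both sides compute the same token" idea from the basics) concrete, here is an added example that models both halves: a generator that builds the st/exp/acl/hmac string, and a verifier that does what the Edge server is described as doing (recompute the HMAC with the shared key, then apply the time window and the ACL). This is my own illustration, not Akamai's AkamaiToken.py or Edge code. It assumes the EdgeAuth 2.0 convention that the HMAC-SHA256 is computed with the hex-decoded key over everything before "~hmac=", that ACL wildcards behave like shell-style "*" / "?" patterns and that several ACL entries are separated by "!"; the key, timestamps and ACL are the ones used in the post, but the hmac value printed on the page is not reproduced or checked here.

```python
import fnmatch
import hashlib
import hmac
import time

# Values from the blog post (constructed test data, not a production key).
KEY_HEX = "829bce29ce6b91a8c1bf355e"
ACL_PATH = "/objects_to_protect_by_EdgeAuth_token/*"


def make_token(key_hex, acl, window, start=None):
    """Build an EdgeAuth-2.0-style token: st=..~exp=..~acl=..~hmac=...
    Assumption: the HMAC covers the '~'-joined fields that precede it."""
    start = int(time.time()) if start is None else int(start)
    fields = [f"st={start}", f"exp={start + int(window)}", f"acl={acl}"]
    hash_source = "~".join(fields)
    digest = hmac.new(bytes.fromhex(key_hex), hash_source.encode("utf-8"),
                      hashlib.sha256).hexdigest()
    return f"{hash_source}~hmac={digest}"


def verify_token(key_hex, token, request_path, now):
    """Edge-side check as the post describes it: recompute the token from the
    shared key and compare, then enforce the validity window and the ACL.
    Returns (ok, reason) so that a 403 decision can be logged with a cause."""
    body, sep, given = token.rpartition("~hmac=")
    if not sep:
        return False, "missing hmac"
    expected = hmac.new(bytes.fromhex(key_hex), body.encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: a tampered or wrongly keyed token fails here.
    if not hmac.compare_digest(expected, given):
        return False, "bad hmac"

    fields = {}
    for part in body.split("~"):
        name, _, value = part.partition("=")
        fields[name] = value

    if "st" in fields and now < int(fields["st"]):
        return False, "not yet valid"
    if "exp" not in fields or now >= int(fields["exp"]):
        return False, "expired"

    acl = fields.get("acl")
    if acl is None:
        return False, "no acl"
    # Assumption: '!' separates multiple ACL entries, '*' and '?' are wildcards.
    if not any(fnmatch.fnmatchcase(request_path, pattern)
               for pattern in acl.split("!")):
        return False, "path not in acl"
    return True, "ok"


if __name__ == "__main__":
    token = make_token(KEY_HEX, ACL_PATH, 3600, start=1456500714)
    print("Cookie: __token__=" + token)
    for path, now in [("/objects_to_protect_by_EdgeAuth_token/file.zip", 1456500715),
                      ("/elsewhere/file.zip", 1456500715),
                      ("/objects_to_protect_by_EdgeAuth_token/file.zip", 1456504314)]:
        print(path, now, verify_token(KEY_HEX, token, path, now))
```

Running the script prints a token in the same shape as the one in the post and shows the three outcomes a practitioner cares about: a request inside the ACL during the window is accepted, a request outside the ACL is refused, and a request at or after exp is refused. Because the HMAC covers st, exp and acl, a client that edits any of them (for example to extend exp) fails the "bad hmac" check before the window or ACL is even looked at.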

 

Alternatives:

  • use query strings to send the token (depends on settings in the Auth Token Verification 2.0 behavior)
  • specify an 'end time' rather than a 'window' of token validity
  • toggle advanced options in the Property Manager behavior for Edge Auth to get further parameter options (which of course need to be considered/provided in the token generator as well):

 

[Screenshot: advanced.GIF]

 

PS: Please note that your contract / product must be ready to give access to this feature. For questions turn to your Client Services Manager or Account Executive.
