Token Authentication
Overview
Token authentication is a simple and reliable access control strategy that verifies URL access through authentication rules, effectively preventing malicious brushing of site resources. The usage of this function requires the cooperation of the client and EdgeOne. The client is responsible for initiating encrypted URL requests, and EdgeOne is responsible for verifying the legality of the URL based on pre-set rules.
Function principle
The implementation of Token authentication mainly consists of the following two parts:
Client: Initiate the authentication URL request based on the authentication rules (including authentication algorithm, key).
EdgeOne node: Verify the authentication information (md5 string + timestamp) in the authentication URL. When the verification is passed, the access request will be considered as a valid request, and the node will respond normally. If the verification fails, the node will reject the access and directly return 403.
Token authentication URL generation and verification tool
EdgeOne provides a generation tool and verification tool for Token authentication URLs. Developers can use this tool to quickly and accurately generate and verify anti-leeching URLs that meet the requirements.
Directions
1. Log in to the EdgeOne console, click on the site list in the left menu bar, and click on the site to be configured in the site list.
2. On the site details page, click on the rule engine.
3. On the rule engine management page, click Create Rule to enter the editing page of the new rule.
4. On the rule editing page, set the matching conditions that trigger this rule.
5. Click Operation > Select Box, and select Token Authentication in the pop-up operation list. The parameter configuration instructions are as follows:
Parameter | Description |
Method | Currently, 4 authentication signature calculation methods are supported. Please choose the appropriate method based on the access URL format. For details, please refer to the authentication method. |
Primary key | The primary password, consisting of 6-40 uppercase and lowercase English letters or numbers. |
Secondary key | The secondary password, consisting of 6-40 uppercase and lowercase English letters or numbers. |
Authentication parameter | An authentication parameter must be between 1-100 characters and contains letters, numbers and underscores. The parameter value will be authenticated by nodes. |
Validity period | Validity period of the authentication URL (1-630720000 seconds). It determines whether a client request is valid: If the time "timestamp + validity period" is reached, the request is considered expired and a 403 is returned. If the current time does not exceed the "timestamp + valid duration" time, the request is not expired and continues to verify the md5 string. |
Authentication Methods
Method A
Authentication URL format
http://Hostname/Filename?sign=timestamp-rand-uid-md5hash
Field description
Field | Description |
Hostname | Site domain name. |
Path | Path to access the resource, which must start with "/". |
sign | Custom name of the authentication parameter. |
timestamp | A positive decimal integer, indicating the number of seconds elapsed since 00:00:00, January 1, 1970 at UTC. It does not change regardless of your time zone. |
rand | Random string, which contains letters and digits. Length: 0–100. |
uid | User ID (not in use), which defaults to 0. |
md5hash | A fixed-length 32-bit string calculated with the MD5 algorithm: Authentication algorithm: MD5 (Path-timestamp-rand-uid-key). Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403. |
Method B
Authentication URL format
http://Hostname/timestamp/md5hash/Filename
Field description
Field | Description |
Hostname | Site domain name. |
Path | Path to access the resource, which must start with "/". |
timestamp | Timestamp. Format: YYYYMMDDHHMM (represented in UTC+8), such as 201807301000. |
md5hash | A fixed-length 32-bit string calculated with the MD5 algorithm: Authentication algorithm: MD5 (key + timestamp + Path). Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403. |
Method C
Authentication URL format
http://Hostname/md5hash/timestamp/Filename
Field description
Field | Description |
Hostname | Site domain name. |
Path | Path to access the resource, which must start with "/". |
timestamp | Unix timestamp. Format: A positive hex integer, indicating the number of seconds elapsed since 00:00:00, January 1, 1970 at UTC. It does not change regardless of your time zone. |
md5hash | A fixed-length 32-bit string calculated with the MD5 algorithm: Authentication algorithm: MD5 (key + Path + timestamp). Note that you should remove the identifier 0x from a hex timestamp before calculation. Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403. |
Method D
Authentication URL format
http://Hostname/Filename?sign=md5hash&t=timestamp
Field description
Field | Description |
Hostname | Site domain name. |
Path | Path to access the resource, which must start with "/". |
sign | Custom name of the authentication parameter. |
t | Custom name of the timestamp parameter. |
timestamp | Unix timestamp. Format: A positive decimal/hex integer, indicating the number of seconds elapsed since 00:00:00, January 1, 1970 at UTC. It does not change regardless of your time zone. |
md5hash | A fixed-length 32-bit string calculated with the MD5 algorithm: Authentication algorithm: MD5 (key + Path + timestamp). Note that you should remove the identifier 0x from a hex timestamp before calculation. Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403. |
Configuration Sample
The following configuration sample shows how to authenticate a request for
http://www.example.com/test.jpg
with Method A:
Getting authentication parameters
Path:
/foo.jpg
timestamp:
1647311432
. The timestamp is returned as a 10-digit positive decimal integer indicating that the authentication URL is generated at 10:30:32, March 15, 2022 (UTC+8).rand:
J0ehJ1Gegyia2nD2HstLvw
uid:
0
key:
3C9mxSGzc8ZadmGNzE
md5hash: MD5 (Path-timestamp-rand-uid-key) = MD5 (
/foo.jpg
-1647311432
-J0ehJ1Gegyia2nD2HstLvw
-0
-3C9mxSGzc8ZadmGNzE
) = ecce3150cbdaac83b116d937777ca77fGenerating an authentication URL
http://www.example.com/foo.jpg?sign=1647311432-J0ehJ1Gegyia2nD2HstLvw-0-ecce3150cbdaac83b116d937777ca77f
Authenticating the request
After the request is initiated via an encrypted URL, the node parses the value of the "timestamp" parameter from the URL to determine whether the request is valid:
If the time "timestamp + validity period" is reached, the request is considered expired and a 403 is returned.
If the time "timestamp + validity period" is not reached, the request is considered valid and will be authenticated.
The node compares the calculated
md5hash
value with the md5hash
value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403.Must-knows
1. After Authentication is passed, the node will automatically ignore the Authentication-related parameters in the URL to improve the Cache hit rate and reduce the amount of origin-pull.
2. The origin-pull request URL cannot contain any Chinese characters.