token-auth
The token-auth behavior allows the Customer to configure the Edge server to control access to content through the use of tokens. The token can be transmitted in the client request in a cookie, header, or query parameter. Note that this behavior does not generate tokens, so the Customer is responsible for generating the appropriate token. Refer to the "IaaS Features Handbook" for details.
The settings that can be specified in the params parameter (required) are as follows.
- tokenName (required)
- Token name. This is the name by which the token can be found in the header, cookie, or query parameter. A string that matches the following regex:
^([a-zA-Z][a-zA-Z0-9-_]*)$
- tokenDelimiter (optional)
- A single character used to separate the individual fields of the token. If not specified, the delimiter is assumed to be "~". The character must NOT be one of the following, which are not allowed:
a-z A-Z & 0-9 = & / \ : %
- aclDelimiter (optional)
- A single character used as the delimiter to separate the multiple ACL subfields. If not specified, the delimiter is assumed to be "!". The character must NOT be one of the following, which are not allowed:
a-z A-Z & 0-9 = & / \ : %
- hmacAlgorithm (required)
- The algorithm used for the HMAC (Hash-based Message Authentication Code) field of the token. One of: SHA256, SHA1, MD5. However, SHA256 should be used for security reasons.
- escapeTokenInputs (required)
- Sets whether to perform URL encoding on the path string for the content to verify when calculating the MAC value of the token.
- true: Performs URL encoding
- false: Does not perform URL encoding
- ignoreQueryString (required)
- Sets whether query parameters appended to the content path, if there are any, are ignored when calculating the MAC value.
- true: The query string portion of the URI should not be included when computing the HMAC of the token.
- false: The query string portion of the URI should be included.
- key (required)
- A common key used for calculating the MAC value. A string consisting of an even number of hex digits, not exceeding 64 characters.
- transitionKey (optional)
- A common key used for calculating the MAC value. A string consisting of an even number of hex digits, not exceeding 64 characters. Use transitionKey when changing the common key. The Edge server allows access if the token is successfully verified using either key or transitionKey.
{
  "rules": [
    {
      "matches": [
        {
          "name": "url-wildcard",
          "value": "/protected/*"
        }
      ],
      "behaviors": [
        {
          "name": "token-auth",
          "params": {
            "tokenName": "__mytoken__",
            "tokenDelimiter": "~",
            "aclDelimiter": "!",
            "hmacAlgorithm": "SHA256",
            "escapeTokenInputs": false,
            "ignoreQueryString": true,
            "key": "6e65775365637265744b6579",
            "transitionKey": "6f6c645365637265744b6579"
          }
        }
      ]
    }
  ]
}
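
A pre-deployment check for the params object, written as an added example (not code from the product or its handbook). It applies the constraints stated in the parameter list above and additionally warns when a weaker HMAC algorithm is selected or a transitionKey is still configured. The names lint_token_auth, lint_rules and BAD_PARAMS are constructed for illustration.

```python
import re

# Constraints are the ones stated in the parameter descriptions on this page.
TOKEN_NAME = re.compile(r"[a-zA-Z][a-zA-Z0-9_-]*")   # same character set as the page's regex
BAD_DELIM = re.compile(r"[a-zA-Z0-9=&/\\:%]")         # characters a delimiter may not be
HEX_KEY = re.compile(r"(?:[0-9a-fA-F]{2}){1,32}")     # even-length hex, at most 64 characters
REQUIRED = ("tokenName", "hmacAlgorithm", "escapeTokenInputs", "ignoreQueryString", "key")


def lint_token_auth(params):
    """Return (errors, warnings) for one token-auth params object."""
    errors, warnings = [], []
    for name in REQUIRED:
        if name not in params:
            errors.append(f"{name}: required parameter is missing")
    if "tokenName" in params and not TOKEN_NAME.fullmatch(str(params["tokenName"])):
        errors.append("tokenName: does not match ^([a-zA-Z][a-zA-Z0-9-_]*)$")
    for name in ("tokenDelimiter", "aclDelimiter"):
        value = params.get(name)
        if value is not None and (not isinstance(value, str) or len(value) != 1 or BAD_DELIM.fullmatch(value)):
            errors.append(f"{name}: must be one character outside a-z A-Z 0-9 = & / \\ : %")
    algorithm = params.get("hmacAlgorithm")
    if algorithm is not None and algorithm not in ("SHA256", "SHA1", "MD5"):
        errors.append("hmacAlgorithm: must be SHA256, SHA1 or MD5")
    elif algorithm in ("SHA1", "MD5"):
        warnings.append(f"hmacAlgorithm: {algorithm} is accepted, but SHA256 should be used")
    for name in ("escapeTokenInputs", "ignoreQueryString"):
        if name in params and not isinstance(params[name], bool):
            errors.append(f"{name}: must be true or false")
    for name in ("key", "transitionKey"):
        value = params.get(name)
        if value is not None and not (isinstance(value, str) and HEX_KEY.fullmatch(value)):
            errors.append(f"{name}: must be an even number of hex digits, at most 64")
    if "transitionKey" in params:
        # The Edge server accepts tokens verified with either key, so flag a leftover one.
        warnings.append("transitionKey: tokens verified with this key are still accepted")
    return errors, warnings


def lint_rules(document):
    """Lint every token-auth behavior found in a rules document."""
    return [lint_token_auth(b.get("params", {}))
            for rule in document.get("rules", [])
            for b in rule.get("behaviors", []) if b.get("name") == "token-auth"]


# Constructed sample: a params object with several deliberate mistakes.
BAD_PARAMS = {"tokenName": "1token", "tokenDelimiter": "=", "hmacAlgorithm": "MD5",
              "escapeTokenInputs": "false", "key": "abc"}
```

Applied to the sample configuration on this page, the check reports tokenName: "__mytoken__" starts with an underscore, while the stated regex requires a leading letter.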