tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Cloud EdgeOne
    Documentation
    Download PDF

    Token Authentication

    Last updated: 2024-02-26 10:00:26
    Download PDF

      Overview

      Token authentication is a simple and reliable access control strategy that verifies URL access through authentication rules, effectively preventing malicious brushing of site resources. The usage of this function requires the cooperation of the client and EdgeOne. The client is responsible for initiating encrypted URL requests, and EdgeOne is responsible for verifying the legality of the URL based on pre-set rules.

      Function principle

      The implementation of Token authentication mainly consists of the following two parts:
      Client: Initiate the authentication URL request based on the authentication rules (including authentication algorithm, key).
      EdgeOne node: Verify the authentication information (md5 string + timestamp) in the authentication URL. When the verification is passed, the access request will be considered as a valid request, and the node will respond normally. If the verification fails, the node will reject the access and directly return 403.

      Token authentication URL generation and verification tool

      EdgeOne provides a generation tool and verification tool for Token authentication URLs. Developers can use this tool to quickly and accurately generate and verify anti-leeching URLs that meet the requirements.

      Directions

      1. Log in to the EdgeOne console, click on the site list in the left menu bar, and click on the site to be configured in the site list.
      2. On the site details page, click on the rule engine.
      3. On the rule engine management page, click Create Rule to enter the editing page of the new rule.
      4. On the rule editing page, set the matching conditions that trigger this rule.
      5. Click Operation > Select Box, and select Token Authentication in the pop-up operation list. The parameter configuration instructions are as follows:
      Parameter
      Description
      Method
      Currently, 4 authentication signature calculation methods are supported. Please choose the appropriate method based on the access URL format. For details, please refer to the authentication method.
      Primary key
      The primary password, consisting of 6-40 uppercase and lowercase English letters or numbers.
      Secondary key
      The secondary password, consisting of 6-40 uppercase and lowercase English letters or numbers.
      Authentication parameter
      An authentication parameter must be between 1-100 characters and contains letters, numbers and underscores. The parameter value will be authenticated by nodes.
      Validity period
      Validity period of the authentication URL (1-630720000 seconds). It determines whether a client request is valid:
      
      If the time "timestamp + validity period" is reached, the request is considered expired and a 403 is returned.
      If the current time does not exceed the "timestamp + valid duration" time, the request is not expired and continues to verify the md5 string.

      Authentication Methods

      Method A

      Authentication URL format

      http://Hostname/Filename?sign=timestamp-rand-uid-md5hash

      Field description

      Field
      Description
      Hostname
      Site domain name.
      Path
      Path to access the resource, which must start with "/".
      sign
      Custom name of the authentication parameter.
      timestamp
      A positive decimal integer, indicating the number of seconds elapsed since 00:00:00, January 1, 1970 at UTC. It does not change regardless of your time zone.
      rand
      Random string, which contains letters and digits. Length: 0–100.
      uid
      User ID (not in use), which defaults to 0.
      md5hash
      A fixed-length 32-bit string calculated with the MD5 algorithm:
      Authentication algorithm: MD5 (Path-timestamp-rand-uid-key).
      Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403.

      Method B

      Authentication URL format

      http://Hostname/timestamp/md5hash/Filename
      

      Field description

      Field
      Description
      Hostname
      Site domain name.
      Path
      Path to access the resource, which must start with "/".
      timestamp
      Timestamp.
      Format: YYYYMMDDHHMM (represented in UTC+8), such as 201807301000.
      md5hash
      A fixed-length 32-bit string calculated with the MD5 algorithm:
      Authentication algorithm: MD5 (key + timestamp + Path).
      Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403.

      Method C

      Authentication URL format
      http://Hostname/md5hash/timestamp/Filename

      Field description

      Field
      Description
      Hostname
      Site domain name.
      Path
      Path to access the resource, which must start with "/".
      timestamp
      Unix timestamp.
      Format: A positive hex integer, indicating the number of seconds elapsed since 00:00:00, January 1, 1970 at UTC. It does not change regardless of your time zone.
      md5hash
      A fixed-length 32-bit string calculated with the MD5 algorithm:
      Authentication algorithm: MD5 (key + Path + timestamp). Note that you should remove the identifier 0x from a hex timestamp before calculation.
      Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403.

      Method D

      Authentication URL format

      http://Hostname/Filename?sign=md5hash&t=timestamp

      Field description

      Field
      Description
      Hostname
      Site domain name.
      Path
      Path to access the resource, which must start with "/".
      sign
      Custom name of the authentication parameter.
      t
      Custom name of the timestamp parameter.
      timestamp
      Unix timestamp.
      Format: A positive decimal/hex integer, indicating the number of seconds elapsed since 00:00:00, January 1, 1970 at UTC. It does not change regardless of your time zone.
      md5hash
      A fixed-length 32-bit string calculated with the MD5 algorithm:
      Authentication algorithm: MD5 (key + Path + timestamp). Note that you should remove the identifier 0x from a hex timestamp before calculation.
      Authentication logic: When receiving a valid request, the node starts comparing this string value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403.

      Configuration Sample

      The following configuration sample shows how to authenticate a request for http://www.example.com/test.jpg with Method A:
      

      Getting authentication parameters

      Path: /foo.jpg
      timestamp: 1647311432. The timestamp is returned as a 10-digit positive decimal integer indicating that the authentication URL is generated at 10:30:32, March 15, 2022 (UTC+8).
      rand: J0ehJ1Gegyia2nD2HstLvw
      uid:0
      key: 3C9mxSGzc8ZadmGNzE
      md5hash: MD5 (Path-timestamp-rand-uid-key) = MD5 (/foo.jpg-1647311432-J0ehJ1Gegyia2nD2HstLvw-0-3C9mxSGzc8ZadmGNzE) = ecce3150cbdaac83b116d937777ca77f

      Generating an authentication URL

      http://www.example.com/foo.jpg?sign=1647311432-J0ehJ1Gegyia2nD2HstLvw-0-ecce3150cbdaac83b116d937777ca77f

      Authenticating the request

      After the request is initiated via an encrypted URL, the node parses the value of the "timestamp" parameter from the URL to determine whether the request is valid:
      If the time "timestamp + validity period" is reached, the request is considered expired and a 403 is returned.
      If the time "timestamp + validity period" is not reached, the request is considered valid and will be authenticated.
      The node compares the calculated md5hash value with the md5hash value in the request URL. If they match, the node will respond to the request after it is authenticated, otherwise it returns a 403.

      Must-knows

      1. After Authentication is passed, the node will automatically ignore the Authentication-related parameters in the URL to improve the Cache hit rate and reduce the amount of origin-pull.
      2. The origin-pull request URL cannot contain any Chinese characters.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy