Token Authentication

Last updated: 2022-08-26 11:06:05

    Overview

    As an access control policy, token authentication verifies access requests according to the configured authentication rules to filter out unauthorized access requests. This effectively prevents your site resources from being maliciously hotlinked and thus protects your business content.

    How does token authentication implement access control?

    When the client initiates a request, an authentication URL must be generated from the requested URL according to the authentication rules. The request is considered authorized, and the node responds normally, only when the authentication information in the authentication URL (such as the timestamp) passes verification by the node. If verification fails, the node rejects the request and directly returns 403.

    Directions

    1. Log in to the EdgeOne console. Click Rule Engine on the left sidebar.

      Note:

      The EdgeOne console is now only available to beta users. Contact us to join the beta.

    2. On the rule engine page, select the target site and click to configure token authentication rules as needed.

      Note:

      Currently, you can configure token authentication only if the match condition is All (any request) or Host.

    Parameters:

    Authentication method: Currently, four authentication signature calculation methods are supported. Select an appropriate one based on the access URL format. For more information, see Authentication Methods.
    Primary authentication key: A primary authentication key must be 6 to 40 characters long and consist of letters and numbers.
    Secondary authentication key: A secondary authentication key must be 6 to 40 characters long and consist of letters and numbers.
    Authentication parameter: An authentication parameter must be 1 to 100 characters long and consist of letters, numbers and underscores. The value of this parameter is what the nodes verify.
    Validity period: Validity period of the configured authentication URL, used to check whether the client access request has expired. If the current time is later than "timestamp + validity period", the request is considered expired and 403 is returned directly. If it hasn't expired, verification continues.
      Unit: second.
      Value range: 1–630720000.

    Must-knows

    1. After authentication passes, the node strips the authentication parameters from the URL and uses the remaining URL as the cache key, which improves the cache hit rate and reduces origin-pull traffic.
    2. If authentication passes but no node cache is hit, the node pulls from the origin, and the actual origin-pull URL has the same format as the authentication URL, i.e., the authentication parameters are retained. You can configure the origin server to ignore the authentication parameters or to perform secondary verification as needed.
    3. The access URL cannot contain any Chinese characters.

    Authentication Methods

    Method A

    Authentication URL format

    http://Hostname/Filename?sign=timestamp-rand-uid-md5hash

    Parameter description

    Hostname: Site acceleration domain
    Filename: URL path actually accessed in origin-pull, which must start with /
    sign: Custom name of the authentication parameter
    timestamp: Timestamp carried in the access URL
      Format: decimal UNIX timestamp
    rand: Random string of 0–100 letters and digits
    uid: User ID. Default value: 0
    md5hash: String calculated with the MD5 algorithm
      Algorithm: MD5(/Filename-timestamp-rand-uid-custom key)

    If the request hasn't expired, the node computes md5hash with the algorithm above and compares it with the md5hash value carried in the access request:
  • If they are the same, the authentication will succeed, and the request will be responded to.
  • If they are different, the authentication will fail, and 403 will be returned.
    Method B

    Authentication URL format

    http://Hostname/timestamp/md5hash/Filename

    Parameter description

    Hostname: Site acceleration domain
    Filename: URL path actually accessed in origin-pull, which must start with /
    timestamp: Timestamp carried in the access URL
      Format: YYYYMMDDHHMM
    md5hash: String calculated with the MD5 algorithm
      Algorithm: MD5(custom key + timestamp + /Filename)

    If the request hasn't expired, the node computes md5hash with the algorithm above and compares it with the md5hash value carried in the access request:
  • If they are the same, the authentication will succeed, and the request will be responded to.
  • If they are different, the authentication will fail, and 403 will be returned.
    Method C

    Authentication URL format

    http://Hostname/md5hash/timestamp/Filename

    Parameter description

    Hostname: Site acceleration domain
    Filename: URL path actually accessed in origin-pull, which must start with /
    timestamp: Timestamp carried in the access URL
      Format: hexadecimal UNIX timestamp
    md5hash: String calculated with the MD5 algorithm
      Algorithm: MD5(custom key + /Filename + timestamp)

    If the request hasn't expired, the node computes md5hash with the algorithm above and compares it with the md5hash value carried in the access request:
  • If they are the same, the authentication will succeed, and the request will be responded to.
  • If they are different, the authentication will fail, and 403 will be returned.
    Method D

    Authentication URL format

    http://Hostname/Filename?sign=md5hash&t=timestamp

    Parameter description

    Hostname: Site acceleration domain
    Filename: URL path actually accessed in origin-pull, which must start with /
    sign: Custom name of the authentication parameter
    t: Custom name of the timestamp parameter
    timestamp: Timestamp carried in the access URL
      Format: decimal or hexadecimal UNIX timestamp
    md5hash: String calculated with the MD5 algorithm
      Algorithm: MD5(custom key + /Filename + timestamp)

    If the request hasn't expired, the node computes md5hash with the algorithm above and compares it with the md5hash value carried in the access request:
  • If they are the same, the authentication will succeed, and the request will be responded to.
  • If they are different, the authentication will fail, and 403 will be returned.
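    The following is an added example (not code from this documentation or from EdgeOne) that builds authentication URLs for all four methods and performs the node-side check for Method A, including the "timestamp + validity period" expiry test. The hostname, path, key and timestamp are constructed sample values, and Method B's YYYYMMDDHHMM timestamp is rendered in UTC, which the page does not specify.

```python
import hashlib
import hmac
import time
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sign_a(host, path, key, ts, rand="", uid="0", param="sign"):
    # Method A: md5hash = MD5(/Filename-timestamp-rand-uid-key); decimal UNIX timestamp
    h = md5_hex(f"{path}-{ts}-{rand}-{uid}-{key}")
    return f"http://{host}{path}?{param}={ts}-{rand}-{uid}-{h}"


def sign_b(host, path, key, ts):
    # Method B: md5hash = MD5(key + timestamp + /Filename); timestamp as YYYYMMDDHHMM
    # (the page does not state a time zone; UTC is assumed here)
    t = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M")
    return f"http://{host}/{t}/{md5_hex(key + t + path)}{path}"


def sign_c(host, path, key, ts):
    # Method C: md5hash = MD5(key + /Filename + timestamp); hexadecimal UNIX timestamp
    t = format(ts, "x")
    return f"http://{host}/{md5_hex(key + path + t)}/{t}{path}"


def sign_d(host, path, key, ts, param="sign", tparam="t"):
    # Method D: md5hash = MD5(key + /Filename + timestamp); decimal timestamp used here
    return f"http://{host}{path}?{param}={md5_hex(key + path + str(ts))}&{tparam}={ts}"


def verify_a(url, key, validity, now=None, param="sign"):
    """Node-side check for a Method A URL: expiry first, then the hash. Returns 200 or 403."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    if param not in q:
        return 403
    parts = q[param][0].split("-")  # rand holds only letters and digits, so "-" is safe
    if len(parts) != 4 or not parts[0].isdigit():
        return 403
    ts, rand, uid, received = parts
    now = int(time.time()) if now is None else now
    if now > int(ts) + validity:
        return 403  # current time is past timestamp + validity period: expired
    expected = md5_hex(f"{u.path}-{ts}-{rand}-{uid}-{key}")
    return 200 if hmac.compare_digest(expected, received) else 403
```

    The hash comparison uses a constant-time compare so that a mismatch takes the same time regardless of where the digests differ.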