
Token Authentication

The CDN lets you restrict user access to the content of a distribution. This is done by enabling token authentication on the specified distribution.


In this case, a token is required to access the distribution content.

Token generation

When the restriction mode is enabled, a secret key is displayed. This key is used to generate the token.


Token generation also requires:

  • A lifetime - the time for which the token is valid;
  • A path - the path of the content in your distribution that you want to access;
  • IP address - different users have different IP addresses and thus can't use the same token to access the content;
  • User Agent - the characteristic string that identifies the application with which the user makes the request.

You generate the string to sign by concatenating the path, expiration time, IP address and user agent. HMAC (hash-based message authentication code) is a cryptographic technique that takes a secret key as a parameter and computes a keyed hash of the specified string. The token is then generated by concatenating the expiration time and the hashed string (the examples below use HMAC-SHA1 and join the two parts with an underscore).

The code of token generation in different programming languages is shown below:

C#

using System;
using System.Security.Cryptography;

public class Program
{
    public static void Main()
    {
        // Secret key of the distribution (Base64-encoded)
        byte[] key = Convert.FromBase64String("mlPjB8/wvUCyxiW9DFSx/w==");
        Int32 lifetime = 1209600; // 2 weeks, in seconds
        string path = "/test.jpg";

        // Expiration time as a Unix timestamp
        Int32 expiration = (Int32)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
        expiration += lifetime;
        Console.WriteLine(expiration);

        // String to sign: path + expiration + IP address + user agent
        string string_to_sign = path + expiration.ToString() + "185.67.177.203PostmanRuntime/7.28.4";

        var encoding = new System.Text.UTF8Encoding();
        byte[] messageBytes = encoding.GetBytes(string_to_sign);
        using (var hmacsha1 = new HMACSHA1(key))
        {
            byte[] hashmessage = hmacsha1.ComputeHash(messageBytes);
            // Token: expiration + "_" + lowercase hex digest
            Console.WriteLine(expiration + "_" + BitConverter.ToString(hashmessage).Replace("-", string.Empty).ToLower());
        }
    }
}

Python

import hmac
from hashlib import sha1
import time
import base64

# Secret key of the distribution (Base64-encoded)
key = base64.b64decode("mlPjB8/wvUCyxiW9DFSx/w==")
token_lifetime = 1209600 # 2 weeks
path = "/test.jpg"
# Expiration time as a Unix timestamp
expiration = int(time.time()) + token_lifetime
ipAddress = "185.67.177.203"
userAgent = "PostmanRuntime/7.28.4"
# String to sign: path + expiration + IP address + user agent
string_to_sign = "{0}{1}{2}{3}".format(path, expiration, ipAddress, userAgent)
digest = hmac.new(key, string_to_sign.encode('utf-8'), sha1)
signature = digest.hexdigest()
# Token: expiration + "_" + hex digest
token = "{0}_{1}".format(expiration, signature)
print("Token:   %s" % token)

The token must be appended to the request headers in order to access the content; otherwise the request will not be authorized. Requests will also not be authorized if the token has expired.

For example, we use the FLPQBFIBZA distribution, whose secret key is mlPjB8/wvUCyxiW9DFSx/w==.
Postman is the application we use to make the requests.
Our request is to access an image (test.jpg) in this distribution.

Request response without appending the token:

without token

Request response when appending the token:

with token
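
The following is an added example, not part of the original page and not the CDN's own code: one way a server could validate a token built as described above, rejecting malformed, expired and mismatched tokens. The function names, the `now` parameter and the order of checks are assumptions; the token format and the example key are the ones shown on this page.

```python
import base64
import hashlib
import hmac
import time

# Example secret key shown on this page; a real key comes from the distribution.
KEY = base64.b64decode("mlPjB8/wvUCyxiW9DFSx/w==")


def _sign(key, path, expiration, ip, user_agent):
    # String to sign as described on this page: path + expiration + IP + user agent.
    message = f"{path}{expiration}{ip}{user_agent}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def make_token(key, path, ip, user_agent, lifetime, now=None):
    """Build "<expiration>_<hex HMAC-SHA1>" (hypothetical helper name)."""
    expiration = int(time.time() if now is None else now) + lifetime
    return f"{expiration}_{_sign(key, path, expiration, ip, user_agent)}"


def verify_token(key, token, path, ip, user_agent, now=None):
    """Hypothetical verifier: returns (ok, reason) for one request."""
    now = int(time.time() if now is None else now)
    expiration_text, sep, signature = token.partition("_")
    if not sep or not (expiration_text.isascii() and expiration_text.isdigit()):
        return False, "malformed"
    if int(expiration_text) < now:
        return False, "expired"
    # Recompute the HMAC from the request's own path, IP and user agent,
    # then compare in constant time so timing does not leak the digest.
    expected = _sign(key, path, expiration_text, ip, user_agent)
    if not hmac.compare_digest(expected.encode(), signature.encode("utf-8")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    ua = "PostmanRuntime/7.28.4"
    tok = make_token(KEY, "/test.jpg", "185.67.177.203", ua, 1209600)
    print(verify_token(KEY, tok, "/test.jpg", "185.67.177.203", ua))
    # Same token presented from a different (constructed) IP address:
    print(verify_token(KEY, tok, "/test.jpg", "203.0.113.7", ua))
```

Because the expiration time is part of the signed string, editing the expiration prefix of a token invalidates its signature.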