Lumen help
CDN services: Embedding a token in a URL
When you publish a resource that is to have the URL encoded with desired authentication tokens, including optional expiration criteria, you insert them in the query string. The URL should be encrypted into an HMAC‑SHA1 hash using a shared “secret” for authentication at a Lumen CDN edge server. This authentication token is then appended to the URL and published for use. When a subsequent user request arrives at a content distributor, the arriving URL, minus the authentication token and any other designated parameters, is re‑hashed using the shared secret and the result compared to the authentication token. If they do not match, the request is rejected with the designated error status code. If they match, the expiration criteria are evaluated and the request fulfilled or denied accordingly.
If the integrity of the URL is successfully validated, the CDN processes validity time tokens (start time and end time) to determine whether the request should be serviced or denied. The times are specified as not‑valid‑before and/or not‑valid‑after.
The code samples below demonstrate how to add the hash token to a URL. It is not intended to be used as‑is, but rather to generate example URLs and to serve as an example to guide your own implementation.
Learn more about token‑authentication definitions in Media portal
#!/usr/bin/perl
# Sample code Copyright (C) 2021, Lumen Technologies.
#
# This sample requires perl modules freely available from CPAN.
# To obtain the needed modules, use e.g. "cpan -i Digest::HMAC"
## Parameters you would normally obtain from your configuration
$gen = "3"; # secret key generation number (0-9)
$key = "There's no place like home!"; # secret key
## Process an abspath URI
$uri = "/path/to/resource?sessionid=12345"; # the URI to authenticate
print "Orig URI:
$uri\n";
$hash = ComputeHash($gen, $key, $uri, \$error); # Compute the hash code
$uri .= "&misc=abcde"; # Append a non-authenticated element
$uri .= "&hash=$hash"; # Append the hash code
print $hash ? "New URI: $uri\n" : "$error\n";
print "\n";
# Import the HMAC-SHA1 library
use Digest::HMAC_SHA1 qw(hmac_sha1 hmac_sha1_hex);
# ComputeHash() - compute the hash authenticator to append to a URI
#
# Parameters:
# IN $gen: A number 0-9 identifying the key generation number
# IN $key: A character string key between 20 and 64 bytes long
# IN $uri: The URI, less the hash code, to be authenticated
# OUT $rerr: Reference to scalar to return any error message
#
# Returns the hash string value if successful, otherwise returns undef
# and an error string via $$rerr
sub ComputeHash
{
my ($gen, $key, $uri, $rerr) = @_;
# Most of this error checking would not be necessary in a production
# environment - it is provided for illustration of usage only.
$$rerr = "ERROR: Invalid GEN value", return undef
unless $gen =~ /^\d$/;
$$rerr = "ERROR: Invalid key length", return undef
unless length($key) >= 20 && length($key) <= 64;
$$rerr = "ERROR: No URI provided", return undef
unless $uri;
# compute the hash and check to be sure it worked
my $hmac = hmac_sha1_hex($uri, $key);
$$rerr = "ERROR: Failed to compute hash!", return undef
unless defined($hmac);
return sprintf "%1.1s%20.20s", $gen, $hmac;
}
#!/usr/bin/php
<?php
## Parameters you would normally obtain from your configuration
$gen = "3"; # secret key generation number (0-9)
$key = "There's no place like home!"; # secret key
## Process an abspath URI
$uri = "/path/to/resource?sessionid=12345"; # the URI to authenticate
echo "Orig URI: $uri\n";
$hash = ComputeHash($gen, $key, $uri, $error); # Compute the hash code
$uri .= "&misc=abcde"; # Append a non-authenticated element
$uri .= "&hash=$hash"; # Append the hash code
echo strlen($hash) ? "New URI: $uri\n" : "$error\n";
echo "\n";
# ComputeHash() - compute the hash authenticator to append to a URI
#
# Parameters:
# IN $gen: A number 0-9 identifying the key generation number
# IN $key: A character string key between 20 and 64 bytes long
# IN $uri: The URI, less the hash code, to be authenticated
# OUT $error: Reference to scalar to return any error message
#
# Returns the hash string value if successful, otherwise returns FALSE
# and an error string via $rerr
function ComputeHash ($gen, $key, $uri, &$rerr )
{
# Most of this error checking would not be necessary in a production
# environment - it is provided for illustration of usage only.
if ( !preg_match("/^\d$/",$gen) )
{
$rerr = "ERROR: Invalid GEN value";
return FALSE;
}
if ( (strlen($key) < 20) || (strlen($key) > 64) )
{
$rerr = "ERROR: Invalid key length";
return FALSE;
}
if (empty($uri))
{
$rerr = "ERROR: No URI provided";
return FALSE;
}
# compute the hash and check to be sure it worked
# hash_mac function requires PHP 5 >= 5.1.2, PECL hash >= 1.1
$hmac = hash_hmac("sha1", $uri, $key);
if (!strlen($hmac))
{
$rerr = "ERROR: Failed to compute hash!";
return FALSE;
}
return sprintf("%1.1s%20.20s", $gen, $hmac);
}
?>
using System;
using System.Text;
namespace v3.token
{
class SHA1Level3
{
public SHA1Level3()
{
generateSHA1();
}
public static void generateSHA1()
{
// Parameters you would normally obtain from your configuration
int gen = 0; // secret key generation number (0-9)
string key = "There's no place like home!"; // secret key
string error = String.Empty;
// Process an abspath URI
String uri = "/path/to/resource"; // the URI to authenticate
Console.WriteLine("Orig URI: {0}", uri);
string hash = ComputeHash(gen, key, uri, ref error); // Compute the hash code
uri += String.Format("?hash={0}", hash); // Append the hash code
if (hash.Length > 0)
{
Console.WriteLine("New URI: {0}", uri);
}
else
{
Console.WriteLine("{0}", error);
}
}
// ComputeHash() - compute the hash authenticator to append to a URI
//
// Parameters:
// IN gen: A number 0-9 identifying the key generation number
// IN key: A character string key between 20 and 64 bytes long
// IN uri: The URI, less the hash code, to be authenticated
// OUT error: Reference to scalar to return any error message
//
// Returns the hash string value if successful, otherwise returns FALSE
// and an error string via $rerr
public static string ComputeHash(int gen, string key, string uri, ref string error)
{
// Most of this error checking would not be necessary in a production
// environment - it is provided for illustration of usage only.
if (gen < 0 || gen > 9)
{
error = "ERROR: Invalid GEN value";
return String.Empty;
}
if (key.Length < 20 || key.Length > 64)
{
error = "ERROR: Invalid key length";
return String.Empty;
}
if (String.IsNullOrEmpty(uri))
{
error = "ERROR: No URI provided";
return String.Empty;
}
// compute the hash and check to be sure it worked
System.Security.Cryptography.HMACSHA1 sha1 = new System.Security.Cryptography.HMACSHA1(Encoding.UTF8.GetBytes(key));
sha1.ComputeHash(Encoding.UTF8.GetBytes(uri));
string sha1hex = ByteToString(sha1.Hash);
sha1hex = sha1hex.Length > 20 ? sha1hex.Substring(0, 20) : sha1hex;
return String.Format("{0}{1}", gen, sha1hex);
}
public static string ByteToString(byte[] buff)
{
string sbinary = "";
for (int i = 0; i < buff.Length; i++)
{
sbinary += buff[i].ToString("x2"); // hex format
}
return (sbinary);
}
}
}
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title></title>
<script type="text/javascript" src=http://crypto-js.googlecode.com/files/2.2.0-crypto-sha1.js>
</script>
<script type="text/javascript" src=http://crypto-js.googlecode.com/files/2.2.0-hmac-min.js></script>
</head>
<body>
<div>SHA1:</div>
<div id="sha1" />
<script type="text/javascript">
var uri = "/path/to/resource";
var key = "There's no place like home!";
var gen = 0;
var error = "";
if (gen < 0 || gen > 9)
{
error = "ERROR: Invalid GEN value";
}
if (key.length < 20 || key.length > 64)
{
error = "ERROR: Invalid key length";
}
if (uri.length < 1)
{
error = "ERROR: No URI provided";
}
if (error.length > 0) {
document.getElementById('sha1').innerHTML = error;
}
else {
var hmac = Crypto.HMAC(Crypto.SHA1, uri, key);
if (hmac.length > 20) {
hmac = hmac.substr(0, 20);
}
document.getElementById('sha1').innerHTML = uri + "?hash=" + gen + hmac;
}
</script>
</body>
</html>
Module Module1
Sub Main()
generateSHA1()
End Sub
Public Sub generateSHA1()
' Parameters you would normally obtain from your configuration
Dim gen As Integer = 0 ' secret key generation number (0-9)
Dim key As String = "There's no place like home!" ' secret key
Dim err As String = String.Empty
' Process an abspath URI
Dim uri As String = "/path/to/resource" ' the URI to authenticate
Console.WriteLine("Orig URI: {0}", uri)
Dim hash As String = ComputeHash(gen, key, uri, err) ' Compute the hash code
uri += String.Format("?hash={0}", hash) ' Append the hash code
If hash.Length > 0 Then
Console.WriteLine("New URI: {0}", uri)
Else
Console.WriteLine("{0}", err)
End If
End Sub
' ComputeHash() - compute the hash authenticator to append to a URI
'
' Parameters:
' IN gen: A number 0-9 identifying the key generation number
' IN key: A character string key between 20 and 64 bytes long
' IN uri: The URI, less the hash code, to be authenticated
' OUT error: Reference to scalar to return any error message
'
' Returns the hash string value if successful, otherwise returns FALSE
' and an error string via $rerr
Public Function ComputeHash(ByVal gen As Integer, ByVal key As String, ByVal uri As String, ByRef err As String) As String
' Most of this error checking would not be necessary in a production
' environment - it is provided for illustration of usage only.
If gen < 0 Or gen > 9 Then
err = "ERROR: Invalid GEN value"
Return String.Empty
End If
If key.Length < 20 Or key.Length > 64 Then
err = "ERROR: Invalid key length"
Return String.Empty
End If
If String.IsNullOrEmpty(uri) Then
err = "ERROR: No URI provided"
Return String.Empty
End If
' compute the hash and check to be sure it worked
Dim sha1 As System.Security.Cryptography.HMACSHA1 = New System.Security.Cryptography.HMACSHA1(Text.Encoding.UTF8.GetBytes(key))
sha1.ComputeHash(Text.Encoding.UTF8.GetBytes(uri))
Dim sha1hex As String = ByteToString(sha1.Hash)
If sha1hex.Length > 20 Then
sha1hex = sha1hex.Substring(0, 20)
End If
Return String.Format("{0}{1}", gen, sha1hex)
End Function
Public Function ByteToString(ByVal buff As Byte()) As String
Dim sbinary As String = ""
For i As Integer = 0 To buff.Length - 1
sbinary += buff(i).ToString("x2") ' hex format
Next
Return sbinary
End Function
End Module
- Topics covered on this page:
