Signed URLs in CDN
Please provide more context on the end-to-end scenario for which you need signed URL support in the Azure CDN.
Miguel Rasero commented
We at https://www.pixelcrush.io offer signed URL using optional auth "url" param and we use Azure Verizon standard CDN underneath.
To be fair we specialize in serving images because of our real-time manipulation capabilities, but we deliver other static content as well using our "/cdn/" virtual folder.
You can try the service with a $10 trial account, no credit card needed, and give us some feedback!
Li Huan Jeow commented
Azure premium CDN now has support for EdgeCast URL token authentication. Is there any other features that Microsoft is planning for this?
Any update on this? When would you think Azure CDN will implement this feature?
Yes this feature is very much required. We are considering moving to AWS just because Azure doesn’t support this. We would like to allow ONLY our website authenticated users to access the selective CDN content (it means not every user can access every content).
Zach Smith commented
Any update, please?
Dusty Brenning commented
Any Update on when this might be available?
T. Ray commented
Any more details on when this will go out? I need to pick a CDN solution with authentication really soon and will probably pick AWS's cloud front only because Azure doesn't have it. I can probably push my clients off a little bit if I knew it was soon.
I'm creating a customer support website where customers can log in and access the software downloads that they are allowed to have. I want to prevent customers from sharing the URLs around. Obviously, nothing is really stopping them from sharing the files once they are downloaded, but, I'd still like to restrict them at the CDN level.
Li Huan Jeow commented
Didn't see the other thread when I posted this. Please combine the two. Thanks!
Li Huan commented
The EdgeCast network that Microsoft is using supports limited life tokens for authenticating users. Amazon's CDN supports the feature too. Please add this feature for Azure CDN.
Dusty Brenning commented
Our scenario is similar to Jason's in that we need to protect the content that our users upload from being used by someone other than our customer. We currently have a solution that has timed token based authentication for accessing content on a cdn. So even if a someone without authentication to view the content gets a token it will expire and not allow them access to the content.
Jason McCampbell commented
We have a scenario similar to Axel. In our case we are providing customer access to videos stored on Azure. The videos are accessible only to subscribers so what we want to be able to do is create unique, expiring URLs that we can provide via redirect to users to allow them to watch the videos. We currently use Amazon's CloudFront service signed URL feature for this purpose and can't migrate until there is something similar available.
Axel Rietschin commented
I have a specific scenario in mind: software delivery. Currently I send my customers a personal download link pointing to my Azure-hosted back-end, by email, after they purchase my product.
When the user clicks his/her download link, the back-end checks the legitimacy of the download (e.g. download count, validity of the link, order had been cancelled/refunded etc) then reply (via an HTTP redirect) with a signed URL having a very short time-to-live and that points to the payload on my Azure storage account (the deliverable, an MSI installer, is in a private container).
The user’s browser follows the redirect link and comes back right away to gets the payload. The signed URL expires after a few seconds so it can be used only once, for that particular download that was granted and metered by the back-end business system.
This scheme works perfectly, I use this to deliver real products to real users, but I would like to be able to use the CDN to put the payload closer to the customers for faster download, and still be able to protect it from abuses (like sharing the download link to the payload).
In a related request, I would like to be able to add the client’s IP address to signed URLs (the IP being hashed with the other signed parameters), so the URL can only be used from the specified IP address, in addition to within the specified From-To time interval.
This “metered downloads” scheme could be used to build a pay-per-view system on top of the CDN, for example where the payload would be a video file: the user would click a link to the video, with some account identifier as URL parameter. The browser would be redirected to the video if the view is granted, the video being cached on the CDN, and the redirect URL, locked to his IP, would be valid just for the time it takes for the redirect to happen, i.e. a few seconds.
I hope the above makes sense. -- Axel