Edge Functions and OIDC Authentication in Adobe Managed CDN
This talk explores how you can use edge functions to deliver seamless and secure experiences through Adobe Managed CDN. This is particularly important for Edge Delivery Services, which has no native compute capabilities, but also for AEMaaCS use cases such as personalization and authentication.
We will discuss the power of edge functions, focusing on building JavaScript applications that run directly at the edge. Learn how to design, develop, and deploy lightweight, high-performance applications that execute closer to the end user, enabling real-time personalization, faster response times, and reduced server load.
We will dive into the integration of OpenID Connect (OIDC) authentication at the edge using CDN rules, enabling secure access control and identity management without compromising performance. Attendees will gain insights into how edge functions process authentication requests closer to the user, reducing latency and improving efficiency.
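The authorization step the speakers describe in the Q&A below (the origin marks a restricted page with a response header such as `x-aem-allowed-groups: admin`, the edge compares it against a configurable group claim from the OIDC token, and Azure emits a reference instead of an inlined list for large group sets), written out as an added JavaScript example. This is not Adobe's edge function code or a cdn.yaml fragment: the function names, the fail-closed handling of the Azure overage case, the sample token and the placeholder lookup endpoint are constructed for this illustration. Validity of the session token itself (signature, expiry) is assumed to be enforced by the edge OIDC layer, as the speaker states; this code covers only the group check that follows.

```javascript
// Added example (not Adobe's code): the group check a CDN-side edge function
// can apply once Edge OIDC Authentication has validated the session.
// From the Q&A: the origin marks restricted pages with a response header such
// as x-aem-allowed-groups: admin, and the group claim name is configurable.
// Function names, the overage policy and all sample data are assumptions.

const ALLOWED_GROUPS_HEADER = 'x-aem-allowed-groups';

// base64url-encode an object (used only to construct the sample token below).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode the payload of a JWT. No signature check here: validity of the
// session token is assumed to have been enforced by the edge OIDC layer.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Read the user's groups from the configurable claim.
// Handles an inlined array, a space/comma-delimited string, and the Azure AD
// overage case, where _claim_names/_claim_sources reference a lookup endpoint
// instead of inlining a long group list.
function extractGroups(claims, groupClaim) {
  const names = claims._claim_names || {};
  if (Object.prototype.hasOwnProperty.call(names, groupClaim)) {
    const src = (claims._claim_sources || {})[names[groupClaim]] || {};
    return { overage: true, endpoint: src.endpoint || null, groups: [] };
  }
  const raw = claims[groupClaim];
  if (raw == null) return { overage: false, endpoint: null, groups: [] };
  const list = Array.isArray(raw) ? raw : String(raw).split(/[\s,]+/);
  return { overage: false, endpoint: null, groups: list.map(String).filter(Boolean) };
}

// Parse "admin, editors" into a Set; an absent header means the page declares
// no group restriction (authentication itself is decided by the CDN rules).
function parseAllowedGroups(headerValue) {
  if (headerValue == null) return null;
  return new Set(headerValue.split(/[\s,]+/).map((g) => g.trim()).filter(Boolean));
}

// Authorization decision for one origin response.
// Fail closed on overage: without resolving the referenced lookup we cannot
// prove membership, so the page stays a 403 rather than leaking restricted content.
function authorize({ claims, groupClaim = 'groups', originHeaders }) {
  const allowed = parseAllowedGroups(originHeaders[ALLOWED_GROUPS_HEADER]);
  if (allowed === null) return { status: 200, reason: 'unrestricted' };
  const { overage, groups } = extractGroups(claims, groupClaim);
  if (overage) return { status: 403, reason: 'groups-overage' };
  const match = groups.find((g) => allowed.has(g));
  return match
    ? { status: 200, reason: `matched:${match}` }
    : { status: 403, reason: 'no-matching-group' };
}

// --- constructed sample data (not real tokens, users or endpoints) ---
const SAMPLE_JWT = [
  b64url({ alg: 'none', typ: 'JWT' }),                  // header
  b64url({ sub: 'u123', groups: ['editors', 'admin'] }), // payload
  '', // signature intentionally empty: demo token only, never accept this in production
].join('.');

const AZURE_OVERAGE_CLAIMS = {
  sub: 'u456',
  _claim_names: { groups: 'src1' },
  _claim_sources: { src1: { endpoint: 'https://idp.example.invalid/u456/getMemberObjects' } },
};

// Run the check against a few constructed origin responses.
function demo() {
  const claims = decodeJwtPayload(SAMPLE_JWT);
  return {
    adminPage: authorize({ claims, originHeaders: { [ALLOWED_GROUPS_HEADER]: 'admin' } }),
    financePage: authorize({ claims, originHeaders: { [ALLOWED_GROUPS_HEADER]: 'finance' } }),
    publicPage: authorize({ claims, originHeaders: {} }),
    rolesClaim: authorize({
      claims: { roles: 'viewer admin' }, groupClaim: 'roles',
      originHeaders: { [ALLOWED_GROUPS_HEADER]: 'admin' },
    }),
    overage: authorize({ claims: AZURE_OVERAGE_CLAIMS, originHeaders: { [ALLOWED_GROUPS_HEADER]: 'admin' } }),
  };
}

console.log(demo());
```

Making the claim name a parameter of `authorize` is what lets the same function serve an IdP that emits `groups` and one that emits `roles`; denying on overage rather than allowing is the conservative default until the lookup endpoint is actually resolved.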
Alexander
Can we use Edge Compute in AEMaaCS with Fastly, and if so, does it require an additional license? The next slide just answered with yes, so please answer the part about the license.
mpetria
Edge Compute will be a separate SKU, not included in the base product.
wolf
How are costs of Edge Compute handled? Does it fall under the (expensive!) "content requests" in AEMaaCS?
mpetria
Edge Compute will be a separate SKU, not included in the base product.
Anian Weber
Will this replace the "content overlay" feature of Edge Delivery Services? Given that content overlay often is used to render content from 3rd party systems.
Markus Haack - Adobe
No. These are both used for different use cases. However, there can be cases where you would like to combine them, like a commerce product page with the page itself pre-rendered via content overlay while pricing or stock info is routed to edge compute.
Anian Weber
Thanks :)
Jaybee
How do you authenticate your `make` to deploy to your tenant?
mpetria
For now, Adobe provides you with a development token. Later we are envisioning an integration with the Adobe Developer Console.
Helge
Can we authorize requests at the edge against publishers OOTB as well, or only against other/external IdPs?
mpetria
With Edge Authentication you bring your own identity provider, if it supports OIDC. Relying on origin authentication/authorization is future work, to implement something like CDN permission-sensitive caching. That would work as follows:
- visitor accesses /page.html
- CDN calls a servlet on origin, /permissioncheck?url=/page.html, to check if the current user has permissions for that URL
- if the response is 200, it calls the actual resource origin/page.html and returns it
Robert Wunsch
Why is `make` being used to deploy and tail logs for edge compute?
mpetria
Good question :) It is a temporary "CLI" until we integrate with a better CLI solution such as `aio`.
Tomasz Sobczyk
Are you planning to follow what most other edge compute offerings do, which is to allow edge compute to be injected in one of four places: on request/response, and in front of/behind the cache? The current implementation with cache disabled will lead to performance issues.
mpetria
This is not currently planned. Currently the supported pattern is: AEM CDN -> AEM Compute. So compute acts as an origin for the CDN and executes after the cache hit/miss.
Helge
Can I check the user's session and either serve a response from the CDN cache or pass through to origin?
mpetria
The session token is automatically checked in Edge OIDC Authentication. Only valid sessions will be allowed to see the cache or pass to origin.
Amine
How does error handling and logging work in the edge compute environment?
mpetria
Logs can be shipped to your logging infrastructure. Logs can also be tailed live. Error handling is typical try/catch in JS.
MOHIT KATARIA
Will all requests go through the authorisation layer? Or can we configure which URLs need authorisation and which pages don't, maybe only redirecting to the authorisation layer where authorisation is required?
Sentham L
In cdn.yaml (where you implement the traffic rules along with authentication), you have an option to perform authentication based on the request path, domain, or instance.
mpetria
Yes, arbitrary conditions can be written so that authentication is required only for parts of the site.
Henry Kuijpers
How does this combine with AEM's standard functionality, like rendering navigation that could potentially contain access-restricted paths?
Henry Kuijpers
Permission-sensitive caching is not very sexy here; you would have a cache per navigation menu variation or something? As it's only a yes/no for serving the cached content.
Konrad
I guess you can combine with edge workers to replace the dynamic parts, or alternatively rely on client-side logic to reflect it.
Henry Kuijpers
How will the edge authorization / CDN be signalled that a page requires authentication and, if so, optionally what permissions? I see hardcoded examples, but in reality the content author should often enable such configuration for a page. (It's also hell to hardcode this when you have language-specific slugs for language copies.)
mpetria
Through a response header, e.g. `x-aem-allowed-groups: admin`. The response header will be checked at the CDN, and if it does not match the user's group the response will be a 403.
Tomasz Sobczyk
Wouldn't it be better to "configure" in which claim the group information sits for authorization? In large orgs you don't always have the luxury to happily go and ask for a modification of the company IdP config. As you mentioned, there is no standard for how group info lands in claims, so it would be much better to keep it open-ended IMHO.
mpetria
Yes, the group claim name can be made configurable. The tricky part is that there are also different formats; for example, Azure changes to a reference link instead of an inlined list for big group lists.
Helge
Will WAF rules be evaluated first, prior to edge functions?
mpetria
Yes, any of the CDN rules will get executed first (including WAF rules).
Tomasz Sobczyk
How long does it take to deploy a change (to the moment where it's globally available in all edge locations)?
mpetria
Under a minute, typically.