Edge Functions and OIDC Authentication in Adobe Managed CDN

Alexander

Can we use Edge Compute in AEMaaCS with Fastly and if so does it require additional license? The next slide just answered with yes, so please answer the part for the license

mpetria

Edge Compute will be a separate SKU, not included in the base product.

wolf

How are costs of Edge Compute handled? Does it fall under the (expensive!) „content requests” in AEMaaCS?

mpetria

Edge Compute will be a separate SKU, not included in the base product.

Anian Weber

Will this replace the "content overlay" feature of Edge Delivery Services? Given that content overlay often is used to render content from 3rd party systems.

Markus Haack - Adobe

No. These are both used for different use-cases. However there can we cases where you would like to combine them, like a commerce product page with page itself pre-rendered via content overlay while pricing or stock info is routed to edge compute.

Anian Weber

Thanks :)

Jaybee

How do you authenticate your make to deploy to your tenant?

mpetria

For now Adobe provides you with a development token. Later we are envisioning an integration with Adobe developer console

Helge

Can we authorize requests on edge also to publishers ootb or just other/external IDPs?

mpetria

with Edge Authentication you bring your own Identity provider if it supports OIDC. Relying on origin authentication/authorization is future work, to implement something like CDN permission sensitive caching. That would work as follows: - visitor access /page.html - cdn calls a servlet on origin /permissioncheck?url=/page.html to check if the current user has permissions for that url - if response is 200 it calls the actual resource origin/page.html and returns it

Robert Wunsch

Why is "make" being used to deploy and tail-logs for edge-compute?

mpetria

Good question :) It is a temporarily "CLI" until we integrate with better CLI solution such as `aio`

Tomasz Sobczyk

Are you planning to follow what most of other edge computes do which is to allow edge compute to be injected in one of 4 places : on request / response and on in front of / behind cache Current implementation with cache disabled will lead to performance issues

mpetria

This is not currently planned. Currently the supported pattern is: AEM CDN -> AEM Compute So, compute acts as an origin for the CDN and executes after the cache hit/miss.

Helge

Can I check the users session and either serve a response from cdn cache or pass through to origin ?

mpetria

session toke is automatically checked in Edge OIDC Authentication. Only valid sessions will be allowed to see the cache or pass to origin.

Amine

How does error handling and logging work in the edge compute environment?

mpetria

logs can be shipped to your logging infrastructure. logs can also be tailed live. error hadling is typical try catch in js.

MOHIT KATARIA

Will all requests go through authorisation layer? or can we configure which url's need authorisation and which pages don't. May be only redirect to authorisation layer where authorisation in required?

Sentham L

On the cdn.yaml (where you implement the traffic rules along with authentication), you have an option to perform authentication based on the request path or domain or the instance.

mpetria

yes, arbitrary conditions can be written so that authentication is required only for parts of the site.

Henry Kuijpers

How does this combine with AEM's standard functionality, like rendering navigation that could potentially contain access-restricted paths?

Henry Kuijpers

Permission sensitive caching is not very sexy here, you would have a cache per navigation menu variation or something? As it's only a yes/no for serving the cached content.

Konrad

I guess you can combine with edge workers to replace the dynamic parts or alternatively rely on client side logic to reflect it.

Henry Kuijpers

How will the Edge authorization / CDN be signalled that a page requires authentication and if so, optionally what permissions? I see hardcoded examples, but in reality often the content author should enable such configuration for a page. (It's also a hell to hardcode this, when you have language-specific slugs for language copies).

mpetria

through a response header, eg. x-aem-allowed-groups: admin. The response header will be checked at CDN and if it does not match the user's group the response will be a 403.

Tomasz Sobczyk

Wouldn't it be better to "configure" in which claim the group information sits to do authorization. In large orgs you don't always have the luxury to happily go and ask for modification of a company with IDP config. As you mentioned there is no standard for how group info lands in claims so it would be much better to keep it open ended IMHO.

mpetria

yes. the group claim name can be made conffigurable. The tricky part is that there are also different formats, for example Azure changes to a reference link instead of an inlined list for big group lists.

Helge

Will waf rules be evaluated first prior to edge functions?

mpetria

Yes, any of CDN rules will get executed first (including WAF rules)

Tomasz Sobczyk

How long does it take to deploy a change (to a moment where it's globally available in all edge locations)?

mpetria

under a minute typically