Starting from Azure Media Services .NET 4.5 SDK 18.104.22.168 release, Azure Media services team added functionality to use JWT token to restrict delivery of content keys. In this post I’d like to demonstrate how to issue JWT token to be used in scenario when you want to stream dynamically encrypted content and content key requests have to be restricted.
In solutions utilizing Azure Media Services you can publish media content protected with AES encryption (envelope) or utilizing DRM technology such as Microsoft PlayReady. To play encrypted content, a video player has to obtain the content key in order to decrypt the media asset. .
There are three ways to restrict delivery of content key :
To get a content key that has a token restricted authorization policy, the player has to send a request to Azure Media Key Delivery service with JWT or SWT token. Azure Media Key Delivery service validates that token has been signed with proper key and performs validations of token claims defined in a system by service admin.
Before going into details how to construct a JWT token I wanted to walk through classes which you will be using to select that JWT token authentication enforced by key delivery service.
This class act as a container for set of access rules which you define in order to restrict delivery of content key. It has collection IContentKeyAuthorizationPolicyOption you need to define.
Defines which protocol is used for key delivery
and has IContentKeyAuthorizationPolicyOption.Restrictions collectionof type ContentKeyAuthorizationPolicyRestriction . These policy restrictions are evaluated by key delivery service in order for a key to be served.
As I mentioned before there are 3 ways content key delivery can be restricted and you can define it by assigning on of values from ContentKeyRestrictionType enum to IContentKeyAuthorizationPolicyRestriction.KeyRestrictionType
Then based on selected restriction type you need to fill IContentKeyAutorizationPolicyRestriction.Requirements property. For TokenRestricted type you need to instantiate TokenRestrictionTemplate class and use TokenRestrictionTemplateSerializer.Serialize to produce corresponding string value for ContentKeyAuthorizationPolicyRestriction.Requirements . The following code snippet demonstrates how to configure the content key authorization policy, so the key would only be delivered to end users who provide JWT token signed with a symmetric key. It also instructs service that issuer and audience claim of a token should match values defined and saved in Azure Media Key Delivery service.
Once we restricted delivery of content key, we have to instruct system how asset will be delivered. In our case we want to use dynamic encryption ,scenario when Azure Media streaming service dynamically encrypt content on a fly. You can read more about difference between dynamic and static encryption in Mingfei Yan post Dynamic Encryption vs. Static Encryption with Azure Media Services
In order to stream asset with dynamically encrypted you have to create IAssetDeliveryPolicy and associate it with media asset.
To issue a JWT token you can utilize https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/ package in your project.Please note that in code snippet above i used a HttpClient to demo a call to a key delivery service. For a player to be able to stream assets encrypted with content keys that have a token restricted authorization policy, the player must be able to work with Auth headers in order to send key requests or to append JWT token as a url parameter: &token=jwttokenValue
Once you generated a jwt token you can specify it as parameter for a player. For example below i am using Strobe Media Playback with the SS ODMF Dynamic Plugin to specify JWT token as one of flash variables. Code snippet looping through Model containing list of Assets and inserting JWT token stored in current user principal claim named “AMSAccessToken”
In a next blog post i will demo how to utilize Azure Active Directory to have role based access to your Azure Media services streamable content within OWIN based MVC App.