JWT token Authentication in Azure Media Services and Dynamic Encryption


Starting with the Azure Media Services .NET 4.5 SDK 3.1.0.0 release, the Azure Media Services team added the ability to use a JWT token to restrict delivery of content keys. In this post I'd like to demonstrate how to issue a JWT token for the scenario where you stream dynamically encrypted content and content key requests have to be restricted.

Define who is going to get a content key

In solutions built on Azure Media Services you can publish media content protected with AES encryption (envelope) or with a DRM technology such as Microsoft PlayReady. To play encrypted content, a video player has to obtain the content key in order to decrypt the media asset.

There are three ways to restrict delivery of a content key:

  • Not restricted. Everyone can request the content key.
  • IP restricted. Only HTTP callers from a specific range of IP addresses get the key.
  • Token restricted. Only callers who pass a valid token in the Authorization header or in the query string get the content key.

To get a content key that has a token restricted authorization policy, the player has to send a request to the Azure Media Key Delivery service with a JWT or SWT token. The Azure Media Key Delivery service validates that the token has been signed with the proper key and then validates the token claims that the service admin has defined in the system.
Before going into the details of how to construct a JWT token, I want to walk through the classes you will be using to require JWT token authentication enforced by the key delivery service.

IContentKeyAuthorizationPolicy

This class acts as a container for the set of access rules you define in order to restrict delivery of a content key. It holds a collection of IContentKeyAuthorizationPolicyOption objects that you need to define.

IContentKeyAuthorizationPolicyOption

Defines which protocol is used for key delivery:

  • BaselineHttp (use the MPEG Baseline HTTP key protocol)
  • PlayReadyLicense (use the PlayReady license acquisition protocol)

and has the IContentKeyAuthorizationPolicyOption.Restrictions collection of type ContentKeyAuthorizationPolicyRestriction. These policy restrictions are evaluated by the key delivery service before a key is served.

IContentKeyAuthorizationPolicyRestriction

As I mentioned before, there are three ways content key delivery can be restricted, and you select one by assigning one of the values of the ContentKeyRestrictionType enum to IContentKeyAuthorizationPolicyRestriction.KeyRestrictionType.

Then, based on the selected restriction type, you need to fill the IContentKeyAuthorizationPolicyRestriction.Requirements property. For the TokenRestricted type you need to instantiate the TokenRestrictionTemplate class and use TokenRestrictionTemplateSerializer.Serialize to produce the corresponding string value for ContentKeyAuthorizationPolicyRestriction.Requirements. The following code snippet demonstrates how to configure the content key authorization policy so that the key is only delivered to end users who present a JWT token signed with a symmetric key. It also instructs the service that the issuer and audience claims of the token must match the values defined and saved in the Azure Media Key Delivery service.

Define how the media asset will be delivered

Once we have restricted delivery of the content key, we have to instruct the system how the asset will be delivered. In our case we want to use dynamic encryption, the scenario in which the Azure Media streaming service encrypts content on the fly. You can read more about the difference between dynamic and static encryption in Mingfei Yan's post Dynamic Encryption vs. Static Encryption with Azure Media Services.
In order to stream an asset with dynamic encryption you have to create an IAssetDeliveryPolicy and associate it with the media asset.
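The two server-side steps above (the JWT-restricted content key authorization policy and the dynamic envelope encryption delivery policy) put together in one working sequence. This is an added example, not the post's own snippet: it assumes an existing CloudMediaContext named `context` and an IAsset named `asset` (hypothetical variables), the class names of the Azure Media Services .NET SDK 3.1.0.0 and later, and placeholder issuer/audience values that you replace with those your token issuer emits. The TokenRestrictionTemplate is returned to the caller because its symmetric verification key is the secret your token issuer must sign with.

```csharp
// Added example (not from the original post). Creates an envelope content key,
// locks it behind a JWT token restriction, and attaches a dynamic envelope
// encryption delivery policy to the asset.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.WindowsAzure.MediaServices.Client;
using Microsoft.WindowsAzure.MediaServices.Client.ContentKeyAuthorization;
using Microsoft.WindowsAzure.MediaServices.Client.DynamicEncryption;

public static class TokenRestrictedEnvelopeSetup
{
    // Placeholder values (assumption): both must match the iss/aud claims of the issued tokens.
    const string Issuer = "urn:my-token-issuer";
    const string Audience = "urn:my-media-clients";

    // `context` and `asset` are assumed to exist already (hypothetical inputs).
    public static IContentKey ConfigureAsset(CloudMediaContext context, IAsset asset,
                                             out TokenRestrictionTemplate template)
    {
        // 1. A random 16-byte AES-128 envelope key, associated with the asset.
        byte[] keyBytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(keyBytes); }
        IContentKey key = context.ContentKeys.Create(
            Guid.NewGuid(), keyBytes, "Envelope key", ContentKeyType.EnvelopeEncryption);
        asset.ContentKeys.Add(key);

        // 2. What an acceptable token looks like: a JWT, HMAC-signed with the symmetric key
        //    generated here, carrying the expected issuer and audience, and bound to this
        //    content key through the content key identifier claim.
        template = new TokenRestrictionTemplate(TokenType.JWT);
        template.PrimaryVerificationKey = new SymmetricVerificationKey(); // random key, keep it secret
        template.Issuer = Issuer;
        template.Audience = Audience;
        template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim);

        // 3. The serialized template becomes the Requirements of a TokenRestricted restriction.
        var restrictions = new List<ContentKeyAuthorizationPolicyRestriction>
        {
            new ContentKeyAuthorizationPolicyRestriction
            {
                Name = "JWT token restriction",
                KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
                Requirements = TokenRestrictionTemplateSerializer.Serialize(template)
            }
        };

        // 4. Option = delivery protocol + restrictions; policy = set of options; link the policy to the key.
        IContentKeyAuthorizationPolicyOption option = context.ContentKeyAuthorizationPolicyOptions.Create(
            "JWT option", ContentKeyDeliveryType.BaselineHttp, restrictions, null);
        IContentKeyAuthorizationPolicy policy =
            context.ContentKeyAuthorizationPolicies.CreateAsync("JWT authorization policy").Result;
        policy.Options.Add(option);
        key.AuthorizationPolicyId = policy.Id;
        key = key.UpdateAsync().Result;

        // 5. Dynamic envelope encryption: the streaming endpoint encrypts on the fly and the
        //    manifest points players at the key delivery URL (without the per-key query string).
        Uri keyAcquisitionUri = key.GetKeyDeliveryUrl(ContentKeyDeliveryType.BaselineHttp);
        var uriBuilder = new UriBuilder(keyAcquisitionUri) { Query = string.Empty };
        var configuration = new Dictionary<AssetDeliveryPolicyConfigurationKey, string>
        {
            { AssetDeliveryPolicyConfigurationKey.EnvelopeKeyAcquisitionUrl, uriBuilder.Uri.ToString() }
        };
        IAssetDeliveryPolicy deliveryPolicy = context.AssetDeliveryPolicies.Create(
            "Dynamic envelope encryption policy",
            AssetDeliveryPolicyType.DynamicEnvelopeEncryption,
            AssetDeliveryProtocol.SmoothStreaming | AssetDeliveryProtocol.HLS | AssetDeliveryProtocol.Dash,
            configuration);
        asset.DeliveryPolicies.Add(deliveryPolicy);

        return key;
    }
}
```

The point of step 2 is that the key delivery service only learns the verification key, the issuer and the audience once, at policy creation time; every later key request is judged against that stored template, so the issuer component that signs tokens must hold the same symmetric key and emit exactly those iss/aud values.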

Issuing a JWT token and calling Azure Media Key Delivery Service

To issue a JWT token you can use the https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/ package in your project. Please note that in the code snippet above I used HttpClient to demonstrate a call to the key delivery service. For a player to be able to stream assets encrypted with content keys that have a token restricted authorization policy, the player must be able to send Authorization headers with its key requests or to append the JWT token as a URL parameter: &token=jwttokenValue
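The client side of the exchange, as an added example that is not the post's own snippet: minting a JWT with the System.IdentityModel.Tokens.Jwt package (the 4.x version for .NET 4.5, whose JwtSecurityToken lives in the System.IdentityModel.Tokens namespace) from a TokenRestrictionTemplate, and requesting the key over HTTP with the token appended as the &token= query parameter the post mentions. It assumes you already hold the template that was stored with the authorization policy (so its symmetric verification key is available to the issuer) and the content key's id; `lifetime` is a parameter of this example.

```csharp
// Added example (not from the original post). Issues a JWT that the Azure Media
// Key Delivery service will accept and fetches the envelope key with it.
using System;
using System.IdentityModel.Tokens;   // JwtSecurityToken, SigningCredentials, InMemorySymmetricSecurityKey
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MediaServices.Client.ContentKeyAuthorization;

public static class AmsJwtIssuer
{
    // Mint a token for `keyId` that satisfies `template` (the template stored with the policy).
    public static string IssueToken(TokenRestrictionTemplate template, Guid keyId, TimeSpan lifetime)
    {
        // Same symmetric key the key delivery service stored as PrimaryVerificationKey.
        var verificationKey = (SymmetricVerificationKey)template.PrimaryVerificationKey;
        var credentials = new SigningCredentials(
            new InMemorySymmetricSecurityKey(verificationKey.KeyValue),
            SecurityAlgorithms.HmacSha256Signature,
            SecurityAlgorithms.Sha256Digest);

        // The service checks the signature, iss, aud, nbf/exp and every RequiredClaim of the
        // template; the content key identifier claim ties this token to one key only.
        var claims = new[]
        {
            new Claim(TokenClaim.ContentKeyIdentifierClaimType, keyId.ToString())
        };

        DateTime now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: template.Issuer,
            audience: template.Audience,
            claims: claims,
            notBefore: now.AddMinutes(-5),      // small skew allowance
            expires: now.Add(lifetime),         // short-lived: a leaked token is useful only briefly
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // `keyDeliveryUrl` is the URL returned by IContentKey.GetKeyDeliveryUrl(BaselineHttp),
    // which already carries the key id in its query string, so the token is appended with '&'.
    public static async Task<byte[]> FetchKeyAsync(Uri keyDeliveryUrl, string jwt)
    {
        var requestUri = new Uri(keyDeliveryUrl.AbsoluteUri + "&token=" + Uri.EscapeDataString(jwt));
        using (var client = new HttpClient())
        {
            HttpResponseMessage response = await client.GetAsync(requestUri);
            // A non-success status means the service rejected the token (bad signature,
            // wrong iss/aud, expired, or missing required claim).
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsByteArrayAsync(); // raw AES-128 key bytes
        }
    }
}
```

Because the token is validated purely from its signature and claims, the issuer's copy of the symmetric key is the whole trust anchor: keep it out of the player and out of client-side configuration, and issue tokens only after the user has been authenticated by your own application.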

Using a JWT token within a video player

Once you have generated a JWT token you can pass it as a parameter to a player. For example, below I am using Strobe Media Playback with the SS ODMF Dynamic Plugin and specify the JWT token as one of the flash variables. The code snippet loops through a Model containing a list of Assets and inserts the JWT token stored in the current user principal's claim named "AMSAccessToken".

In the next blog post I will demo how to use Azure Active Directory for role-based access to your Azure Media Services streamable content within an OWIN-based MVC app.
