Updated on 06/08/2015: The code sample has been updated to use JSON Web Keys. See the blog post Using Json Web Keys from OpenID Connect discovery spec to work with JWT token authentication in Azure Media Services for details.
Updated on 04/22/2015: The code samples mentioned here have been moved to the official Azure Media Services samples GitHub repo. Usage of the Graph API JWT token has been changed to display group membership only. The sample application has been updated to use the authentication JWT token obtained from AD for the sample app, instead of passing the Graph API JWT token to the Azure Media Key Delivery Service.
In this article I want to demonstrate how to build an OWIN MVC application that uses Media Services to store a collection of video clips, dynamically encrypt these videos with AES, and deliver the encrypted content to clients.
The MVC application integrates with Azure Active Directory user groups and leverages Azure AD single sign-on. The sample demonstrates how to enable admin users to restrict access to videos based on AD user group membership.
The MVC application also uses the Media Services Key Delivery Service to deliver content keys to clients that want to play the encrypted content. To decide whether or not the client is authorized to get the key, the service evaluates the authorization policies that are configured for the key. In the sample shown in this article, I restrict access to content keys based on JWT claims. Read more about JWT token authentication in my last post, JWT token Authentication in Azure Media Services and Dynamic Encryption.
The code mentioned in this post ships as part of the Azure Media Services samples and is located at https://github.com/AzureMediaServicesSamples/Key-delivery-with-AAD-integration
Use the Portal to upload an asset. See the steps described in the How to: Upload content section.
https://localhost:44322/. NOTE: It is important, due to the way Azure AD matches URLs, to ensure there is a trailing slash on the end of this URL. If you don’t include the trailing slash, you will receive an error when the application attempts to redeem an authorization code.
<your_tenant_name> with the name of your Azure AD tenant. Click OK to complete the registration.
groupMembershipClaims and change its value to
Next, add the required NuGet packages. From the Tools menu, select Library Package Manager, then select Package Manager Console. In the Package Manager Console window, type the following command:
install-package Microsoft.Owin.Host.SystemWeb -Pre
In the Package Manager Console, execute the following commands:
Next, add an OWIN startup class. In Solution Explorer, right-click the project and select Add, then select New Item. In the Add New Item dialog, select Owin Startup class. For more info on configuring the startup class, see OWIN Startup Class Detection.
In our portal I wanted to have a user profile page that displays the user's Azure AD group membership and all claims from the JWT token. These claims can be used to configure Azure Media Services Key Delivery authorization policies. In our example I will use the 'groups' claim to restrict video streaming to users of a selected AD group.
On the media portal page, I need to have a list of video streams that are dynamically decrypted by the media player. As the first step in the streaming process, the video player tries to obtain the content key from the Key Delivery service to decrypt the stream. The key request needs to be sent with a JWT or SWT token in the HTTP Authorization header. Our application passes the JWT token generated by Azure AD through to the Key Delivery service. Once the Key Delivery service receives a content key request, it validates that the JWT token contains the same claims as those specified in the key delivery authorization policies. The portal admin user can configure key delivery authorization policies based on the claims in the user's AD JWT token.
As the portal admin user, I need to specify which AD user groups will have access to the video clips. I need to create authorization policies specifying that the 'groups' claim is a required claim and has the corresponding value of the Azure AD group. In the sample, the user profile page displays all the AD group id values that can be used.
The following code displays the list of video clips that are streamable:
The code below uses the AD JWT token and configures JWT token content key authorization policies in Key Delivery. A content key request will be served only when it contains, in the Authorization header, a JWT token signed by Azure Active Directory. The JWT token should carry the claim provided by the admin user; in our example it is the AD group id.
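As an added illustration (not the sample's C# code), here is a stand-alone Python model of the check the Key Delivery service performs against such a policy: signature, issuer, audience, expiry, and the admin-configured required 'groups' claim. The group id, signing key and issuer/audience strings are constructed placeholders, and HS256 stands in for the RS256/JSON Web Key verification that real Azure AD tokens use.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: the AD group id an admin put in the policy, the
# app's issuer/audience strings, and a symmetric key standing in for AD's
# signing key (real AD tokens are RS256 and verified via JSON Web Keys).
ALLOWED_GROUP_ID = "11111111-2222-3333-4444-555555555555"
SIGNING_KEY = b"constructed-demo-signing-key"
POLICY = {"issuer": "https://sts.windows.net/<tenant_id>/",
          "audience": "https://localhost:44322/",
          "required_claims": {"groups": ALLOWED_GROUP_ID}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build an HS256 JWT; stands in for the token Azure AD issues to the app."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize_key_request(token: str, policy: dict = POLICY,
                          key: bytes = SIGNING_KEY, now: float = None) -> bool:
    """Model of the Key Delivery check: the token must be correctly signed,
    match issuer and audience, be unexpired and carry every required claim."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False  # reject 'none' or any unexpected algorithm
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False  # signature does not match the trusted key
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"] or claims.get("aud") != policy["audience"]:
        return False
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False
    for name, value in policy["required_claims"].items():
        present = claims.get(name)
        # AD emits 'groups' as a list of group ids; a scalar claim is also accepted
        if value not in (present if isinstance(present, list) else [present]):
            return False
    return True
```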