Integrate Azure Media Services OWIN MVC based app with Azure Active Directory and restrict content key delivery based on JWT claims

Updated on 06/08/2015: The code sample has been updated to use JSON Web Keys. See the blog post Using Json Web Keys from OpenID Connect discovery spec to work with JWT token authentication in Azure Media Services for details.

Updated on 04/22/2015: The code samples mentioned here have been moved to the official Azure Media Services samples GitHub repo. Use of the Graph API JWT token has been reduced to displaying group membership only. The sample application now passes the authentication JWT token that Azure AD issued to the sample app to the Azure Media Services Key Delivery Service, instead of passing the Graph API JWT token.

In this article I want to demonstrate how to build an OWIN MVC application that uses Media Services to store a collection of video clips, dynamically encrypt these videos with AES, and deliver the encrypted content to clients.

The MVC application integrates with Azure Active Directory user groups and leverages Azure AD single sign-on. The sample demonstrates how to enable admin users to restrict access to videos based on AD user group membership.

The MVC application also uses the Media Services Key Delivery Service to deliver content keys to clients that want to play the encrypted content. To decide whether or not a client is authorized to get the key, the service evaluates the authorization policies that are configured for the key. In the sample shown in this article, I restrict access to content keys based on JWT claims. Read more about JWT token authentication in my last post, JWT token Authentication in Azure Media Services and Dynamic Encryption.

The code mentioned in this post shipped as part of the Azure Media Services samples and is located at https://github.com/AzureMediaServicesSamples/Key-delivery-with-AAD-integration

Quick summary of the steps described in this post:

  1. Provision an Azure Media Services account and encode a few video files to be used in the video portal MVC app
  2. Create a few user accounts and groups in your Azure Active Directory tenant
  3. Register the sample with your Azure Active Directory tenant
  4. Create an OWIN app that displays a list of video streams and configures their key authorization policies

Provision an Azure Media Services account and encode a few videos to be ready for prime time

Use the portal to upload an asset, encode it to a multi-bitrate MP4 set so it can be dynamically packaged and encrypted, and publish it (create a streaming locator). See the steps described in the How to: Upload content section. The AES content key and the dynamic encryption delivery policy have to be in place on each asset before the key authorization policies below can be attached to it.

Create a few user accounts and groups in your Azure Active Directory tenant

  1. Provision a new AD tenant or use an existing one (see Create Azure Active Directory tenant)
  2. Create an Admin group and save aside the ObjectID value of this group (see Create Azure AD user Groups)
  3. Create one or more additional groups
  4. Make one user a member of the Admin group. This user will be able to configure authorization policies within MediaLibraryWebApp
  5. Spread the other users across the other groups

Register the sample with your Azure Active Directory tenant

  1. Sign in to the Azure management portal.
  2. Click on Active Directory in the left hand nav.
  3. Click the directory tenant where you wish to register the sample application.
  4. Click the Applications tab.
  5. In the drawer, click Add.
  6. Click “Add an application my organization is developing”.
  7. Enter a friendly name for the application, for example “MediaLibraryWebApp”, select “Web Application and/or Web API”, and click next.
  8. For the sign-on URL, enter the base URL for the sample, which is by default https://localhost:44322/. NOTE: It is important, due to the way Azure AD matches URLs, to ensure there is a trailing slash on the end of this URL. If you don’t include the trailing slash, you will receive an error when the application attempts to redeem an authorization code.
  9. For the App ID URI, enter https://<your_tenant_name>/MediaLibraryWebApp, replacing <your_tenant_name> with the name of your Azure AD tenant. Click OK to complete the registration.
  10. While still in the Azure portal, click the Configure tab of your application.
  11. Find the Client ID value and copy it aside, you will need this later when configuring your application.
  12. Create a new key for the application. Save the configuration so you can view the key value. Save this aside for when you configure the project in Visual Studio.
  13. Download ‘MediaLibraryWebApp’ application manifest from Azure portal
  14. Find the property groupMembershipClaims and change its value to All, so that Azure AD puts the user's group object IDs into the token as 'groups' claims: "groupMembershipClaims": "All",
  15. Upload the application manifest back to the Azure portal
  16. In the section 'Permissions to other applications' select Windows Azure Active Directory application permissions and check all checkboxes. That is the quick path for a demo; for a real deployment grant only what the sample uses, which is the delegated "Sign in and read user profile" permission plus "Read directory data" for the Graph API group lookup.

Create an OWIN MVC app to display a list of streamable media files

Creating an empty ASP.NET MVC application from the template

  1. In Visual Studio 2013, create a new ASP.NET MVC web application with Authentication set to No Authentication.
  2. Add the OWIN NuGet packages

    Next, add the required NuGet packages. From the Tools menu, select Library Package Manager, then select Package Manager Console. In the Package Manager Console window, type the following command:

    install-package Microsoft.Owin.Host.SystemWeb -Pre

  3. Add the AD client SDK (ADAL) and the Media Services .NET SDK

    In the Package Manager Console execute the following commands:

    install-package System.IdentityModel.Tokens.Jwt
    install-package windowsazure.mediaservices
    install-package Microsoft.IdentityModel.Clients.ActiveDirectory

  4. Add a Startup class

    Next, add an OWIN startup class. In Solution Explorer, right-click the project and select Add, then select New Item. In the Add New Item dialog, select OWIN Startup class. For more info on configuring the startup class, see OWIN Startup Class Detection.

Implement single sign-on authentication and store the JWT issued by Azure AD

Change the generated Startup.cs class to be partial

Create a partial class that implements Azure AD OpenID Connect authentication and saves the Azure Media Services credentials in the identity claims. Keep in mind that those claims travel in the authentication cookie; the OWIN cookie middleware encrypts it, but the account key is not per user, so keeping it in server-side configuration rather than in the cookie is the safer choice.

Create an AccountController to handle sign-in and sign-out
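The three steps above, as an added example; this is not the code from the sample repository, which you should consult for the real implementation. It assumes the Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.Cookies packages are installed in addition to the packages listed earlier, that the appSettings keys ida:ClientId, ida:Tenant and ida:PostLogoutRedirectUri hold the values from the app registration, and that a /Home/Error action exists. Instead of putting Media Services credentials into the claims it stores only the raw id_token, which is what the player later presents to Key Delivery:

```csharp
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MediaLibraryWebApp.Startup))]

namespace MediaLibraryWebApp
{
    // Startup.cs as generated by the "OWIN Startup class" item, changed to partial
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }

    // Startup.Auth.cs: Azure AD OpenID Connect sign-on backed by a cookie session.
    // The ida:* appSettings names are assumed; their values come from the app registration.
    public partial class Startup
    {
        private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"]; // e.g. contoso.onmicrosoft.com
        private static readonly string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

        // Claim type under which the raw id_token is kept so the portal can hand it to Key Delivery later
        public const string IdTokenClaimType = "urn:medialibrarywebapp:id_token";

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = "https://login.microsoftonline.com/" + Tenant,
                PostLogoutRedirectUri = PostLogoutRedirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Runs only after the middleware has validated signature, issuer, audience and lifetime
                    SecurityTokenValidated = context =>
                    {
                        ClaimsIdentity identity = context.AuthenticationTicket.Identity;
                        identity.AddClaim(new Claim(IdTokenClaimType, context.ProtocolMessage.IdToken));
                        return Task.FromResult(0);
                    },
                    // Handle protocol errors server-side instead of surfacing a stack trace to the browser
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Home/Error");
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}

namespace MediaLibraryWebApp.Controllers
{
    // Sign-in triggers the OpenID Connect challenge; sign-out clears the cookie and the Azure AD session
    public class AccountController : Controller
    {
        public void SignIn()
        {
            if (!Request.IsAuthenticated)
            {
                HttpContext.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties { RedirectUri = "/" },
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }

        public void SignOut()
        {
            HttpContext.GetOwinContext().Authentication.SignOut(
                OpenIdConnectAuthenticationDefaults.AuthenticationType,
                CookieAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

The three pieces live in separate files in a real project; they are shown together here so the assembly attribute and namespaces line up. Because the middleware validates the id_token before SecurityTokenValidated fires, anything stored from that notification can be trusted by later controllers without re-validation.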

Use the Active Directory .NET SDK (ADAL) to access the AD Graph API

In our portal I wanted a user profile page that displays the user's Azure AD group membership and all claims from the JWT token. These claims can be used to configure Azure Media Services Key Delivery authorization policies. In our example I use the 'groups' claim to restrict video streaming to members of a selected AD group. Keep in mind that the 'groups' claim carries group object IDs, not names, and that when a user belongs to more groups than Azure AD is willing to put in a token the claim is omitted in favour of an overage indicator, in which case membership has to be read from the Graph API instead.
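An added example of the profile page (not from the sample repository) showing how the 'groups' claims are read from the signed-in identity, how admin group membership is decided from them, and how the object IDs are resolved to display names with an app-only Graph API token obtained through ADAL. Assumed: the appSettings keys ida:Tenant, ida:ClientId, ida:AppKey (the key created in step 12) and AdminGroupObjectId (the ObjectID saved in step 2), ADAL 3.x or later for AcquireTokenAsync, the Graph API 1.6 groups endpoint, and Newtonsoft.Json as shipped with the MVC template:

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json.Linq;

namespace MediaLibraryWebApp.Controllers
{
    public class ProfileViewModel
    {
        public List<KeyValuePair<string, string>> Claims { get; set; } // every claim in the AD token
        public Dictionary<string, string> Groups { get; set; }          // group object ID -> display name
        public bool IsAdmin { get; set; }
    }

    [Authorize]
    public class ProfileController : Controller
    {
        // Assumed appSettings names; AdminGroupObjectId is the ObjectID saved when the Admin group was created
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string AppKey = ConfigurationManager.AppSettings["ida:AppKey"];
        private static readonly string AdminGroupId = ConfigurationManager.AppSettings["AdminGroupObjectId"];
        private const string GraphResource = "https://graph.windows.net";

        public async Task<ActionResult> Index()
        {
            var identity = (ClaimsIdentity)User.Identity;

            // With groupMembershipClaims set in the manifest, AD emits one 'groups' claim per group, holding its object ID
            string[] groupIds = identity.FindAll("groups").Select(c => c.Value).ToArray();

            var model = new ProfileViewModel
            {
                Claims = identity.Claims.Select(c => new KeyValuePair<string, string>(c.Type, c.Value)).ToList(),
                Groups = new Dictionary<string, string>(),
                // The admin decision rests on the signed token's claim, never on anything the browser posts
                IsAdmin = groupIds.Contains(AdminGroupId)
            };

            // Object IDs are what the Key Delivery policy needs; display names are only for the admin's convenience,
            // so resolve them with an app-only Graph token (client credentials, "Read directory data" permission)
            var authContext = new AuthenticationContext("https://login.microsoftonline.com/" + Tenant);
            AuthenticationResult graphToken = await authContext.AcquireTokenAsync(
                GraphResource, new ClientCredential(ClientId, AppKey));

            using (var http = new HttpClient())
            {
                http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphToken.AccessToken);
                foreach (string id in groupIds)
                {
                    // Graph API 1.6 group lookup by object ID (assumed endpoint shape)
                    string url = GraphResource + "/" + Tenant + "/groups/" + id + "?api-version=1.6";
                    HttpResponseMessage response = await http.GetAsync(url);
                    model.Groups[id] = response.IsSuccessStatusCode
                        ? (string)JObject.Parse(await response.Content.ReadAsStringAsync())["displayName"]
                        : "(name not resolved)";
                }
            }

            return View(model);
        }
    }
}
```

The view can list model.Groups so the admin can copy an object ID into the policy form; an unresolved name is shown rather than dropped, because the ID is still a valid policy value even if the Graph call fails.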

Display a list of streamable assets and grant permissions to AD user groups to view AMS hosted video streams

In the media portal page (https://github.com/gtrifonov/azure-media-services-samples/blob/master/KDWithADMVC/MediaLibraryWebApp/Controllers/MediaLibraryController.cs) I need a list of video streams that are dynamically decrypted by the media player. As the first step in the streaming process the video player tries to obtain the content key from the Key Delivery Service to decrypt the stream. The key request must carry a JWT or SWT token in the HTTP Authorization header. Our application passes the JWT token issued by AD through to the Key Delivery Service. When the Key Delivery Service receives a content key request it checks the token's signature, issuer, audience and expiry against the key's authorization policy and then verifies that the JWT contains the claims the policy requires. A portal admin user can configure key delivery authorization policies based on the claims in the user's AD JWT token.

As the portal admin user I need to specify which AD user groups have access to a video clip. I create an authorization policy that lists 'groups' as a required claim with the object ID of the chosen Azure AD group as its value. In the sample, the user profile page displays all the AD group ID values that can be used.

Retrieving the list of media assets

The following code displays the list of video clips that are streamable.

Select a video and configure authorization policies based on AD user group membership

The code below uses the AD JWT token (its issuer and audience) to configure a JWT content key authorization policy in Key Delivery. A content key request is served only when its Authorization header carries a JWT signed by Azure AD that contains the claim chosen by the admin user; in our example that is the AD group ID.
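An added example, not the sample's own code, of how such a list can be built with the Media Services .NET SDK. It assumes the account name and key sit in appSettings (MediaServicesAccountName, MediaServicesAccountKey, assumed names) and that each asset was published with a streaming locator and an AES content key as described earlier:

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using Microsoft.WindowsAzure.MediaServices.Client;

namespace MediaLibraryWebApp.Models
{
    public class StreamableVideo
    {
        public string AssetId { get; set; }
        public string Name { get; set; }
        public Uri SmoothStreamingUri { get; set; }
        public Uri HlsUri { get; set; }
        public string ContentKeyId { get; set; }
        public bool HasAuthorizationPolicy { get; set; } // false means Key Delivery will refuse every key request
    }

    public static class MediaLibrary
    {
        // Media Services credentials live in server-side config (assumed appSettings names), not in user claims
        public static CloudMediaContext CreateContext()
        {
            return new CloudMediaContext(
                ConfigurationManager.AppSettings["MediaServicesAccountName"],
                ConfigurationManager.AppSettings["MediaServicesAccountKey"]);
        }

        // An asset is streamable when it has a Smooth Streaming manifest (.ism), an unexpired on-demand locator
        // and an AES (envelope) content key that dynamic encryption can use
        public static List<StreamableVideo> GetStreamableVideos(CloudMediaContext context)
        {
            var videos = new List<StreamableVideo>();
            foreach (IAsset asset in context.Assets)
            {
                IAssetFile manifest = asset.AssetFiles.ToList()
                    .FirstOrDefault(f => f.Name.EndsWith(".ism", StringComparison.OrdinalIgnoreCase));
                ILocator locator = asset.Locators
                    .FirstOrDefault(l => l.Type == LocatorType.OnDemandOrigin && l.ExpirationDateTime > DateTime.UtcNow);
                IContentKey key = asset.ContentKeys
                    .FirstOrDefault(k => k.ContentKeyType == ContentKeyType.EnvelopeEncryption);
                if (manifest == null || locator == null || key == null)
                    continue;

                // locator.Path already ends with '/', so the streaming URL is <path><manifest name>/manifest
                string manifestUrl = locator.Path + manifest.Name + "/manifest";
                videos.Add(new StreamableVideo
                {
                    AssetId = asset.Id,
                    Name = asset.Name,
                    SmoothStreamingUri = new Uri(manifestUrl),
                    HlsUri = new Uri(manifestUrl + "(format=m3u8-aapl)"),
                    ContentKeyId = key.Id,
                    HasAuthorizationPolicy = !string.IsNullOrEmpty(key.AuthorizationPolicyId)
                });
            }
            return videos;
        }
    }
}
```

HasAuthorizationPolicy is worth surfacing in the admin view: a key without a policy is not "open", Key Delivery simply rejects every request for it, so the admin sees at a glance which clips nobody can play yet.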
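An added example (not the sample's code) of the policy configuration. It assumes a Media Services SDK version that exposes OpenIdConnectDiscoveryDocument and string Issuer/Audience on TokenRestrictionTemplate (the JSON Web Key support the June 2015 update moved to), and the assumed appSettings keys ida:TenantId (the tenant GUID, which the sts.windows.net issuer requires), ida:ClientId, AdminGroupObjectId, MediaServicesAccountName and MediaServicesAccountKey. The controller action checks the caller's own 'groups' claim for the admin group before touching any policy, and validates that the submitted group ID is a GUID:

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.WindowsAzure.MediaServices.Client;
using Microsoft.WindowsAzure.MediaServices.Client.ContentKeyAuthorization;

namespace MediaLibraryWebApp.Controllers
{
    public static class KeyDeliveryPolicyConfigurator
    {
        // Token restriction that Key Delivery evaluates on every key request: a JWT signed by Azure AD
        // (signing keys fetched from the OpenID Connect discovery document), issued for this tenant,
        // addressed to this app, and carrying a 'groups' claim equal to the chosen AD group object ID
        public static string BuildTokenRestriction(string tenantId, string clientId, string groupObjectId)
        {
            var template = new TokenRestrictionTemplate(TokenType.JWT)
            {
                Issuer = "https://sts.windows.net/" + tenantId + "/",
                Audience = clientId, // the id_token's aud is the app's Client ID
                OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(
                    "https://login.microsoftonline.com/" + tenantId + "/.well-known/openid-configuration")
            };
            template.RequiredClaims.Add(new TokenClaim("groups", groupObjectId));
            return TokenRestrictionTemplateSerializer.Serialize(template);
        }

        // Wrap the restriction in a policy option and attach the policy to the asset's AES content key
        public static IContentKeyAuthorizationPolicy Apply(CloudMediaContext context, IContentKey contentKey, string restriction)
        {
            var restrictions = new List<ContentKeyAuthorizationPolicyRestriction>
            {
                new ContentKeyAuthorizationPolicyRestriction
                {
                    Name = "Azure AD group token restriction",
                    KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
                    Requirements = restriction
                }
            };

            IContentKeyAuthorizationPolicyOption option = context.ContentKeyAuthorizationPolicyOptions.Create(
                "AES key, token restricted", ContentKeyDeliveryType.BaselineHttp, restrictions, null);

            IContentKeyAuthorizationPolicy policy =
                context.ContentKeyAuthorizationPolicies.CreateAsync("Policy for key " + contentKey.Id).Result;
            policy.Options.Add(option);

            // Swapping the policy ID takes effect on the next key request; the content is not re-encrypted
            contentKey.AuthorizationPolicyId = policy.Id;
            contentKey.Update();
            return policy;
        }
    }

    [Authorize]
    public class MediaLibraryController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult RestrictToGroup(string assetId, string groupObjectId)
        {
            // Only the admin group may change policies; decided on the signed token, not on a form field
            var identity = (ClaimsIdentity)User.Identity;
            string adminGroupId = ConfigurationManager.AppSettings["AdminGroupObjectId"];
            if (!identity.FindAll("groups").Any(c => c.Value == adminGroupId))
                return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

            // A group object ID is a GUID; reject anything else before it lands in a policy
            Guid groupGuid;
            if (!Guid.TryParse(groupObjectId, out groupGuid))
                return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

            var context = new CloudMediaContext(
                ConfigurationManager.AppSettings["MediaServicesAccountName"],
                ConfigurationManager.AppSettings["MediaServicesAccountKey"]);

            IAsset asset = context.Assets.Where(a => a.Id == assetId).FirstOrDefault();
            IContentKey key = asset == null ? null
                : asset.ContentKeys.FirstOrDefault(k => k.ContentKeyType == ContentKeyType.EnvelopeEncryption);
            if (key == null)
                return HttpNotFound();

            string restriction = KeyDeliveryPolicyConfigurator.BuildTokenRestriction(
                ConfigurationManager.AppSettings["ida:TenantId"],
                ConfigurationManager.AppSettings["ida:ClientId"],
                groupGuid.ToString());
            KeyDeliveryPolicyConfigurator.Apply(context, key, restriction);

            return RedirectToAction("Index");
        }
    }
}
```

The player then requests the key with an Authorization: Bearer <id_token> header; Key Delivery fetches the signing keys from the discovery document, checks issuer, audience and expiry, and compares the token's 'groups' claims with the required claim. Since the id_token is short-lived, the portal has to hand the player a token from the current session rather than one cached from an earlier sign-in.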
