Posted on

Starting from Azure Media Services .NET 4.5  SDK release, Azure Media services team added functionality to use JWT token to restrict delivery of content keys. In this post I’d like  to demonstrate how to issue JWT token to be used in scenario when you want to stream dynamically encrypted content and content key requests have to be restricted.

Define who is going to get a content key:

In solutions utilizing Azure Media Services you can publish media content protected with AES encryption (envelope) or utilizing DRM technology such as Microsoft PlayReady. To play encrypted content, a video player has to obtain the content key in order to decrypt the media asset. .

There are three ways to restrict delivery of content key :

  • Not Restricted.Everyone can request a content key.
  • IP restricted. Only http callers from specific range of ip addresses getting a key.
  • Token restricted. Only callers who are passing valid token in Auth header or query string will get a content key.

To get a content key that has a token restricted authorization policy, the player has to send a request to Azure Media Key Delivery service with JWT or SWT token. Azure Media Key Delivery service validates that token has been signed with proper key and performs validations of token claims defined in a system by service admin.
Before going into details how to construct a JWT token I wanted to walk through classes which you will be using  to select that JWT token authentication enforced by key delivery service.


This class act as a container for set of access rules which you define in order to restrict delivery of content key. It has collection IContentKeyAuthorizationPolicyOption you need to define.


Defines which protocol is used for key delivery

  • BaselineHttp (Use MPEG Baseline HTTP key protocol.)
  • PlayReadyLicense (Use PlayReady License acquisition protocol)

and has  IContentKeyAuthorizationPolicyOption.Restrictions collectionof type ContentKeyAuthorizationPolicyRestriction . These policy restrictions are evaluated by key delivery service in order for a key to be served.


As I mentioned before there are 3 ways content key delivery can be restricted and you can define it  by assigning on of values from ContentKeyRestrictionType enum to IContentKeyAuthorizationPolicyRestriction.KeyRestrictionType

Define how media asset will be delivered

Once we restricted delivery of content key, we have to instruct system how asset will be delivered. In our case we  want to use dynamic encryption ,scenario when Azure Media streaming service dynamically encrypt content on a fly.  You can read more about difference between dynamic and static encryption in Mingfei Yan post Dynamic Encryption vs. Static Encryption with Azure Media Services
In order to stream asset with dynamically encrypted you have to  create IAssetDeliveryPolicy and associate it with media asset.

Issuing a JWT token and calling Azure Media Key Delivery Service

To issue a JWT token you can utilize Please note that in code snippet above i used a HttpClient to demo a call to a key delivery service. For a player to be able to stream assets encrypted with content keys that have a token restricted authorization policy, the player must be able to work with Auth headers in order to send key requests or to append JWT token as a url parameter: &token=jwttokenValue

Using a JWT token within a video player

Once you generated a jwt token you can specify it as parameter for a player. For example below i am using

In a next blog post i will demo how to utilize Azure Active Directory to have role based access to your Azure Media services streamable content within OWIN based MVC App.