How can I secure the on-demand streaming from Azure Media Services to a specific domain only?

E.g. if you are using the Azure Media Player on www.domain1.com - you can watch the videos, but if you are on www.whatever.com then the video should not play.

Here is what I tried:

  1. Setting CORS on the assigned Azure Storage account - didn't help. All responses seem to have a * cors header.

  2. Setting up IP restrictions on the Streaming Endpoint - didn't help. I could still stream a video from different machines using the Azure Media Player demo page. https://ampdemo.azureedge.net/azuremediaplayer.html?url=my_url_to_ism_manifest

UPDATE on the IP restrictions - it seems it needs some time to take effect. But now I realize it is not a good option, because there is no way to know the IP addresses of all the users of my site.

As far as I understood, the other content protection mechanisms (like FairPlay, Widevine, etc.) that AMS supports require having a token, meaning the users should authenticate to my site first.

But I do not want to authenticate the users on my site, I just want the videos to be playable only if you are on my site.

Veselin Vasilev
  • https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-dotnet-configure-content-key-auth-policy – Jason Pan Jun 03 '20 at 09:42
  • I think `Content protection` can help you achieve this need. – Jason Pan Jun 03 '20 at 09:43
  • @Jason, I read them, but they all look like they require an STS, so some kind of login/authentication is involved, which I don't want to use. – Veselin Vasilev Jun 03 '20 at 11:04
  • As far as I know, there should be no better way. – Jason Pan Jun 03 '20 at 13:25
  • The CDN answer below is easiest, but if you do want to go the encryption route, you can protect the content and have your site generate JWT tokens. The Media Services key delivery server only cares that the token is valid, has the correct claims, and is signed properly. There's no need to actually authenticate clients from your site. Just build the proper JWT and embed that with the player. – David Bristol Jun 03 '20 at 13:50
  • @DavidBristol, but that jwt token could be copied by someone and put on another site, right? – Veselin Vasilev Jun 04 '20 at 00:13
  • If the token is not expired, that's correct. However there is another option to prevent replay protection with the parameter urn:microsoft:azure:mediaservices:maxuses as discussed at https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-content-protection-overview#control-content-access – David Bristol Jun 11 '20 at 19:58
  • Thanks @DavidBristol. I went the Verizon Premium CDN route - created rules that look at the origin and referrer domains and that seems to do the trick. – Veselin Vasilev Jun 12 '20 at 08:02
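The token route from David Bristol's comments, as an added example that is not code from the thread or from Microsoft: the site mints a short-lived HS256 JWT carrying the claims key delivery is configured to require, and a small model of the verifier side shows why a copied token stops working once it expires or exhausts its `urn:microsoft:azure:mediaservices:maxuses` budget. The signing key, issuer and audience values are constructed for the example; in practice they are whatever the content key authorization policy is configured with.

```python
import base64, hashlib, hmac, json, time
from typing import Dict, Optional

# Constructed values for this example; the real ones come from the
# token restriction configured on the content key authorization policy.
SIGNING_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://www.domain1.com"           # assumed issuer value
AUDIENCE = "urn:example:ams-key-delivery"    # assumed audience value
MAXUSES_CLAIM = "urn:microsoft:azure:mediaservices:maxuses"  # claim named in the thread

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(ttl_seconds: int, max_uses: int, now: Optional[int] = None) -> str:
    """Site-side: build an HS256 JWT the player embeds in its key request."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"iss": ISSUER, "aud": AUDIENCE, "nbf": now,
                         "exp": now + ttl_seconds, MAXUSES_CLAIM: str(max_uses)},
                        separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(claims.encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class KeyDeliveryModel:
    """Model of the checks key delivery applies before releasing a key:
    signature, issuer, audience, validity window, and a per-token use counter."""
    def __init__(self) -> None:
        self._uses: Dict[str, int] = {}

    def accept(self, token: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False
        header_b64, claims_b64, sig_b64 = parts
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False                     # forged or tampered token
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            return False
        if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
            return False                     # expired (or not yet valid) token
        max_uses = int(claims.get(MAXUSES_CLAIM, 0))
        used = self._uses.get(sig_b64, 0)
        if max_uses and used >= max_uses:
            return False                     # copied token replayed past its budget
        self._uses[sig_b64] = used + 1
        return True
```

A token lifted from the page still plays elsewhere until its `exp` passes or its `maxuses` count is spent, which is the residual risk the comments describe.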

1 Answer

One simple solution would be to enable Azure CDN from Verizon Premium and then use the rules engine capabilities to create a rule that only allows access from your domain. Your second solution of using IP restrictions on the streaming endpoint would work as long as you aren't enabling Azure CDN for the streaming endpoint. If you aren't able to get this solution to work, I would recommend opening up a support case for further investigation.

Anton Kucer