Stream authorized video from azure media service with duende identity server

Question

I have the following constellation:

• Client: Angular + ngx videogular (I can switch to azure media player)
• Server: .Net 6 + duende Identity Server for user authentication and authorization (Identity server 4)

Client app and the server are published in azure as static and service app.

The goal is to stream large videos (Videos on demand) with azure media service to certain authenticated and authorized users.

Example: User 1 can watch video A and B. User 2 can only watch video A.

I have set media service v3 as it as described in microsoft pages and I was able to stream assets from azure media service (e.g. as HLS source:

Client:

        <video #videoElement #vgHls="vgHls" [vgHls]="hlsSource" [vgMedia]="$any(media)" #media [id]="videoId"
            type="video/mp4" [autoplay]="false" preload="auto" crossorigin>
        </video>

Server:

                    var configWrapper = new ConfigWrapper(configuration);
                    ServiceClientCredentials credentials;
                    credentials = await GetCredentialsInteractiveAuthAsync(configWrapper);
                    
                    var client = new AzureMediaServicesClient(configWrapper.ArmEndpoint, credentials)
                    {
                        SubscriptionId = configWrapper.SubscriptionId,
                    };
                    var asset = await client.Assets.GetAsync(configWrapper.ResourceGroup, configWrapper.AccountName, "assetName");
                    var streamingLocators = await client.Assets.ListStreamingLocatorsAsync(configWrapper.ResourceGroup, configWrapper.AccountName, "assetName");
                    var locator = streamingLocators.StreamingLocators.FirstOrDefault();
                    IList<string> urls = await GetStreamingUrlsAsync(client, configWrapper.ResourceGroup, configWrapper.AccountName, locator.Name);
                    // return hlsUrl... It works for all users? (not only for authorized user?)

Now I don't want to enter the hls or dash sources in the client video player, but control the access rights in my api server.

How can I create an "hls source" for an azure asset in rest api only for an authenticated and authorized user?

How can I secure the videos/assets with tokens only for authorized users?

Answer 1

In your example code above, you are getting a "clear" unprotected, un-encrypted streaming locator from the AMS backend.

The credentials object you used above in your code - through interactive auth - is just the Azure credential assigned as Owner or Contributor role on the actual Media Services account for management operations (CRUD on entities, etc.) and has nothing to do with the streaming locator encryption, keys, or claims that allow the key delivery service to provide the decryption key to the client. You only use the ServiceClientCredentials to "manage" and create things in the AMS account. It does not have anything to do with streaming auth.

For authentication and key delivery services, you should familiarize yourself with the concepts under Content Protection:

Overview of content protection: https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-protection-concept

Overview of using streaming policies: https://learn.microsoft.com/en-us/azure/media-services/latest/stream-streaming-policy-concept

There is a tutorial that walks through using Content protection with AAD as the backend : https://learn.microsoft.com/en-us/azure/media-services/latest/architecture-azure-ad-content-protection

Some Typescript samples showing how to create a Streaming Locator with a content key policy configured with custom "Claims" in a ContentKeyPolicyTokenClaim.

You would need to design and build your own secure token service that authenticated your users and passed them the appropriate JWT token with claims that worked with the specific Streaming Locator and ContentKeyPolicy (with claims) that you configured on the backend of AMS. It's all a bit tricky to grasp, but if you look at some of the tutorials above and walk through them slowly the concepts come together. The key part is the JWT token and Claims that you assign to be used.