0
votes

How can I secure the on-demand streaming from Azure Media Services to a specific domain only?

E.g. if you are using the Azure Media Player on www.domain1.com - you can watch the videos, but if you are on www.whatever.com then the video should not play.

Here is what I tried:

  1. Setting CORS on the assigned Azure Storage account - didn't help. All responses seem to have a * CORS header.

  2. Setting up IP restrictions on the Streaming Endpoint - didn't help. I could still stream a video from different machines using the azure media player demo page. https://ampdemo.azureedge.net/azuremediaplayer.html?url=my_url_to_ism_manifest

UPDATE on the IP restrictions - it seems it needs some time to take effect. But now I realize it is not a good option, because there is no way to know the IP addresses of all the users of my site.

As far as I understood, the other content protection mechanisms (like FairPlay, Widevine, etc.) that AMS supports require having a token, meaning the users should authenticate to my site first.

But I do not want to authenticate the users on my site, I just want the videos to be playable only if you are on my site.

1
I think Content protection can help you achieve this need. - Jason Pan
@Jason, I read them, but they all look like they require an STS, so some kind of login/authentication is involved, which I don't want to use. - Veselin Vasilev
The CDN answer below is easiest, but if you do want to go the encryption route, you can protect the content and have your site generate JWT tokens. The Media Services key delivery server only cares that the token is valid, has the correct claims, and is signed properly. There's no need to actually authenticate clients from your site. Just build the proper JWT and embed that with the player. - David Bristol
If the token is not expired, that's correct. However there is another option to prevent replay protection with the parameter urn:microsoft:azure:mediaservices:maxuses as discussed at docs.microsoft.com/en-us/azure/media-services/previous/… - David Bristol
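
The token flow described in the comments above, as an added example that is not part of the original thread and not Microsoft's code: the site's server mints a short-lived HS256 JWT carrying the maxuses claim, and `check_token` mirrors the signature, issuer, audience and expiry checks a token-restricted key service performs. The function names, key, issuer and audience are constructed assumptions; real values must match the token restriction configured in Media Services.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim named in the comment above; limits how many times one token is honoured.
MAXUSES_CLAIM = "urn:microsoft:azure:mediaservices:maxuses"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key, issuer, audience, ttl_s=300, max_uses=1, now=None):
    """Server side only: the signing key must never be sent to the browser."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "nbf": now - 30,
              "exp": now + ttl_s, MAXUSES_CLAIM: max_uses}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def check_token(token, key, issuer, audience, now=None):
    """Verifier's view: signature first, then claims. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Authenticate the bytes before parsing any attacker-controlled JSON.
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(body_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("expired or not yet valid")
    return claims
```

The token is still delivered to the browser with the player, so anyone who loads the page can read it; the short lifetime and the maxuses claim are what bound its reuse elsewhere.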

1 Answer

2
votes

One simple solution would be to enable Azure CDN from Verizon Premium and then use the rules engine capabilities to create a rule that only allows access from your domain. Your second solution of using IP restrictions on the streaming endpoint would work as long as you aren't enabling Azure CDN for the streaming endpoint. If you aren't able to get this solution to work, I would recommend opening up a support case for further investigation.