I have a Xamarin.Forms app that uses the Azure SDK, Easy Tables etc. for the bulk of its work. I also have a separate Azure Media Service which hosts and streams video to this app.
The video contains material that is organization-specific, and should not be accessible in any other way than through the app. There is no Azure AD or anything to rely on for authentication, it's as simple as "if client is the app, it can see the video."
What is the simplest way to lock this down in the way I described? Can I do it via the App Service or via Media Service settings somehow?
Take a look into https://learn.microsoft.com/en-us/azure/media-services/media-services-rest-configure-asset-delivery-policy. It describe how you can restrict delivery of asset.
Assume you have dynamically encrypted media asset served through your mobile app. In order to play your video, video player need to fetch content key. You can configure through code who will be able to get content key to decrypt content. Your app will issue JWT token with required set of claims and Azure media service wil validate this token and will return key for player.
Article http://gtrifonov.com/2015/01/03/jwt-token-authentication-in-azure-media-services-and-dynamic-encryption/ describe this flow in more details.
Related
I want to create a mobile app (xamarin form, c#) that access a cloud storage to store my files like .csv and images which are read only by users.
I could then update the data/files in the storage, and make it available to all users.
I don't want my users to authenticate by using their account.
I expect that the app know how to connect and access to my account (i.e. my dropbox account or gdrive account) in background. It will be seamless to the user.
In short, I would like make my dropbox or gdrive or other clouds files, able to be seen by all users via my app
I tried dropbox and gdrive, but it seems like they use Oauth which require users to login to their account, I don't want that.
Any recommendation or some insight for me?
Thanks a lot stackoverflow
If you want to store user information in the cloud service in any way, Google Drive may be the best choice.
The following address describes all the requirements for integrating the application with Google Drive
https://developers.google.com/drive/api
In Google Drive, you will receive an API key through which your application will upload and download files, and you do not need to create an account for the application's uses or personally authentication.
To use, it is enough to be able to call a rest API
and here it is the API reference:
https://developers.google.com/drive/api/v3/reference
I have an multi-tenant application deployed over windows azure.
Now I want to integrate windows azure media services but I am facing few problems on which I need experts suggestion.
I have already gone through many articles & done enough research but not able to find anything concrete solution.
I want to store all videos uploaded by different tenant (client) into separate folder / assets in windows azure media services.
I want to track storage space utilization of content uploaded by tenant (client) .
I want to track streaming usage counts by tenant (client).
This will help me to show statistics to tenant (client) & bill them accordingly.
Now I found https://azure.microsoft.com/en-us/documentation/articles/media-services-monitor-services-account/ but this is again incurring charges & too generic & I don't think that I can get data by tenant (client) wise.
Is there are any API available or provided by windows azure through which I can fulfill above?
What are the best practices to achieve the above?
Or
Only way to achieve the above is to maintain separate account for each individual tenant (client)?
Before designing multi tenant application using AMS please read about existing limitations for one ams account - https://azure.microsoft.com/en-us/documentation/articles/media-services-quotas-and-limitations/.
For multi tenant storage billing you can design your system to have one storage account per tenant.
Create one storage account per tenant
Enable storage analytics to get capacity metrics over billing period
https://msdn.microsoft.com/en-us/library/azure/hh360996.aspx
Associate storage account with azure media service account - See:
https://msdn.microsoft.com/en-us/library/azure/dn313102.aspx
https://msdn.microsoft.com/en-us/library/azure/dn306082.aspx.
When creating asset explicitly define in what storage account it should be located - https://msdn.microsoft.com/en-us/library/azure/hh974277.aspx#create_an_asset. See parameter StorageAccountName
It is more complicated with tracking streaming usage.There is no turn key solution to get streaming analytics through api. If your tenants using live channels, you have to keep track of their live channel usage yourself based on duration of live channel (See Live Channels section in https://azure.microsoft.com/en-us/pricing/details/media-services/).
To deliver on-demand and live video streams to customers you need to decide how you will allocate reserved units per tenants. Each reserved unit has fixed cost and reserved bandwidth. Without cdn integration you will be charged data transfer usage which is calculated per azure media service account. As of now there is no rest api to get data transfer usage for underlying streaming endpoints/channels.
If you will enabled CDN integration, then CDN pricing will be applied. By having dedicated streaming endpoint per tenant will give you ability to have statistics per endpoint. You will have ability to see usage per endpoint in azure portal but not through api.
To summarize above statements:
It is easy to track storage account usage per tenant through api
As of now there is no turn key rest apis to get streaming data usage breakdown per entities .
I'm trying to create an elearning system that has videos associated with lessons. When a user gets to a lesson a video needs to play. The videos should not play unless I authenticate that the user can play that video and can play it right now. I'm trying to accomplish this using the azure video player.
I can make this work with azure media services without encryption without issue.
However when I go to do the encryption, the samples are VERY week.
What I'm trying to do is encrypt the video so that it can play on all browsers and have everything that the azure video player needs.
Further, at the time that the user requests to play the video I want to use their authentication with our website to determine if the video should play, and then set the token on the media services.
I would have expected that media services would use oAuth 2 and I could point it at our endpoint with a specific claim required for the specific video the user requested and I would return an auth token or not. But it appears to work backwards from this.
So I've done the following:
Gone into the classic portal (because apparently this hasn't been updated to either use the new portal or the new way of doing storage...)
Created the Media Services account.
Gone to content protection as as best as I can figure from the videos enter Type token for both and json web token.
Under issuer for aes and playready I've put in the path to our oAuth provider, but I"m not at all sure what this should be and I can't find any documentation that explains what this should be.
Scope: Under ae, the samples have something similar to urn:Portal but under playready this has to be a full URI, which I can't figure out what's supposed to be there.
I created the verification keys for both types
I have no idea what to put in claims or how this is relevant.
License type = non-persistent
Passing Video Content to Unknown Outputs I have set to Allowed. I don't know what allowed with constriction does or how it should be setup.
Allow test devices is enabled for now.
Then in my encoding stuff I've put in the following after creating the asset from samples:
//Add encryption
var key = CreateEnvelopeTypeContentKey(context, finalAsset);
var tokenTemplateString = AddTokenRestrictedAuthorizationPolicy(context, key, audience, issuer);
CreateAssetDeliveryPolicy(context, finalAsset, key);
var tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);
var rawKey = EncryptionUtils.GetKeyIdAsGuid(key.Id);
string testToken = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenTemplate, null, rawKey);
But if I try and enable this stuff to get playready, wildvine AND BaselineHttp it all blows up and I cannot find examples of all 3 (which appear to be required for Chrome, Firefox and IE/Edge to work reliably) enabled and working in the code as you'd expect. (note the methods called above are directly from the samples)
Further I can't figure out how to use the verification keys from the portal in this code because I can't find any samples on this.
And presumably this sets up the asset to have it's own authentication. Although I can't tell. But what I want and need to do is have each asset be separately authentication by the asset and by the user and not have the bearer token be usable anywhere else.
At this point I'm completely lost, because the only code I can find to generate the JWT is the test stuff which obviously shouldn't be used in production.
What I'm looking for is code that doesn't use Azure AD and allows me to do my own, so that when a user wants to watch a video, they come to me, I say, yup, you're good, here's your token just for you and only you and no one else that is created just for you in C# in my web api that returns the token in the json response.
Then I want to set it in the security credentials (and put all of the permutations in!) so that it will just work on the browser in question (ie, edge, firefox, chrome, safari) and the player sends that along with the rest and the video just plays no matter what browser.
But since I can neither encrypt the video with the right keys, nor encrypt it for all permutations based on the samples nor find any example of creating the JTW properly based on the shared keys and whatever I need to store in my database based on the encryption process I'm stuck.
So is there a sample somewhere that takes you through this full process to make this work in any web browser when done and generate the encryption for all of them, and the token for the client on a per issue basis?
If not, can someone help answer these questions?
And if this is MS watching this, I'd suggest that you consider giving us the ability to have just the single url in the client, and pass our oAuth2 bearer token (not yours) and have you use that to single sign on with us, and demand a claim passing the asset id and getting a yea/nea to play the video with a timespan their authorized to play it on the specific client involved. If this is possible now, please provide a full sample or instructions on how this can be accomplished because it's very not clear at this point and everything is geared to AD which isn't useful and there are a ton of missing pieces.
Ultimately, I need to be able to live stream this content on the web and on mobile clients AND be able to download this content encrypted and play it on those same mobile clients offline but still encrypted and locked down. Those last pieces I don't have a clue how to do at this point and I can't find any documentation on either, but I'll ask that separately.
Thanks!
Bonus Reading
Resources found that are relevant but don't answer the question or only partially answer the question and break other parts:
Configure asset delivery policies with .NET SDK 🕗
Use AES-128 dynamic encryption and the key delivery service 🕗
Azure Media Player - Protected Content 🕗
Azure Media Player - Playback Technology ("Tech") 🕗
How to make Token authorized AES encrypted HLS stream working in Safari 🕗
Integrate Azure Media Services OWIN MVC based app with Azure Active Directory 🕗 (this one appears to be the closest but I've been unable to decouple it from Azure AD)
We don't have lot of samples to build customized Security Token Service (STS), because each business may have its own requirements and lots of customers are doing integration work (i.e. they already have a token issuer service).
As said, I am happy to help you to complete your workflow. You can email me at yanmf#microsoft.com and I could have a call to troubleshoot your workflow.
Cheers,
Mingfei Yan
I am developing an outlook plugin.I want use one drive API's in it.I easily got the client Id and client secret for using API's for one drive personal accounts.But, when I registered my application for one drive business API's in azure active directory, it created only a client Id for me, but didn't create any
client secret.I chose native app while registering, as my app is a native app.I can't authenticate the user without the client secret.Please let me know , how to get the client secret?Thanks in advance.
Create Application and click on keys. Add some description and expiry as required and Click Save. Key will be auto generated. Make sure you copy and save the Key else it will be hidden.
Native clients don't have any secrets associated to them - given that they are meant to run on devices, it is assumed that they would not be able to protect a secret. Native clients use the clientID for indicating the client app, but the authentication is always done by involving a user identity in the process. If you pick any of the native client samples in http://github.com/azureadsamples you will see how the clientid is enough to trigger user auth.
Once you move off the page after saving your information, you cannot get the client secret from the Azure website. You need to create a new secret and when you click save, immediately go and copy the secret and store it securely. This is the only time it is available from the Azure website.
I have tried to play encrypted video using token, video media source is Azure media cloud server, it works fine.
I have got solution to play encrypted video How to prevent play video using file path of window azure media server without login?
But further How to prevent access as saved content as HTML format offline because it has Authentication Token as well as Encrypted Smooth url?
There are few solutions(or combination) you can use utilizing token authentication capabilities in Azure Media services.
Integrating with Identity provider:
- You can integrate your video web app to use sign in JWT token obtained from one of identity providers. See example how to integrate with Azure active directory . You can restrict access to video only to users having specific group claims. In these set of scenarios you rely on token claims obtained from identity provider.Relying on identity provider gives you simplicity of not composing jwt and utilize predefined/configurable set of claims such as user group membership, geographic location and etc. Your video hosted in Azure Media Service will be playable until token will expire.
Generating and signing token within your app.
- If you generating tokens within your web app you can define token expiration to be comparable to video playback time length. You can have client side JavaScript event initiating a request to receive a jwt token from server before user clicks on playback. Once Jwt token received you can update your video player parameters with token .You have more flexibility in selecting set of jwt claims if your web application generates jwt token. For example you can generate authentication policies only for specific logged in user . In this scenarios saving html will not expose a token since it is obtained dynamically based on user actions.