I want to upload a photo from an HTML form post to an Azure Mobile Service written in C#. The issue is that I need to check a security token as well. All of the sample code that I have seen involves uploading to Blob Storage, but I don't want to do that - I need to process the image.
Ideally, I would have a method signature something like this:
void PostMyPicture(string token, byte[] image)
but that method doesn't get dispatched to. I confirmed with Fiddler that the post is happening correctly.
You should use Blob storage because images use a lot of traffic and Azure Mobile Services as a limit of size in the requests. I think will be hard to find sample using AMS that do what you want, but maybe you use a solution for WebAPI that works in AMS.
Related
Is there a alternative for the Microsoft Azure C# API. I want to download files from blob urls but a microsoft azure storage account is not for free, so I cannot use it. So is there any other API or way to download blobs?
Example for Blob-Url: blob:https://flex.aniflex.org/afbf9776-76ea-47dc-9951-2fadafc3adff
Caution: I'm not the hoster of the file. So I don't want to download the file from my own storage account.
#kaskorian I guess you're referring to browsers file blobs...Blob URL/Object URL is a pseudo protocol to allow Blob and File objects to be used as URL source for things like images, download links for binary data and so forth.
Blob URLs can only be generated internally by the browser. URL.createObjectURL() will create a special reference to the Blob or File object which later can be released using URL.revokeObjectURL(). These URLs can only be used locally in the single instance of the browser and in the same session (ie. the life of the page/document).
For example, you can not hand an Image object raw byte-data as it would not know what to do with it. It requires for example images (which are binary data) to be loaded via URLs. This applies to anything that require an URL as source. Instead of uploading the binary data, then serve it back via an URL it is better to use an extra local step to be able to access the data directly without going via a server.
I have a Xamarin.Forms app that uses the Azure SDK, Easy Tables etc. for the bulk of its work. I also have a separate Azure Media Service which hosts and streams video to this app.
The video contains material that is organization-specific, and should not be accessible in any other way than through the app. There is no Azure AD or anything to rely on for authentication, it's as simple as "if client is the app, it can see the video."
What is the simplest way to lock this down in the way I described? Can I do it via the App Service or via Media Service settings somehow?
Take a look into https://learn.microsoft.com/en-us/azure/media-services/media-services-rest-configure-asset-delivery-policy. It describe how you can restrict delivery of asset.
Assume you have dynamically encrypted media asset served through your mobile app. In order to play your video, video player need to fetch content key. You can configure through code who will be able to get content key to decrypt content. Your app will issue JWT token with required set of claims and Azure media service wil validate this token and will return key for player.
Article http://gtrifonov.com/2015/01/03/jwt-token-authentication-in-azure-media-services-and-dynamic-encryption/ describe this flow in more details.
I'm trying to create an elearning system that has videos associated with lessons. When a user gets to a lesson a video needs to play. The videos should not play unless I authenticate that the user can play that video and can play it right now. I'm trying to accomplish this using the azure video player.
I can make this work with azure media services without encryption without issue.
However when I go to do the encryption, the samples are VERY week.
What I'm trying to do is encrypt the video so that it can play on all browsers and have everything that the azure video player needs.
Further, at the time that the user requests to play the video I want to use their authentication with our website to determine if the video should play, and then set the token on the media services.
I would have expected that media services would use oAuth 2 and I could point it at our endpoint with a specific claim required for the specific video the user requested and I would return an auth token or not. But it appears to work backwards from this.
So I've done the following:
Gone into the classic portal (because apparently this hasn't been updated to either use the new portal or the new way of doing storage...)
Created the Media Services account.
Gone to content protection as as best as I can figure from the videos enter Type token for both and json web token.
Under issuer for aes and playready I've put in the path to our oAuth provider, but I"m not at all sure what this should be and I can't find any documentation that explains what this should be.
Scope: Under ae, the samples have something similar to urn:Portal but under playready this has to be a full URI, which I can't figure out what's supposed to be there.
I created the verification keys for both types
I have no idea what to put in claims or how this is relevant.
License type = non-persistent
Passing Video Content to Unknown Outputs I have set to Allowed. I don't know what allowed with constriction does or how it should be setup.
Allow test devices is enabled for now.
Then in my encoding stuff I've put in the following after creating the asset from samples:
//Add encryption
var key = CreateEnvelopeTypeContentKey(context, finalAsset);
var tokenTemplateString = AddTokenRestrictedAuthorizationPolicy(context, key, audience, issuer);
CreateAssetDeliveryPolicy(context, finalAsset, key);
var tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);
var rawKey = EncryptionUtils.GetKeyIdAsGuid(key.Id);
string testToken = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenTemplate, null, rawKey);
But if I try and enable this stuff to get playready, wildvine AND BaselineHttp it all blows up and I cannot find examples of all 3 (which appear to be required for Chrome, Firefox and IE/Edge to work reliably) enabled and working in the code as you'd expect. (note the methods called above are directly from the samples)
Further I can't figure out how to use the verification keys from the portal in this code because I can't find any samples on this.
And presumably this sets up the asset to have it's own authentication. Although I can't tell. But what I want and need to do is have each asset be separately authentication by the asset and by the user and not have the bearer token be usable anywhere else.
At this point I'm completely lost, because the only code I can find to generate the JWT is the test stuff which obviously shouldn't be used in production.
What I'm looking for is code that doesn't use Azure AD and allows me to do my own, so that when a user wants to watch a video, they come to me, I say, yup, you're good, here's your token just for you and only you and no one else that is created just for you in C# in my web api that returns the token in the json response.
Then I want to set it in the security credentials (and put all of the permutations in!) so that it will just work on the browser in question (ie, edge, firefox, chrome, safari) and the player sends that along with the rest and the video just plays no matter what browser.
But since I can neither encrypt the video with the right keys, nor encrypt it for all permutations based on the samples nor find any example of creating the JTW properly based on the shared keys and whatever I need to store in my database based on the encryption process I'm stuck.
So is there a sample somewhere that takes you through this full process to make this work in any web browser when done and generate the encryption for all of them, and the token for the client on a per issue basis?
If not, can someone help answer these questions?
And if this is MS watching this, I'd suggest that you consider giving us the ability to have just the single url in the client, and pass our oAuth2 bearer token (not yours) and have you use that to single sign on with us, and demand a claim passing the asset id and getting a yea/nea to play the video with a timespan their authorized to play it on the specific client involved. If this is possible now, please provide a full sample or instructions on how this can be accomplished because it's very not clear at this point and everything is geared to AD which isn't useful and there are a ton of missing pieces.
Ultimately, I need to be able to live stream this content on the web and on mobile clients AND be able to download this content encrypted and play it on those same mobile clients offline but still encrypted and locked down. Those last pieces I don't have a clue how to do at this point and I can't find any documentation on either, but I'll ask that separately.
Thanks!
Bonus Reading
Resources found that are relevant but don't answer the question or only partially answer the question and break other parts:
Configure asset delivery policies with .NET SDK 🕗
Use AES-128 dynamic encryption and the key delivery service 🕗
Azure Media Player - Protected Content 🕗
Azure Media Player - Playback Technology ("Tech") 🕗
How to make Token authorized AES encrypted HLS stream working in Safari 🕗
Integrate Azure Media Services OWIN MVC based app with Azure Active Directory 🕗 (this one appears to be the closest but I've been unable to decouple it from Azure AD)
We don't have lot of samples to build customized Security Token Service (STS), because each business may have its own requirements and lots of customers are doing integration work (i.e. they already have a token issuer service).
As said, I am happy to help you to complete your workflow. You can email me at yanmf#microsoft.com and I could have a call to troubleshoot your workflow.
Cheers,
Mingfei Yan
Im trying to figure out how to retrieve images from a web service that is connected to azure thats has the images stored as blob.. i just want to be pointed in the right direction, sure if some one have a code example that will be really helpful aswell!
I have not tried any code yet just used google, youtube to find a good example... but no luck.. :/
I can store the images in a folder with the web service if that is easier?
Blobs are accessible using standard URLs. You may need a Shared Access Signature to access the file on a private blob.
I can point you in this direction:
https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-how-to-use-blobs/
https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/
Your service should do this (if I understand your need):
Create an output stream
Create in an input stream to a blob object and accessed using a SAS
Connect output stream with input stream
There are plenty of examples around for doing this...
I have an image upload application (C# desktop) for end users and I want to switch to the cloud(storage)(the VPS is to expensive and unlimited hosting providers don't allow image hosting scripts).
In order to do that I need to embed the login credentials inside my application (delivered to the end users) and maybe update them according to changes. So it's not a solution to me because of security reasons (cracking and upload things that aren't images).
One solution would be to host a PHP script so that my application uploads to that script (check if it's a image) and than to re-upload that image to the cloud storage. The problem is, I use the double bandwidth.
Is there any cloud hosting model that enables me that (without paying the double bandwidth or additional fees for running the PHP application or other thenology) or how to "hide" the creditals?
I have about 5000 uniqe visitors a day with about 70 users online in each moment (google analytics). I am offering a free service in a free app without adds so i have no earnings and i would really try to keep it like that with minimal hosting costs :(
Try out Google App Engine and Blobstore. It's relatively easy to use (sorry, no PHP support tho!) and is free up to a specified limit, so you can develop without having to spend.
https://developers.google.com/appengine/docs/python/blobstore/overview
How it works:
Your C# app GETs to a short Python script that simply returns a URL
that contains a random key (that Google gives your Python script)
Your C# app POSTs to that URL using an appropriate mime type.
Your C# app will be redirected to a final URL once the upload
completes. That URL will again be a Python script, which will
then record the uploaded URL (and any metadata) to prevent it from becoming orphaned.
Another advantage of using Google App Engine is that they offer image transforms (crop, scale) that will be handled on their end -- allowing you to ask for thumbnails, for example, without having to download the full sized image first.
For step 3, you could record the URL (really just the blobstore entry ID) to your main application. The point is: you don't want to lose that random key because that's the only way of retrieving the image file.