You can use Token Based Access Revocation BETA

Token Based Access Revocation ("access revocation") lets you generate a "blacklist" of specific Token Authentication tokens to block access requests that include them. This helps to prevent token sharing between end users.

How do I get access revocation?

  • You need to have it added to your contract. Work with your account representative ("rep") to ensure your contract includes the AdaptiveMediaDelivery::AccessRevocation_Trial product.
Note: You typically can't use access revocation if you have a custom Token Authentication scenario. A custom scenario is one that's set up by your account rep. It's outside of simply using the default scenarios you can define using settings in the Segmented Media Protection behavior. If you have a custom scenario, contact your account rep to see if you can use access revocation.

First, you need to create the tokens

Access revocation uses a specific value included in a token—its session_id. Use the process discussed in Generate the token and apply it to your content to define the token and extract its session_id value for use later in this process.

Next, you need to create a blacklist

You create a blacklist using the Access Revocation API. In this blacklist, you include "identifiers" that include the specific token to be revoked, as well as a time to live (TTL) for this revocation period. After this period tokens are "unrevoked" and can be used to access content. The API also lets you manage your identifiers as well as review your blacklists.

The process follows these basic steps:

Important: What's here is just a rough example of the API operations you need to use. See the Access Revocation API v1 documentation for specific details.
  1. Add a blacklist. You need the Akamai contract ID associated with your instances of access revocation. (Talk to your account rep.) And you need to define a name for the blacklist. Once you're done, review the response and make note of the name you set for the blacklist as well as the "id" that the API generates for it. (This is its "blacklistId.")
    POST /taas/v1/blacklist
    
    {
        "name": "Baseball-ws-2019",
        "contractId": "1-ABCDE"
    }    
  2. Revoke tokens. Include individual objects to house each identifier. An identifier consists of the session_id from a generated token to be revoked along with a TTL in seconds for the revocation.
    POST /taas/v1/blacklists/{blacklistId}/identifiers/add
    
    [
        {
            "id": "<session_id of a token to be blocked>",
            "durationSeconds": 18000
        },
        {
            "id": "<session_id of a token to be blocked>",
            "durationSeconds": 3600
        }
    ]
Note: A blacklist can contain a maximum of 25,000 identifier objects.

Finally, you need to enable the blacklist in Property Manager

You need to enable and configure the Token Authentication behavior as normal, but you need to ensure that you set the following, to enable access revocation and add your blacklist:

  • Enable Session-Id. Set Advanced Options to "On" and ensure that the Session-Id slider in the Field Carry-Over options is set to "Yes." This ensures that the session_id in the token in a request from an end user is reviewed against what you've set in your blacklist, to determine access.
  • Set Token Based Access Revocation options. Set these options as follows:
    • Set the Token Revocation slider to "On."
    • Select the Blacklist Name. Use this drop-down to select the blacklist you created using the API.