Using Token Authorization

To enable Token Authorization protection for your player and content, do the following.

How to

  1. Create a configuration and a stream with Token Authorization enabled (see Create a configuration).
  2. Inform your Account Representative that you wish to activate Token Authorization protection for your network for the Adobe Flash Platform content. This ensures that the server side is correctly configured.
  3. Your Account Representative will provide you sample server-side scripts that you run to generate a token service. These scripts are available in all the common server-side languages (ASP, Perl, PHP, and Oracle® Java® languages). There will be a shared secret (and an optional salt) that both Media Services Live and your service code share.
  4. The service should apply whatever business logic your application needs to validate a specific user. For example, it could require a session cookie to be present in the request, which indicates that the user is authenticated in a portal or login gateway. It could also carry an explicit token that you hand to the player upon instantiation. You can filter by IP address if you want to authorize use solely within a company LAN.
  5. After the Web service is built, you must create an ActionScript class that calls it. This class must implement the ITokenService interface. This interface requires the class to offer up a requestTokenizedURL()method, which the HDNetStream class uses to request a tokenized URL and then two callback functions to call on both success and error.
  6. In your player, you set the requiresEdgeAuth property to true before calling play().
  7. In the player, you also instantiate an instance of this TokenService class and register it with the HDNetStream prior to the calling play(). This registration is done by setting the tokenService property to the token service instance you just created.
  8. The first time you call play() for an asset, the HDNetStream class generates the exact URL request and then calls the requestTokenizedURL() method on your token service. Your token service class calls your token service and receives a token. If it is successful, it calls back the callBackFunctionOnSuccess function that the HDNetStream defined. If it has a problem, then it calls back the callBackFunctionOnFailure function.
  9. Assuming success, the HDNetStream class hands the Token Authorization token to the Edge server. If that token is validated, playback continues indefinitely. If the token is rejected, the Edge server disconnects the delivery session immediately.
    Token Authorization has this construct because authorization tokens might be required at any time during playback, not only at the beginning. This is because the Edge server has a short timeout period of only 120 seconds. If you pause the player for more than 120 seconds, the HTTP connection times out. The HDNetStream detects this and makes a new play() request to continue playback. To do so, it needs to request fresh Token Authorization tokens from your service.