
Stream authorized video from azure media service with duende identity server

I have the following constellation:

  • Client: Angular + ngx videogular (I can switch to azure media player)
  • Server: .Net 6 + duende Identity Server for user authentication and authorization (Identity server 4)

Client app and the server are published in azure as static and service app.

The goal is to stream large videos (videos on demand) with azure media service to certain authenticated and authorized users.

Example: User 1 can watch video A and B. User 2 can only watch video A.

I have set up media service v3 as described in the Microsoft pages and I was able to stream assets from azure media service (e.g. as HLS source):

Client:

        <video #videoElement #vgHls="vgHls" [vgHls]="hlsSource" [vgMedia]="$any(media)" #media [id]="videoId"
            type="video/mp4" [autoplay]="false" preload="auto" crossorigin>
        </video>

Server:

                    var configWrapper = new ConfigWrapper(configuration);
                    ServiceClientCredentials credentials;
                    credentials = await GetCredentialsInteractiveAuthAsync(configWrapper);
                    
                    var client = new AzureMediaServicesClient(configWrapper.ArmEndpoint, credentials)
                    {
                        SubscriptionId = configWrapper.SubscriptionId,
                    };
                    var asset = await client.Assets.GetAsync(configWrapper.ResourceGroup, configWrapper.AccountName, "assetName");
                    var streamingLocators = await client.Assets.ListStreamingLocatorsAsync(configWrapper.ResourceGroup, configWrapper.AccountName, "assetName");
                    var locator = streamingLocators.StreamingLocators.FirstOrDefault();
                    IList<string> urls = await GetStreamingUrlsAsync(client, configWrapper.ResourceGroup, configWrapper.AccountName, locator.Name);
                    // return hlsUrl... It works for all users? (not only for authorized user?)

Now I don't want to enter the hls or dash sources in the client video player, but control the access rights in my api server.

How can I create an "hls source" for an azure asset in rest api only for an authenticated and authorized user?

How can I secure the videos/assets with tokens only for authorized users?

In your example code above, you are getting a "clear" unprotected, un-encrypted streaming locator from the AMS backend.

The credentials object you used above in your code - through interactive auth - is just the Azure credential assigned as Owner or Contributor role on the actual Media Services account for management operations (CRUD on entities, etc.) and has nothing to do with the streaming locator encryption, keys, or claims that allow the key delivery service to provide the decryption key to the client. You only use the ServiceClientCredentials to "manage" and create things in the AMS account. It does not have anything to do with streaming auth.

For authentication and key delivery services, you should familiarize yourself with the concepts under Content Protection:

Overview of content protection: https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-protection-concept

Overview of using streaming policies: https://learn.microsoft.com/en-us/azure/media-services/latest/stream-streaming-policy-concept

There is a tutorial that walks through using Content protection with AAD as the backend: https://learn.microsoft.com/en-us/azure/media-services/latest/architecture-azure-ad-content-protection

Some TypeScript samples showing how to create a Streaming Locator with a content key policy configured with custom "Claims" in a ContentKeyPolicyTokenClaim.

You would need to design and build your own secure token service that authenticated your users and passed them the appropriate JWT token with claims that worked with the specific Streaming Locator and ContentKeyPolicy (with claims) that you configured on the backend of AMS. It's all a bit tricky to grasp, but if you look at some of the tutorials above and walk through them slowly the concepts come together. The key part is the JWT token and Claims that you assign to be used.
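
The flow described in the answer, sketched as an added example (not code from the original post or from Azure Media Services): an API-side token service checks the user's entitlement and issues a short-lived HS256 JWT carrying the content key identifier claim, and a second function mirrors the checks a token-restricted ContentKeyPolicy is expected to apply. The user/video table, issuer, audience, signing key and key IDs are constructed placeholders, and the claim URN is assumed to be the AMS content key identifier claim type.

```javascript
const crypto = require("node:crypto");

// Assumed claim type that key delivery matches against the locator's content key ID.
const KEY_ID_CLAIM = "urn:microsoft:azure:mediaservices:contentkeyidentifier";

// Constructed sample data: who may watch what, and each locator's content key ID.
const ENTITLEMENTS = new Map([["user1", ["videoA", "videoB"]], ["user2", ["videoA"]]]);
const CONTENT_KEY_IDS = new Map([
  ["videoA", "11111111-1111-1111-1111-111111111111"],
  ["videoB", "22222222-2222-2222-2222-222222222222"],
]);
// Placeholders; they must equal the issuer, audience and verification key
// configured in the token restriction of the content key policy.
const POLICY = {
  issuer: "https://sts.example.test",
  audience: "urn:example:video",
  key: Buffer.from("constructed-demo-key-not-a-real-secret-000"),
};

const b64url = (v) => Buffer.from(v).toString("base64url");
const sign = (data, key) =>
  crypto.createHmac("sha256", key).update(data).digest("base64url");

// Returns a JWT for key delivery, or null when the user may not watch the video.
function issuePlaybackToken(userId, videoId, now = Date.now(), ttlSec = 300) {
  const allowed = ENTITLEMENTS.get(userId) || [];
  const keyId = CONTENT_KEY_IDS.get(videoId);
  if (!allowed.includes(videoId) || !keyId) return null;
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    iss: POLICY.issuer, aud: POLICY.audience,
    nbf: iat, exp: iat + ttlSec, [KEY_ID_CLAIM]: keyId,
  }));
  return `${header}.${payload}.${sign(`${header}.${payload}`, POLICY.key)}`;
}

// Mirrors the restriction checks: signature, issuer, audience, validity window, claim.
function verifyPlaybackToken(token, expectedKeyId, now = Date.now()) {
  const [header, payload, sig] = String(token).split(".");
  if (!header || !payload || !sig) return false;
  const expected = Buffer.from(sign(`${header}.${payload}`, POLICY.key));
  const given = Buffer.from(sig);
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  const c = JSON.parse(Buffer.from(payload, "base64url").toString());
  const t = Math.floor(now / 1000);
  return c.iss === POLICY.issuer && c.aud === POLICY.audience &&
    c.nbf <= t && t < c.exp && c[KEY_ID_CLAIM] === expectedKeyId;
}
```

Because the key ID claim binds each token to one locator's content key, a token issued for video A does not release the key for video B, which is what gives per-user, per-video control.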
