Generate License Acquisition URL
Last update:2024-01-02 10:46:35
Content
- Overview
- Step 1: Obtain an access token that allows calls to the Irdeto API
- Step 2: Create a session signing key to sign your license acquisition URL token
- Step 3: Create a session token using JSON Web Tokens (JWT)
- Step 4: Include the session token and content ID in license acquisition URL
- Test playback with encryption
Overview
When initiating the playback of a video protected by Digital Rights Management (DRM), the client is first required to obtain a DRM license. This license outlines the limitations on content playback, which can include an expiration date, regional restrictions, or device-specific constraints like High-bandwidth Digital Content Protection (HDCP).
Before you can use DRM, you first need to generate a license acquisition URL where users can obtain the license.
Here are the steps to generate a license acquisition URL:
- Obtain an access token that allows calls to the Irdeto API.
- Use the access token to create a session signing key for signing the session token.
- Create a session token using JSON Web Tokens (JWT).
- Add the session token and content ID as URL parameters to create the license acquisition URL.
Step 1: Obtain an access token that allows calls to the Irdeto API
The access token allows you to access Irdeto API and register your own signing key, which will be utilized to generate your license acquisition URL token in the following steps.
The access token permits access to the Irdeto API and allows you to register your own signing key, which you will use to generate your license acquisition URL token in the following steps.
Request Example
curl -X GET 'http://ca.haplat.net/wslive/drm/getToken.action?n={{portalId}}&r={{random}}&k={{auto_token}}' '
Ensure you provide the required Headers and Parameters for this call:
| Parameter/Header | Required | Description |
|---|---|---|
| n | Yes | Your account name. |
| r | Yes | A unique random string no longer than 13 characters. We recommend using a timestamp. |
| k | Yes | The MD5 authentication value. To obtain the value of k, append the apikey string to the end of the r string, then perform an MD5 calculation on the resulting string (k = md5(r + apikey)). For example, 1. Request and get apikey=012f37a3f2952 2. Randomly generate string r=1409284800 3. Append the apikey to the end of ‘r’, producing the string '1409284800012f37a3f2952’ 4. Calculate the MD5 hash of the new string to obtain the value of ‘k’, which is ‘b9fed80be752551834eec3e52fa94115’ |
Note: To use this API, you must first contact customer service to enable it and provide you with your
apikey.
Once your request is successfully processed by the API, it will deliver a response containing the necessary details. The response body may encompass numerous fields, one of which is the accessToken. This access token will be essential for proceeding with the subsequent steps.
{
"msg": {
"accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJEUkROVEl3TTBSRU1USXlPVVZCTURKRU56RkNNamRFUVVRM1JFUXlSRFE1T1VRMU1ESXlNUSJ9.eyJodHRwOi8vaXJkZXRvLmNvbS9yb2xlcyI6W3sic2VydmljZSI6IlJpZ2h0c05HIiwiYWNjb",
"expiresIn": 36000,
"tokenType": "Bearer"
},
"code": 200,
"callTime": "2023-04-20 15:42:53"
}
Please ensure that you store this token securely as it grants access to generate you license acquisition URL.
Step 2: Create a session signing key to sign your license acquisition URL token
A typical license acquisition URL might look like this:
https://wangsuusa.live.ott.irdeto.com/licenseServer/widevine/v1/wangsuusa/license?ls_session=eyJhbGciOiJIUzI1NiIs****&contentId=eae3246f8bb4dba67b6328e2b9656a5b
This URL includes a ls_session parameter, which signifies the session token. This token validates the client’s authorization to request the license. The session token is produced in a signed JWT format that necessitates a session signing key. Therefore, in order to generate the session token, you must first create the session signing key and register it with Irdeto Control.
Below is an example of generating a session signing key and registering it in Irdeto Control:
curl -X PUT \
'https://wangsuusa.live.ott.irdeto.com/ls/v1.1/wangsuusa/sessionSigningKeys/{sessionSigningKeyId}' \
-H 'Authorization: Bearer {access_token}' \
-H 'Content-Type: application/json' \
-d '{
"id": "testkey0412",
"displayName": "Example Session Signing Key",
"keyType": "sha256",
"keyData": "W1HCQPNg7PXlo4WZsGM5h5oZ3M2CaAkUMZ6AEzdLeaY=",
"validityStart": "2023-03-01T00:00:00.000Z",
"validityEnd": "2024-03-01T00:00:00.000Z"
}'
To submit a specific request, you will typically need to incorporate the fields and parameters listed below:
| Name | Type | Required | Description |
|---|---|---|---|
| sessionSigningKeyId | String(path) | Yes | ID of the session signing key, with the string length not exceeding 255 characters.Important: We strongly recommend using your CDNetworks account as the sessionSigningKeyId to prevent any ID conflicts or failures. |
| Authorization | Bearer Authentication (header) | Yes | The access token obtained in step1. |
| Content-Type | String (header) | Yes | application/json |
Additionally, ensure to incorporate the pertinent fields in the request body:
| Name | Type | Required | Description |
|---|---|---|---|
| id | string (255) | Yes | The unique identifier of the session signing key. Please note that the id should be identical to the sessionSigningKeyId in request path. |
| displayName | string (255) | No | Display name of the key. If not specified, the key will be displayed as “default”. |
| keyType | string | Yes | Support below key types:- sha256: HS256 algorithm- rsa2048: RSA-2048 public key- rsa4096: RSA-4096 public key |
| keyData | string | Yes | The key data.- keyType sha256: a 32-byte key that is base64-encoded to sign the session tokens using the HS256 algorithm.- keyType rsa2048 and rsa4096: the key to to sign the session tokens with RS256 or RS512 algorithm. |
| validityStart | datetime(ISO8601) | Yes | The timestamp indicating when the key becomes valid. For example: 2023-01-01T00:00:00Z |
| validityEnd | datetime(ISO8601) | Yes | The timestamp indicating when the key is no longer valid.For example: 2023-12-31T23:59:59Z |
Once your request is successfully processed, your session signing key will be acknowledged and registered in Irdeto Control. This key will be used for signing and verifying your session token.
Step 3: Create a session token using JSON Web Tokens (JWT)
As mentioned in step 2, in order to authenticate the identity,
As outlined in step 2, a Session Token must be included in the license acquisition URL to authenticate the identity. The license is provided to clients that successfully authenticate, whereas mismatched session tokens will inhibit access to licenses.
In Irdeto Control, session tokens are recognized as signed JWTs (RFC 7519), comprised of three elements: the header, the payload, and the signature.
- Header:
–alg: Specifies the algorithm used for signing.
–typ: Defines the token type, which should consistently be set to the value ofJWT.
–kid: The ID of the session signing key generated in step 2. - Payload:
–jti: A unique JWT ID used to identify the session token and prevent collisions with other tokens.
–sub: Represents the user ID, which should always be set to_authenticated.
–aid: Indicates the account ID, which should consistently be set towangsuusa.
–iss: The issuer, which should always be set toIrdetoControlHandsOn.
–ent: An array of user entitlements, incorporating theepidentitlement policy ID and your CDNetworks account namebid. - Signature: This is a string produced by a cryptographic algorithm to verify the integrity of the JSON payload. It is calculated as follows:
base64UrlEncode(HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your signing key))
Understanding the Entitlement Policy
An Entitlement Policy outlines the specific terms and conditions that define how and when access to particular content is granted. For instance, it may specify:
– The validity terms and geographical restrictions of an entitlement.
– The security prerequisites that a consumer’s device or player application needs to meet.
– The maximum number of concurrent streams allowed for a single consumer.
.jpg)
Below is an example value of session token:
Header
{
"alg": "HS256",
"typ": "JWT",
"kid": "testkey0412"
}
Payload
{
"jti": "VbY_HmmLmyut8geag52f11KiCnZ8ZzFcYtiB3H3jIbw=",
"sub": "_authenticated",
"aid": "wangsuusa",
"ent": [
{
"epid": "anonymous-entitlement-policy",
"bid": "linxf"
}
],
"iat": 1681296770,
"exp": 1682851970,
"iss": "IrdetoControlHandsOn"
}
There are many online JWT generators that facilitate the creation of JWT tokens with ease. The following screenshot shows the process of generating a session token using the online tool found at jwt.io.
To effectively utilize this tool, please ensure to:
- Choose the preferred signing algorithm.
- Input the Header and Payload in JSON format.
- Insert your session signing key in the specified field and check the
secret base64 encodedbox.
Once you’ve input both the header and payload on the right side, the resulting JWT token will be generated and displayed for you in the left box:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3RrZXkwNDEyIn0.eyJqdGkiOiJWYllfSG1tTG15dXQ4Z2VhZzUyZjExS2lDblo4WnpGY1l0aUIzSDNqSWJ3PSIsInN1YiI6Il9hdXRoZW50aWNhdGVkIiwiYWlkIjoid2FuZ3N1dXNhIiwiZW50IjpbeyJlcGlkIjoiYW5vbnltb3VzLWVudGl0bGVtZW50LXBvbGljeSIsImJpZCI6ImxpbnhmIn1dLCJpYXQiOjE2ODEyOTY3NzAsImV4cCI6MTY4Mjg1MTk3MCwiaXNzIjoiSXJkZXRvQ29udHJvbEhhbmRzT24ifQ.aXg6alLfnl7gm3ye3XBQTPQl5M0Mc4IsID_IIkyYGhg
Step 4: Include the session token and content ID in license acquisition URL
Having generated the session token in previous steps, the final task is to formulate the license acquisition URL. The structure of this URL is dictated by the DRM system in use. Below are the standard URLs for PlayReady, FairPlay Streaming, and Widevine:
URL
The format of the license acquisition URL varies based on the DRM system:
- PlayReady:
https://wangsuusa.live.ott.irdeto.com/licenseServer/playReady/v1/wangsuusa/license - FairPlay Streaming:
skd://wangsuusa.live.ott.irdeto.com/licenseServer/fairPlayStreaming/v1/wangsuusa/license - Widevine:
https://wangsuusa.live.ott.irdeto.com/licenseServer/widevine/v1/wangsuusa/license
contentId
The contentId parameter symbolizes your content ID, which is computed by deriving the MD5 value of your domain, application name, and stream name. For example, if your stream is situated at https://drmtest-pull.cdnetworks.com/live/drmtest.mpd, the corresponding content ID would be:
MD5(drmtest-pull.cdnetworks.com/live/drmtest)=d8c1d35c93df672a61c735487a145064
ls_session
The ls_session parameter signifies your session token from Step 3. Upon obtaining the URL, contentId, and ls_session, you can combine them to construct the license acquisition URL.
Here’s an example of the license acquisition URL for Widevine:
https://wangsuusa.live.ott.irdeto.com/licenseServer/widevine/v1/wangsuusa/license?contentId=d8c1d35c93df672a61c735487a145064?ls_session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3RrZXkwNDEyIn0.eyJqdGkiOiJWYllfSG1tTG15dXQ4Z2VhZzUyZjExS2lDblo4WnpGY1l0aUIzSDNqSWJ3PSIsInN1YiI6Il9hdXRoZW50aWNhdGVkIiwiYWlkIjoid2FuZ3N1dXNhIiwiZW50IjpbeyJlcGlkIjoiYW5vbnltb3VzLWVudGl0bGVtZW50LXBvbGljeSIsImJpZCI6ImxpbnhmIn1dLCJpYXQiOjE2ODEyOTY3NzAsImV4cCI6MTY4Mjg1MTk3MCwiaXNzIjoiSXJkZXRvQ29udHJvbEhhbmRzT24ifQ.aXg6alLfnl7gm3ye3XBQTPQl5M0Mc4IsID_IIkyYGhg
Test playback with encryption
Widevine & PlayReady playback test
To verify the playback of Widevine and PlayReady, you will require a test player, an MPEG-DASH playback URL, and a license acquisition URL. In this instance, we will be utilizing the Bitmovin demo player for testing purposes.
Throughout the playback process, a license request is automatically initiated once the encrypted content is loaded into the player. The playback will only commence after the player has successfully procured the necessary license.
For optimal results, we highly recommend testing Widevine on Google Chrome and PlayReady on Microsoft Edge.