How to protect a Wowza CDN stream target with token authorization

Stream targets prepared by the Wowza Streaming Cloud™ service can be secured with token authorization. Token authorization protects streams by ensuring that they are accessed only by viewers who have the token. You can use token authorization to make the stream playback URL unavailable after a certain length of time, to limit access to approved IP addresses, or to apply other restrictions. It prevents playback URLs from being shared through unauthorized links or player hijacking attacks.

Token authorization is disabled by default. To use it, enable it, test it, and then generate your own query parameters to secure the stream as you choose.

Contents


About token authorization
Enable token authorization
Test the authorization
Generate query parameters

About token authorization


Token-based authorization uses a multipart token that consists of a delimited list of string fields. One field is an HMAC, or keyed-hash message authentication code. HMAC is a common mechanism for message authentication that uses cryptographic hash functions. The HMAC portion of the token is computed with a trusted shared secret that you create in Wowza Streaming Cloud. It is short-lived and secures initial access to the stream.

The second part of the token, a cookie, is valid for the duration of the stream and protects segments that are delivered throughout playback. It restricts access to the stream according to query parameters that you specify. For example, you can expire the stream after a certain length of time or only allow whitelisted IP addresses to access it.

You append the token to the stream target's playback URL, and then Wowza Streaming Cloud only lets viewers receive the content after it verifies the presence and validity of the token.

Token authorization is managed by the browser. No configuration is required for the player. However, token authorization requires that the viewer's browser supports cookies.

Notes:
  • Token authorization only works in Safari if the security preference Accept Cookies is set to Always. Otherwise, the protected stream can't be played.
     
  • Token authorization works with third-party players. It doesn't work with a player created in the Wowza Streaming Cloud live stream workflow and embedded in a hosted or third-party webpage.

Enable token authorization


To enable token authorization, start by creating a trusted shared secret, sometimes called a secret key or a password, in Wowza Streaming Cloud.

  1. Click Advanced on the menu bar, and then click Stream Targets.
     
  2. In the Stream Targets panel, select the Wowza CDN target that you want to secure.
     
  3. Click the Authorization tab of the target's detail page and then click Edit.
     
  4. Select Enabled.
     
  5. Enter a Trusted Shared Secret or click Generate Random Password.
    Trusted shared secrets must contain only hexadecimal characters (the digits 0 through 9 and/or the letters a through f). The length of the secret must be an even number of characters between 2 and 32.
     
  6. Click Save.

Wowza Streaming Cloud processes the setup request. When enabling or disabling token authorization, it may take a few minutes for the change to take effect even after Wowza Streaming Cloud indicates that authorization is successful.

When token authorization is enabled, you can view the trusted shared secret on the Authorization tab of the target detail page by clicking the show (eyeball) icon.

Test the authorization


After authorization is enabled, generate sample query parameters to complete and test the token. The sample parameters in Wowza Streaming Cloud allow access to the protected stream for 10 minutes. During that period, start the stream and access it by appending the sample parameters to the stream's playback URLs.

After the stream starts, the token allows access to the playback URLs for 24 hours. However, changing the trusted shared secret invalidates the token.

  1. On the Authorization tab of the stream target detail page, click Generate Query Parameters.
     
  2. Append the sample query string to the stream target's playback URLs, which you can find on the Setup tab of the stream target detail page.
     
  3. Within 10 minutes, start the stream or transcoder and access the playback URLs.

Example Apple HLS playback URL with token authorization

http://[wowza_streaming_cloud_domain].akamaihd.net/i/[streamname_angle]@[stream_id]/master.m3u8?hdnts=exp=1461972009~acl=/*~hmac=de43455a65009cbb538495e5bc70c9565a3c559406c0c7bc2a1cfeaff9344706

Example Adobe HDS playback URL with token authorization

http://[wowza_streaming_cloud_domain].akamaihd.net/z/[streamname_angle]@[stream_id]/manifest.f4m?hdnts=exp=1461972009~acl=/*~hmac=de43455a65009cbb538495e5bc70c9565a3c559406c0c7bc2a1cfeaff9344706

Generate query parameters


When authorization is configured and working, generate your own query parameters for your stream.

We've provided a .zip file of code samples, with queries written in Java, Perl, PHP, Ruby, and other languages. You can use these samples to generate your own tokens for playback, or write your own query parameters. Download query code samples.
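A sketch of building and checking a token in the `exp=...~acl=...~hmac=...` shape shown in the example playback URLs; it is an added example, not Wowza's sample code. It assumes the HMAC is HMAC-SHA256 (which matches the 64 hex characters in the example) over the `~`-joined fields that precede `hmac`, keyed with the hex-decoded trusted shared secret, and that an IP restriction is carried as an `ip=` field; the function names and the secret are constructed.

```python
import hashlib
import hmac
import re
from typing import Optional

SAMPLE_SECRET = "0123456789abcdef0123456789abcdef"  # constructed, not a real secret


def check_secret(secret: str) -> bytes:
    """Enforce the stated rule: hex characters only, even length, 2 to 32 long."""
    if not re.fullmatch(r"[0-9a-fA-F]+", secret) or len(secret) % 2 or not 2 <= len(secret) <= 32:
        raise ValueError("secret must be 2-32 hexadecimal characters, even length")
    return bytes.fromhex(secret)


def _mac(secret: str, signed: str) -> str:
    # Assumption: HMAC-SHA256 keyed with the hex-decoded secret.
    return hmac.new(check_secret(secret), signed.encode(), hashlib.sha256).hexdigest()


def build_token(secret: str, exp: int, acl: str = "/*", ip: Optional[str] = None) -> str:
    """Return the value to place after 'hdnts=' in the playback URL."""
    fields = ([f"ip={ip}"] if ip else []) + [f"exp={exp}", f"acl={acl}"]
    signed = "~".join(fields)
    return f"{signed}~hmac={_mac(secret, signed)}"


def verify_token(secret: str, token: str, now: int, client_ip: Optional[str] = None) -> bool:
    """Recompute the HMAC, then apply the expiry and IP restrictions."""
    signed, sep, mac = token.rpartition("~hmac=")
    if not sep:
        return False
    # Constant-time comparison, so a mismatch does not leak how many characters matched.
    if not hmac.compare_digest(_mac(secret, signed).encode(), mac.encode()):
        return False
    # Fields are trusted only after the HMAC check has passed.
    fields = dict(f.split("=", 1) for f in signed.split("~"))
    if now >= int(fields["exp"]):
        return False
    return "ip" not in fields or fields["ip"] == client_ip
```

Compare the output against the downloadable samples before relying on it, since the field set and hash input that Wowza Streaming Cloud accepts are defined there, not here.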


Originally Published: 06-14-2016.
Updated: 09-08-2016.
