Secure HLS AES-128 key URI


I encrypted a video with HLS AES-128 using the Apple tool. Below is my m3u8 file:

#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-PLAYLIST-TYPE:VOD
#EXT-X-KEY:METHOD=AES-128,URI="https://xxxxx.com/api/xxx/xxxxx/xxxxxxxxxxxx/xxxxxxx.key"
#EXTINF:10, 
#EXT-X-BITRATE:658
8ce9e1ef-4b15-4d22-b2dc-c7278757ffb5_0.ts
#EXTINF:10, 
#EXT-X-BITRATE:1798
8ce9e1ef-4b15-4d22-b2dc-c7278757ffb5_1.ts
#EXTINF:1,  
#EXT-X-BITRATE:620
8ce9e1ef-4b15-4d22-b2dc-c7278757ffb5_2.ts
#EXT-X-ENDLIST

The key URI is my API endpoint URL. I will be getting the key from the API.

But whenever I copy-paste the key URI (https://xxxxx.com/api/xxx/xxxxx/xxxxxxxxxxxx/xxxxxxx.key) into the browser, the key gets downloaded.

How do I pass an authorization header whenever a player requests the key URI?

Or is there any way to secure the key URI?

I am playing the video with the Bitmovin player (Node.js). Can we pass the authorization header for the key request URI?

Thanks in advance.

Wolfram Hofmeister On

One common way of securing web APIs is to use JSON Web Tokens (JWTs) and to send them to the API using the Authorization HTTP request header.

As for the Bitmovin Player Web SDK (of which I am a developer), HTTP headers can be added to requests using the preprocessHttpRequest method of the Network API. For example, passing a JWT auth token to the API for HLS key requests could be done the following way:

const token = 'your-jwt-token';
const playerConfig = {
  key: 'your-key',
  network: {
    preprocessHttpRequest: (type, request) => {
      // Only add the `Authorization` header to HLS key requests
      if (type === bitmovin.player.HttpRequestType.KEY_HLS_AES) {
        // Add the `Authorization` header containing the JWT to the request
        request.headers['Authorization'] = 'Bearer ' + token;
      }

      return Promise.resolve(request);
    }
  }
};

const player = new bitmovin.player.Player(document.getElementById('player'), playerConfig);

You don't have to use JWTs - you can transmit arbitrary data to the API using the Authorization header. However, using JWTs is more secure as those tokens are usually generated by a trusted source (like Google's OpenID Connect) and are signed to prevent any modifications. If you want to use JWTs for authentication, your API would have to provide an endpoint to acquire them.
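
The server side of the exchange described in the answer above, as an added example that is not part of the original post and not Bitmovin's code: key endpoint logic that releases the AES-128 key only when the `Authorization` header carries a valid, unexpired JWT. The HS256 shared secret, the sample key bytes and the names `issueJwt`, `verifyJwt` and `handleKeyRequest` are assumptions made for illustration.

```javascript
// Added example: gate the HLS key behind a Bearer JWT check (Node.js, no dependencies).
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumptions: a shared HS256 secret and a constructed 16-byte content key.
const JWT_SECRET = 'constructed-demo-secret';
const CONTENT_KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Mints a token for the demo; a real deployment gets it from its login/token endpoint.
function issueJwt(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`, secret))}`;
}

// Returns the claims if the token is well-formed, HS256-signed and unexpired, else null.
function verifyJwt(token, secret, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm: the token must not choose it (rejects "alg":"none").
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const expected = sign(`${head}.${body}`, secret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    return typeof claims.exp === 'number' && claims.exp > nowSec ? claims : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Maps request headers (lowercased, as in Node's req.headers) to a response object.
function handleKeyRequest(headers, nowSec = Math.floor(Date.now() / 1000)) {
  const match = /^Bearer (.+)$/.exec(headers.authorization || '');
  if (!match || !verifyJwt(match[1], JWT_SECRET, nowSec)) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer' }, body: null };
  }
  // no-store keeps the key out of browser and proxy caches.
  const ok = { 'Content-Type': 'application/octet-stream', 'Cache-Control': 'no-store' };
  return { status: 200, headers: ok, body: CONTENT_KEY };
}
```

With this check in place, pasting the key URI into a browser address bar sends no `Authorization` header and gets a 401 instead of the key.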