The Wowza Video™ service can secure Wowza CDN on Fastly stream targets with token authentication. Token authentication protects streams by ensuring that they are accessed only by viewers who have the token. You can use token authentication to make the stream playback URL unavailable after a certain length of time, to limit access to approved IP addresses, or to apply other restrictions. Token authentication prevents playback URLs from being shared through unauthorized links or player hijacking attacks.
Token authentication is disabled by default. To use it, enable it, test it, and then generate your own query parameters to secure the stream as you choose.
Before you start
You should complete the following tasks:
- Create a live stream or transcoder with a stream target you'd like to edit. View our Connect a source topics to learn how to create a live stream or transcoder for your source encoder or IP camera.
About token authentication
Token-based authentication uses a multipart token that consists of a delimited list of string fields. One field is an HMAC, or keyed-hash message authentication code. HMAC is a common mechanism for message authentication that uses cryptographic hash functions. The HMAC portion of the token is keyed with a trusted shared secret that you create in Wowza Video. The HMAC portion is short-lived and secures initial access to the stream.
The second part of the token, a cookie, is valid for the duration of the stream and protects segments that are delivered during playback. It restricts access to the stream according to query parameters that you specify. For example, you can expire the stream after a certain length of time or only let allowlisted IP addresses access it.
You append the token to the stream target's playback URL, and then Wowza Video only lets viewers receive the content after it verifies the presence and validity of the token.
Token authentication is managed by the browser, and viewers' browsers must allow cookies in order for streams protected by token authentication to play.
Notes:
- Token authentication works with third-party players. It doesn't work with a player created in the Wowza Video live stream workflow and embedded in a hosted or third-party webpage.
- Third-party players must be configured to allow cross-site access control requests using credentials such as cookies.
1. Enable token authentication
To enable token authentication, start by creating a trusted shared secret, sometimes called a secret key or a password, in Wowza Video.
- Click Advanced on the menu bar, click Stream Targets, and then select the Wowza CDN on Fastly target that you want to secure.
- Click the Security tab of the target's detail page and then click Edit.
- Select Token Authentication.
- Enter a Shared Secret or click Generate Random Shared Secret.
The trusted shared secret must contain only hexadecimal characters (the digits 0 through 9 and/or the letters a through f). The length of the secret must be an even number of characters between 2 and 32.
- (Optional) Select Protect Playlist Only to protect the master playlist only and leave individual media playlists and media segments unprotected. This feature enables playback compatibility with media players that don’t support the withCredentials property. It may also be useful when addressing token auth compatibility issues with specific browsers.
Note: MPEG-DASH streams
- If you've enabled MPEG-DASH on your stream target, Protect Playlist Only applies to both the playlist.m3u8 for HLS and manifest.mpd for MPEG-DASH.
- If you're using MPEG-DASH with Protect Playlist Only enabled and set a time-to-live (TTL) for the token, the TTL must cover the duration of the stream. If it's shorter than the duration of the stream, playback will stop when the token expires.
- Click Save.
When token authentication is enabled, you can view the shared secret on the Security tab of the target detail page by clicking the show (eyeball) icon.
2. Generate query parameters
After authentication is enabled, generate query parameters to complete the token, and then append the query parameters to the stream target or VOD stream playback URL. The parameters allow access to the protected stream for a specified period of time.
Notes:
- Changing the trusted shared secret invalidates all existing tokens.
- We've provided a Wowza CDN on Fastly Token Authentication examples GitHub repository with some code examples for queries written in Ruby, Python, PHP, and JavaScript. You can use these samples to generate your own tokens for playback, or write your own query parameters.
- On the Security tab of the stream target detail page, enter the following details:
  - Start Date – Specifies when protected access to the stream begins.
  - End Date – Specifies when protected access to the stream ends. The End Date is required. The default value is +10 minutes from the current time.
  - IP Address – Restricts the token to the specified IP address.
  - VOD Stream ID – For use with VOD streams only. The eight-character ID of the VOD stream to which this token applies. The ID appears under the VOD stream name in the search results table on the VOD Streams tab.
- Click Generate Query Parameters.
- Append the generated query string to the stream target's playback URL, which you can find on the Setup tab of the stream target detail page.
For VOD streams, append the generated query string to the VOD stream's playback URL, which you can find on the VOD Stream Details page. You'll want to repeat this for each VOD stream.
- Start the live stream or transcoder and access the playback URLs.
Example HLS playback URL with token authentication
https://[subdomain].wowza.com/1/[stream_id]/[stream_name]/hls/live/playlist.m3u8?hdnts=exp=1578424041~hmac=0428782df32a8a8b91823889756d8084997cf45c58375d526dc9852808b35721
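The following Python sketch is an added example, not Wowza's code or the code from its examples repository. It enforces the shared-secret rules from step 1, builds a token in the `exp=...~hmac=...` shape shown above, and checks a playback URL the way a verifier would (MAC first, then expiry). The signed string and the use of HMAC-SHA256 are assumptions (the 64-hex-character `hmac` value above is consistent with SHA-256), and the secret, host, and function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlsplit


def secret_key(secret):
    """Apply the page's shared-secret rules: hex 0-9/a-f, even length, 2 to 32 chars."""
    if not re.fullmatch(r"(?:[0-9a-f]{2}){1,16}", secret):
        raise ValueError("secret must be 2-32 hex characters, even length")
    return bytes.fromhex(secret)


def sign(fields, secret):
    # ASSUMPTION: HMAC-SHA256 over the '~'-joined fields, keyed with the decoded secret.
    msg = "~".join(fields).encode()
    return hmac.new(secret_key(secret), msg, hashlib.sha256).hexdigest()


def make_token(secret, exp):
    """Build 'exp=<unix time>~hmac=<hex digest>' as in the example URL."""
    fields = [f"exp={exp}"]
    return "~".join(fields + [f"hmac={sign(fields, secret)}"])


def check_url(url, secret, now=None):
    """Return 'ok' or the reason a playback URL's hdnts token is rejected."""
    token = parse_qs(urlsplit(url).query).get("hdnts", [""])[0]
    body, sep, mac = token.rpartition("~hmac=")
    if not sep:
        return "missing hmac"
    fields = body.split("~")
    # Constant-time comparison; the MAC is checked before any field is trusted.
    if not hmac.compare_digest(sign(fields, secret).encode(), mac.encode()):
        return "bad hmac"
    exp = dict(f.partition("=")[::2] for f in fields).get("exp", "")
    if not exp.isdecimal() or int(exp) <= (time.time() if now is None else now):
        return "expired"
    return "ok"


SECRET = "0123456789abcdef"  # constructed sample secret, not a real one
URL = "https://example.invalid/playlist.m3u8?hdnts=" + make_token(SECRET, 2000000000)
```

Editing `exp` in the URL without the secret yields `bad hmac`, which is why a viewer cannot extend a token's lifetime; tokens for real playback should come from the Generate Query Parameters button or the samples in Wowza's repository.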