配置内容密钥授权策略Configure a content key authorization policy

Note

Google Widevine 内容保护服务目前在 Azure 中国区域不可用。Google Widevine content protection services are currently unavailable in the Azure China regions.

概述Overview

可以使用 Azure 媒体服务传送受高级加密标准 (AES)(使用 128 位加密密钥)或受 PlayReady 数字版权管理 (DRM) 保护的 MPEG-DASH 流、平滑流式处理流和 HTTP 实时流式处理 (HLS) 流。You can use Azure Media Services to deliver MPEG-DASH, Smooth Streaming, and HTTP Live Streaming (HLS) streams protected with the Advanced Encryption Standard (AES) by using 128-bit encryption keys or PlayReady digital rights management (DRM). PlayReady 是按通用加密 (ISO/IEC 23001-7 CENC) 规范加密的。PlayReady is encrypted per the common encryption (ISO/IEC 23001-7 CENC) specification.

媒体服务还提供了一个密钥/许可证传送服务,客户端可从中获取 AES 密钥或 PlayReady 许可证,以用于播放加密的内容。Media Services also provides a key/license delivery service from which clients can obtain AES keys or PlayReady licenses to play the encrypted content.

如果希望媒体服务对某个资产进行加密,则需要将加密密钥(CommonEncryption 或 EnvelopeEncryption)与该资产相关联。If you want Media Services to encrypt an asset, you need to associate an encryption key (CommonEncryption or EnvelopeEncryption) with the asset. 有关详细信息,请参阅使用 .NET 创建内容密钥For more information, see Create ContentKeys with .NET. 还需要配置密钥的授权策略(如本文中所述)。You also need to configure authorization policies for the key (as described in this article).

当播放器请求流时,媒体服务将使用指定的密钥通过 AES 或 DRM 加密来动态加密内容。When a stream is requested by a player, Media Services uses the specified key to dynamically encrypt your content by using AES or DRM encryption. 为解密流,播放器从密钥传送服务请求密钥。To decrypt the stream, the player requests the key from the key delivery service. 为了确定用户是否被授权获取密钥,服务将评估你为密钥指定的授权策略。To determine whether the user is authorized to get the key, the service evaluates the authorization policies that you specified for the key.

媒体服务支持通过多种方式对发出密钥请求的用户进行身份验证。Media Services supports multiple ways of authenticating users who make key requests. 内容密钥授权策略可以有一个或多个授权限制。The content key authorization policy can have one or more authorization restrictions. 选项为“开放”或“令牌限制”。The options are open or token restriction. 令牌限制策略必须附带由安全令牌服务 (STS) 颁发的令牌。The token-restricted policy must be accompanied by a token issued by a security token service (STS). 媒体服务支持采用简单 Web 令牌 (SWT) 格式和 JSON Web 令牌 (JWT) 格式的令牌。Media Services supports tokens in the simple web token (SWT) format and the JSON Web Token (JWT) format.

媒体服务不提供 STS。Media Services doesn't provide STS. 可以创建自定义 STS 或使用 Azure 访问控制服务来颁发令牌。You can create a custom STS or use Azure Access Control Service to issue tokens. 必须将 STS 配置为创建令牌,该令牌使用指定密钥以及在令牌限制配置中指定的颁发声明进行签名(如本文所述)。The STS must be configured to create a token signed with the specified key and issue claims that you specified in the token restriction configuration (as described in this article). 如果令牌有效,并且令牌中的声明与为内容密钥配置的声明相匹配,则媒体服务密钥传送服务会将加密密钥返回到客户端。If the token is valid and the claims in the token match those configured for the content key, the Media Services key delivery service returns the encryption key to the client.

有关详细信息,请参阅以下文章:For more information, see the following articles:

需要注意的一些事项Some considerations apply

  • 创建媒体服务帐户后,一个处于“已停止”状态的默认流式处理终结点会添加到帐户。When your Media Services account is created, a default streaming endpoint is added to your account in the "Stopped" state. 若要开始流式传输内容并利用动态打包和动态加密,流式处理终结点必须处于“正在运行”状态。To start streaming your content and take advantage of dynamic packaging and dynamic encryption, your streaming endpoint must be in the "Running" state.
  • 资产必须包含一组自适应比特率 MP4 或自适应比特率平滑流文件。Your asset must contain a set of adaptive bitrate MP4s or adaptive bitrate Smooth Streaming files. 有关详细信息,请参阅对资产进行编码For more information, see Encode an asset.
  • 使用 AssetCreationOptions.StorageEncrypted 选项上传资产并对其进行编码。Upload and encode your assets by using the AssetCreationOptions.StorageEncrypted option.
  • 如果打算创建需要相同策略配置的多个内容密钥,建议创建单个授权策略,并将其重复用于多个内容密钥。If you plan to have multiple content keys that require the same policy configuration, we recommend that you create a single authorization policy and reuse it with multiple content keys.
  • 密钥传送服务将 ContentKeyAuthorizationPolicy 及其相关对象(策略选项和限制)缓存 15 分钟。The key delivery service caches ContentKeyAuthorizationPolicy and its related objects (policy options and restrictions) for 15 minutes. 可以创建 ContentKeyAuthorizationPolicy 并指定使用令牌限制,对其进行测试,然后更新策略以开放限制。You can create ContentKeyAuthorizationPolicy and specify to use a token restriction, test it, and then update the policy to the open restriction. 在策略切换到策略的开放版本之前,此过程需要花费大约 15 分钟。This process takes roughly 15 minutes before the policy switches to the open version of the policy.
  • 如果添加或更新资产的传送策略,则必须删除现有的定位符并创建新的定位符。If you add or update your asset's delivery policy, you must delete any existing locator and create a new locator.
  • 目前,无法对渐进式下载进行加密。Currently, you can't encrypt progressive downloads.
  • 媒体服务流式处理终结点将预检响应中 CORS 的“Access-Control-Allow-Origin”标头的值设置为通配符“*”。A Media Services streaming endpoint sets the value of the CORS 'Access-Control-Allow-Origin' header in preflight response as the wildcard '*'. 此值适用于大多数播放器,其中包括 Azure Media Player、Roku、JWPlayer 等。This value works well with most players, including Azure Media Player, Roku and JWPlayer, and others. 但是,这不适用于一些使用 dashjs 的播放器,因为将凭据模式设置为“包含”之后,dashjs 中的 XMLHttpRequest 不允许将通配符“*”作为“Access-Control-Allow-Origin”的值。However, some players that use dashjs don't work because, with the credentials mode set to "include", XMLHttpRequest in their dashjs doesn't allow the wildcard "*" as the value of 'Access-Control-Allow-Origin'. 作为 dashjs 中这一限制的解决办法,如果将客户端承载在单个域中,则媒体服务可以指定预检响应标头中的域。As a workaround to this limitation in dashjs, if you host your client from a single domain, Media Services can specify that domain in the preflight response header. 若需帮助,请通过 Azure 门户开具支持票证。For assistance, open a support ticket through the Azure portal.

AES-128 动态加密AES-128 dynamic encryption

开放限制Open restriction

开放限制意味着系统会将密钥传送到发出密钥请求的任何用户。Open restriction means the system delivers the key to anyone who makes a key request. 此限制可能适用于测试用途。This restriction might be useful for testing purposes.

以下示例创建开放授权策略,并将其添加到内容密钥:The following example creates an open authorization policy and adds it to the content key:

    static public void AddOpenAuthorizationPolicy(IContentKey contentKey)
    {
        // Create ContentKeyAuthorizationPolicy with Open restrictions
        // and create authorization policy
        IContentKeyAuthorizationPolicy policy = _context.
        ContentKeyAuthorizationPolicies.
        CreateAsync("Open Authorization Policy").Result;
        
        List<ContentKeyAuthorizationPolicyRestriction> restrictions =
            new List<ContentKeyAuthorizationPolicyRestriction>();

        ContentKeyAuthorizationPolicyRestriction restriction =
            new ContentKeyAuthorizationPolicyRestriction
            {
                Name = "HLS Open Authorization Policy",
                KeyRestrictionType = (int)ContentKeyRestrictionType.Open,
                Requirements = null // no requirements needed for HLS
            };

        restrictions.Add(restriction);

        IContentKeyAuthorizationPolicyOption policyOption =
            _context.ContentKeyAuthorizationPolicyOptions.Create(
            "policy", 
            ContentKeyDeliveryType.BaselineHttp, 
            restrictions, 
            "");

        policy.Options.Add(policyOption);

        // Add ContentKeyAuthorizationPolicy to ContentKey
        contentKey.AuthorizationPolicyId = policy.Id;
        IContentKey updatedKey = contentKey.UpdateAsync().Result;
        Console.WriteLine("Adding Key to Asset: Key ID is " + updatedKey.Id);
    }

令牌限制Token restriction

本部分介绍如何创建内容密钥授权策略,以及如何将其与内容密钥相关联。This section describes how to create a content key authorization policy and associate it with the content key. 授权策略描述了必须达到什么授权要求才能确定用户是否有权接收密钥。The authorization policy describes what authorization requirements must be met to determine if the user is authorized to receive the key. 例如,“验证密钥”列表是否包含为令牌签名时使用的密钥?For example, does the verification key list contain the key that the token was signed with?

若要配置令牌限制选项,需要使用 XML 来描述令牌的授权要求。To configure the token restriction option, you need to use an XML to describe the token's authorization requirements. 令牌限制配置 XML 必须符合以下 XML 架构:The token restriction configuration XML must conform to the following XML schema:

#### Token restriction schema
    <?xml version="1.0" encoding="utf-8"?>
    <xs:schema xmlns:tns="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1" xmlns:xs="https://www.w3.org/2001/XMLSchema">
      <xs:complexType name="TokenClaim">
        <xs:sequence>
          <xs:element name="ClaimType" nillable="true" type="xs:string" />
          <xs:element minOccurs="0" name="ClaimValue" nillable="true" type="xs:string" />
        </xs:sequence>
      </xs:complexType>
      <xs:element name="TokenClaim" nillable="true" type="tns:TokenClaim" />
      <xs:complexType name="TokenRestrictionTemplate">
        <xs:sequence>
          <xs:element minOccurs="0" name="AlternateVerificationKeys" nillable="true" type="tns:ArrayOfTokenVerificationKey" />
          <xs:element name="Audience" nillable="true" type="xs:anyURI" />
          <xs:element name="Issuer" nillable="true" type="xs:anyURI" />
          <xs:element name="PrimaryVerificationKey" nillable="true" type="tns:TokenVerificationKey" />
          <xs:element minOccurs="0" name="RequiredClaims" nillable="true" type="tns:ArrayOfTokenClaim" />
        </xs:sequence>
      </xs:complexType>
      <xs:element name="TokenRestrictionTemplate" nillable="true" type="tns:TokenRestrictionTemplate" />
      <xs:complexType name="ArrayOfTokenVerificationKey">
        <xs:sequence>
          <xs:element minOccurs="0" maxOccurs="unbounded" name="TokenVerificationKey" nillable="true" type="tns:TokenVerificationKey" />
        </xs:sequence>
      </xs:complexType>
      <xs:element name="ArrayOfTokenVerificationKey" nillable="true" type="tns:ArrayOfTokenVerificationKey" />
      <xs:complexType name="TokenVerificationKey">
        <xs:sequence />
      </xs:complexType>
      <xs:element name="TokenVerificationKey" nillable="true" type="tns:TokenVerificationKey" />
      <xs:complexType name="ArrayOfTokenClaim">
        <xs:sequence>
          <xs:element minOccurs="0" maxOccurs="unbounded" name="TokenClaim" nillable="true" type="tns:TokenClaim" />
        </xs:sequence>
      </xs:complexType>
      <xs:element name="ArrayOfTokenClaim" nillable="true" type="tns:ArrayOfTokenClaim" />
      <xs:complexType name="SymmetricVerificationKey">
        <xs:complexContent mixed="false">
          <xs:extension base="tns:TokenVerificationKey">
            <xs:sequence>
              <xs:element name="KeyValue" nillable="true" type="xs:base64Binary" />
            </xs:sequence>
          </xs:extension>
        </xs:complexContent>
      </xs:complexType>
      <xs:element name="SymmetricVerificationKey" nillable="true" type="tns:SymmetricVerificationKey" />
    </xs:schema>

配置令牌限制策略时,必须指定主验证密钥、颁发者和受众参数。When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. 主验证密钥包含为令牌签名时使用的密钥。The primary verification key contains the key that the token was signed with. 颁发者是颁发令牌的 STS。The issuer is the STS that issues the token. 受众(有时称为范围)描述该令牌的意图,或者令牌授权访问的资源。The audience (sometimes called scope) describes the intent of the token or the resource the token authorizes access to. 媒体服务密钥交付服务会验证令牌中的这些值是否与模板中的值匹配。The Media Services key delivery service validates that these values in the token match the values in the template.

使用用于 .NET 的媒体服务 SDK 时,可以使用 TokenRestrictionTemplate 类来生成限制令牌。When you use the Media Services SDK for .NET, you can use the TokenRestrictionTemplate class to generate the restriction token. 以下示例创建包含令牌限制的授权策略。The following example creates an authorization policy with a token restriction. 在此示例中,客户端必须出示令牌,其中包含:签名密钥 (VerificationKey)、令牌颁发者和必需的声明。In this example, the client must present a token that contains a signing key (VerificationKey), a token issuer, and required claims.

    public static string AddTokenRestrictedAuthorizationPolicy(IContentKey contentKey)
    {
        string tokenTemplateString = GenerateTokenRequirements();

        IContentKeyAuthorizationPolicy policy = _context.
                                ContentKeyAuthorizationPolicies.
                                CreateAsync("HLS token restricted authorization policy").Result;

        List<ContentKeyAuthorizationPolicyRestriction> restrictions =
                new List<ContentKeyAuthorizationPolicyRestriction>();

        ContentKeyAuthorizationPolicyRestriction restriction =
                new ContentKeyAuthorizationPolicyRestriction
                {
                    Name = "Token Authorization Policy",
                    KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
                    Requirements = tokenTemplateString
                };

        restrictions.Add(restriction);

        //You could have multiple options 
        IContentKeyAuthorizationPolicyOption policyOption =
            _context.ContentKeyAuthorizationPolicyOptions.Create(
                "Token option for HLS",
                ContentKeyDeliveryType.BaselineHttp,
                restrictions,
                null  // no key delivery data is needed for HLS
                );

        policy.Options.Add(policyOption);

        // Add ContentKeyAuthorizationPolicy to ContentKey
        contentKey.AuthorizationPolicyId = policy.Id;
        IContentKey updatedKey = contentKey.UpdateAsync().Result;
        Console.WriteLine("Adding Key to Asset: Key ID is " + updatedKey.Id);

        return tokenTemplateString;
    }

    static private string GenerateTokenRequirements()
    {
        TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.SWT);

        template.PrimaryVerificationKey = new SymmetricVerificationKey();
        template.AlternateVerificationKeys.Add(new SymmetricVerificationKey());
            template.Audience = _sampleAudience.ToString();
            template.Issuer = _sampleIssuer.ToString();

        template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim);

        return TokenRestrictionTemplateSerializer.Serialize(template);
    }

测试令牌Test token

若要获取用于密钥授权策略的基于令牌限制的测试令牌,请执行以下操作:To get a test token based on the token restriction that was used for the key authorization policy, do the following:

    // Deserializes a string containing an Xml representation of a TokenRestrictionTemplate
    // back into a TokenRestrictionTemplate class instance.
    TokenRestrictionTemplate tokenTemplate =
        TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);

    // Generate a test token based on the data in the given TokenRestrictionTemplate.
    // Note, you need to pass the key id Guid because we specified 
    // TokenClaim.ContentKeyIdentifierClaim in during the creation of TokenRestrictionTemplate.
    Guid rawkey = EncryptionUtils.GetKeyIdAsGuid(key.Id);

    //The GenerateTestToken method returns the token without the word “Bearer” in front
    //so you have to add it in front of the token string. 
    string testToken = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenTemplate, null, rawkey);
    Console.WriteLine("The authorization token is:\nBearer {0}", testToken);
    Console.WriteLine();

PlayReady 动态加密PlayReady dynamic encryption

可以使用媒体服务配置相应的权限和限制,这样当用户尝试播放受保护的内容时,PlayReady DRM 运行时就会强制实施这些权限和限制。You can use Media Services to configure the rights and restrictions that you want the PlayReady DRM runtime to enforce when a user tries to play back protected content.

使用 PlayReady 保护内容时,需要在授权策略中指定的项目之一是用于定义 PlayReady 许可证模板的 XML 字符串。When you protect your content with PlayReady, one of the things you need to specify in your authorization policy is an XML string that defines the PlayReady license template. 在用于 .NET 的媒体服务 SDK 中,PlayReadyLicenseResponseTemplate 和 PlayReadyLicenseTemplate 类有助于定义 PlayReady 许可证模板。In the Media Services SDK for .NET, the PlayReadyLicenseResponseTemplate and PlayReadyLicenseTemplate classes help you define the PlayReady license template.

若要了解如何使用 PlayReady 加密内容,请参阅使用 PlayReady 动态通用加密To learn how to encrypt your content with PlayReady, see Use PlayReady dynamic common encryption.

开放限制Open restriction

开放限制意味着系统会将密钥传送到发出密钥请求的任何用户。Open restriction means the system delivers the key to anyone who makes a key request. 此限制可能适用于测试用途。This restriction might be useful for testing purposes.

以下示例创建开放授权策略,并将其添加到内容密钥:The following example creates an open authorization policy and adds it to the content key:

    static public void AddOpenAuthorizationPolicy(IContentKey contentKey)
    {

        // Create ContentKeyAuthorizationPolicy with Open restrictions 
        // and create authorization policy          

        List<ContentKeyAuthorizationPolicyRestriction> restrictions = new List<ContentKeyAuthorizationPolicyRestriction>
        {
            new ContentKeyAuthorizationPolicyRestriction 
            { 
                Name = "Open", 
                KeyRestrictionType = (int)ContentKeyRestrictionType.Open, 
                Requirements = null
            }
        };

        // Configure PlayReady license template.
        string newLicenseTemplate = ConfigurePlayReadyLicenseTemplate();

        IContentKeyAuthorizationPolicyOption policyOption =
            _context.ContentKeyAuthorizationPolicyOptions.Create("",
                ContentKeyDeliveryType.PlayReadyLicense,
                    restrictions, newLicenseTemplate);

        IContentKeyAuthorizationPolicy contentKeyAuthorizationPolicy = _context.
                    ContentKeyAuthorizationPolicies.
                    CreateAsync("Deliver Common Content Key with no restrictions").
                    Result;


        contentKeyAuthorizationPolicy.Options.Add(policyOption);

        // Associate the content key authorization policy with the content key.
        contentKey.AuthorizationPolicyId = contentKeyAuthorizationPolicy.Id;
        contentKey = contentKey.UpdateAsync().Result;
    }

令牌限制Token restriction

若要配置令牌限制选项,需要使用 XML 来描述令牌的授权要求。To configure the token restriction option, you need to use an XML to describe the token's authorization requirements. 令牌限制配置 XML 必须遵循“令牌限制架构”部分所示的 XML 架构。The token restriction configuration XML must conform to the XML schema shown in the "Token restriction schema" section.

    public static string AddTokenRestrictedAuthorizationPolicy(IContentKey contentKey)
    {
        string tokenTemplateString = GenerateTokenRequirements();

        IContentKeyAuthorizationPolicy policy = _context.
                                ContentKeyAuthorizationPolicies.
                                CreateAsync("HLS token restricted authorization policy").Result;

        List<ContentKeyAuthorizationPolicyRestriction> restrictions = new List<ContentKeyAuthorizationPolicyRestriction>
        {
            new ContentKeyAuthorizationPolicyRestriction 
            { 
                Name = "Token Authorization Policy", 
                KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
                Requirements = tokenTemplateString, 
            }
        };

        // Configure PlayReady license template.
        string newLicenseTemplate = ConfigurePlayReadyLicenseTemplate();

        IContentKeyAuthorizationPolicyOption policyOption =
            _context.ContentKeyAuthorizationPolicyOptions.Create("Token option",
                ContentKeyDeliveryType.PlayReadyLicense,
                    restrictions, newLicenseTemplate);

        IContentKeyAuthorizationPolicy contentKeyAuthorizationPolicy = _context.
                    ContentKeyAuthorizationPolicies.
                    CreateAsync("Deliver Common Content Key with no restrictions").
                    Result;

        policy.Options.Add(policyOption);

        // Add ContentKeyAuthorizationPolicy to ContentKey
        contentKeyAuthorizationPolicy.Options.Add(policyOption);

        // Associate the content key authorization policy with the content key
        contentKey.AuthorizationPolicyId = contentKeyAuthorizationPolicy.Id;
        contentKey = contentKey.UpdateAsync().Result;

        return tokenTemplateString;
    }

    static private string GenerateTokenRequirements()
    {

        TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.SWT);

        template.PrimaryVerificationKey = new SymmetricVerificationKey();
        template.AlternateVerificationKeys.Add(new SymmetricVerificationKey());
            template.Audience = _sampleAudience.ToString();
            template.Issuer = _sampleIssuer.ToString();


        template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim);

        return TokenRestrictionTemplateSerializer.Serialize(template);
    } 

    static private string ConfigurePlayReadyLicenseTemplate()
    {
        // The following code configures PlayReady License Template using .NET classes
        // and returns the XML string.

        //The PlayReadyLicenseResponseTemplate class represents the template for the response sent back to the end user. 
        //It contains a field for a custom data string between the license server and the application 
        //(may be useful for custom app logic) as well as a list of one or more license templates.
        PlayReadyLicenseResponseTemplate responseTemplate = new PlayReadyLicenseResponseTemplate();

        // The PlayReadyLicenseTemplate class represents a license template for creating PlayReady licenses
        // to be returned to the end users. 
        //It contains the data on the content key in the license and any rights or restrictions to be 
        //enforced by the PlayReady DRM runtime when using the content key.
        PlayReadyLicenseTemplate licenseTemplate = new PlayReadyLicenseTemplate();
        //Configure whether the license is persistent (saved in persistent storage on the client) 
        //or non-persistent (only held in memory while the player is using the license).  
        licenseTemplate.LicenseType = PlayReadyLicenseType.Nonpersistent;

        // AllowTestDevices controls whether test devices can use the license or not.  
        // If true, the MinimumSecurityLevel property of the license
        // is set to 150.  If false (the default), the MinimumSecurityLevel property of the license is set to 2000.
        licenseTemplate.AllowTestDevices = true;


        // You can also configure the Play Right in the PlayReady license by using the PlayReadyPlayRight class. 
        // It grants the user the ability to play back the content subject to the zero or more restrictions 
        // configured in the license and on the PlayRight itself (for playback specific policy). 
        // Much of the policy on the PlayRight has to do with output restrictions 
        // which control the types of outputs that the content can be played over and 
        // any restrictions that must be put in place when using a given output.
        // For example, if the DigitalVideoOnlyContentRestriction is enabled, 
        //then the DRM runtime will only allow the video to be displayed over digital outputs 
        //(analog video outputs won’t be allowed to pass the content).

        //IMPORTANT: These types of restrictions can be very powerful but can also affect the consumer experience. 
        // If the output protections are configured too restrictive, 
        // the content might be unplayable on some clients. For more information, see the PlayReady Compliance Rules document.

        // For example:
        //licenseTemplate.PlayRight.AgcAndColorStripeRestriction = new AgcAndColorStripeRestriction(1);

        responseTemplate.LicenseTemplates.Add(licenseTemplate);

        return MediaServicesLicenseTemplateSerializer.Serialize(responseTemplate);
    }

若要获取基于令牌限制(用于密钥授权策略)的测试令牌,请参阅“测试令牌”部分。To get a test token based on the token restriction that was used for the key authorization policy, see the "Test token" section.

定义 ContentKeyAuthorizationPolicy 时使用的类型Types used when you define ContentKeyAuthorizationPolicy

ContentKeyRestrictionTypeContentKeyRestrictionType

    public enum ContentKeyRestrictionType
    {
        Open = 0,
        TokenRestricted = 1,
        IPRestricted = 2,
    }

ContentKeyDeliveryTypeContentKeyDeliveryType

    public enum ContentKeyDeliveryType
    {
      None = 0,
      PlayReadyLicense = 1,
      BaselineHttp = 2
    }

TokenTypeTokenType

    public enum TokenType
    {
        Undefined = 0,
        SWT = 1,
        JWT = 2,
    }

媒体服务学习路径Media Services learning paths

媒体服务 v3(最新版本)Media Services v3 (latest)

查看最新版本的 Azure 媒体服务!Check out the latest version of Azure Media Services!

媒体服务 v2(旧版)Media Services v2 (legacy)

后续步骤Next steps

现在已配置内容密钥的授权策略,可以查看配置资产传送策略了。Now that you have configured the content key's authorization policy, see Configure an asset delivery policy.