配置内容密钥授权策略Configure a content key authorization policy


Google Widevine 内容保护服务目前在 Azure 中国区域不可用。Google Widevine content protection services are currently unavailable in the Azure China regions.


可以使用 Azure 媒体服务传送受高级加密标准 (AES)(使用 128 位加密密钥)或受 PlayReady 数字版权管理 (DRM) 保护的 MPEG-DASH 流、平滑流式处理流和 HTTP 实时流式处理 (HLS) 流。You can use Azure Media Services to deliver MPEG-DASH, Smooth Streaming, and HTTP Live Streaming (HLS) streams protected with Advanced Encryption Standard (AES) by using 128-bit encryption keys or PlayReady digital rights management (DRM). PlayReady 是按通用加密 (ISO/IEC 23001-7 CENC) 规范加密的。PlayReady is encrypted per the common encryption (ISO/IEC 23001-7 CENC) specification.

媒体服务还提供了一个密钥/许可证传送服务,客户端可从中获取 AES 密钥或 PlayReady 许可证,以用于播放加密的内容。Media Services also provides a key/license delivery Service from which clients can obtain AES keys or PlayReady license to play the encrypted content.

本文介绍了如何使用 Azure 门户配置内容密钥授权策略。This article shows how to use the Azure portal to configure the content key authorization policy. 以后,可以使用该密钥来动态加密内容。The key can later be used to dynamically encrypt your content. 当前可以对 HLS、MPEG DASH 和平滑流式处理格式进行加密。Currently, you can encrypt HLS, MPEG-DASH, and Smooth Streaming formats. 无法对渐进式下载进行加密。You can't encrypt progressive downloads.

当播放器请求已设置为动态加密的流时,媒体服务将使用所配置的密钥通过 AES 或 DRM 加密来对内容进行动态加密。When a player requests a stream that is set to be dynamically encrypted, Media Services uses the configured key to dynamically encrypt your content by using AES or DRM encryption. 为解密流,播放器从密钥传送服务请求密钥。To decrypt the stream, the player requests the key from the key delivery service. 为了确定用户是否被授权获取密钥,服务将评估你为密钥指定的授权策略。To determine whether the user is authorized to get the key, the service evaluates the authorization policies that you specified for the key.

如果计划创建多个内容密钥,或者想要指定除媒体服务密钥传送服务以外的密钥\许可证传送服务 URL,请使用媒体服务 .NET SDK 或 REST API。If you plan to have multiple content keys or want to specify a key/license delivery service URL other than the Media Services key delivery service, use the Media Services .NET SDK or REST APIs. 有关详细信息,请参阅:For more information, see:

需要注意的一些事项Some considerations apply

  • 创建媒体服务帐户后,一个处于“已停止”状态的默认流式处理终结点会添加到帐户。When your Media Services account is created, a default streaming endpoint is added to your account in the "Stopped" state. 若要开始流式传输内容并利用动态打包和动态加密,流式处理终结点必须处于“正在运行”状态。To start streaming your content and take advantage of dynamic packaging and dynamic encryption, your streaming endpoint must be in the "Running" state.
  • 资产必须包含一组自适应比特率 MP4 或自适应比特率平滑流文件。Your asset must contain a set of adaptive bitrate MP4s or adaptive bitrate Smooth Streaming files. 有关详细信息,请参阅对资产进行编码For more information, see Encode an asset.
  • 密钥传送服务将 ContentKeyAuthorizationPolicy 及其相关对象(策略选项和限制)缓存 15 分钟。The key delivery service caches ContentKeyAuthorizationPolicy and its related objects (policy options and restrictions) for 15 minutes. 可以创建 ContentKeyAuthorizationPolicy 并指定使用令牌限制,对其进行测试,然后更新策略以开放限制。You can create a ContentKeyAuthorizationPolicy and specify to use a token restriction, test it, and then update the policy to the open restriction. 在策略切换到开放版本之前,此过程需要花费大约 15 分钟。This process takes roughly 15 minutes before the policy switches to the open version.
  • 媒体服务流式处理终结点将预检响应中 CORS Access-Control-Allow-Origin 标头的值设置为通配符“*”。A Media Services streaming endpoint sets the value of the CORS Access-Control-Allow-Origin header in preflight response as the wildcard "*". 此值适用于大多数播放器,其中包括 Azure Media Player、Roku、JWPlayer 等。This value works well with most players, including Azure Media Player, Roku and JWPlayer, and others. 但是,这不适用于一些使用 dash.js 的播放器,因为将凭据模式设置为“包含”之后,dash.js 中的 XMLHttpRequest 不允许将通配符“*”作为 Access-Control-Allow-Origin 的值。However, some players that use dash.js don't work because, with credentials mode set to "include," XMLHttpRequest in their dash.js doesn't allow the wildcard "*" as the value of Access-Control-Allow-Origin. 作为 dash.js 中这一限制的解决办法,如果你将客户端承载在单个域中,则媒体服务可以指定预检响应标头中的域。As a workaround to this limitation in dash.js, if you host your client from a single domain, Media Services can specify that domain in the preflight response header. 若需帮助,请通过 Azure 门户开具支持票证。For assistance, open a support ticket through the Azure portal.

配置密钥授权策略Configure the key authorization policy

若要配置密钥授权策略,请选择“内容保护” 页。To configure the key authorization policy, select the CONTENT PROTECTION page.

媒体服务支持通过多种方式对发出密钥请求的用户进行身份验证。Media Services supports multiple ways to authenticate users who make key requests. 内容密钥授权策略可以具有“开放”、“令牌”或 IP 授权限制。The content key authorization policy can have open, token, or IP authorization restrictions. (可以使用 REST 或 .NET SDK 配置 IP。)(IP can be configured with REST or the .NET SDK.)

开放限制Open restriction

“开放”限制意味着系统会将密钥传送到发出密钥请求的任何用户。The open restriction means the system delivers the key to anyone who makes a key request. 此限制可能适用于测试用途。This restriction might be useful for testing purposes.


令牌限制Token restriction

若要选择令牌限制策略,请选择“令牌” 按钮。To choose the token restricted policy, select the TOKEN button.

令牌受限制策略必须附带由安全令牌服务 (STS) 颁发的令牌。The token restricted policy must be accompanied by a token issued by a security token service (STS). 媒体服务支持采用简单 Web 令牌 (SWT) 格式和 JSON Web 令牌 (JWT) 格式的令牌。Media Services supports tokens in the simple web token (SWT) and JSON Web Token (JWT) formats. 有关详细信息,请参阅 JWT 身份验证For more information, see JWT authentication.

媒体服务不提供 STS。Media Services doesn't provide STS. 可以创建自定义 STS 来颁发令牌。You can create a custom STS to issue tokens. 必须将 STS 配置为创建令牌,该令牌使用指定密钥以及在令牌限制配置中指定的颁发声明进行签名。The STS must be configured to create a token signed with the specified key and issue claims that you specified in the token restriction configuration. 如果令牌有效,并且令牌中的声明与为内容密钥配置的声明相匹配,则媒体服务密钥传送服务会将加密密钥返回到客户端。If the token is valid and the claims in the token match those configured for the content key, the Media Services key delivery service returns the encryption key to the client.

配置令牌限制策略时,必须指定主验证密钥、颁发者和受众参数。When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. 主验证密钥包含为令牌签名时使用的密钥。The primary verification key contains the key that the token was signed with. 颁发者是颁发令牌的 STS。The issuer is the STS that issues the token. 受众(有时称为范围)描述该令牌的意图,或者令牌授权访问的资源。The audience (sometimes called scope) describes the intent of the token or the resource the token authorizes access to. 媒体服务密钥交付服务会验证令牌中的这些值是否与模板中的值匹配。The Media Services key delivery service validates that these values in the token match the values in the template.


使用 PlayReady 保护内容时,需要在授权策略中指定的项目之一是用于定义 PlayReady 许可证模板的 XML 字符串。When you protect your content with PlayReady, one of the things you need to specify in your authorization policy is an XML string that defines the PlayReady license template. 默认情况下,已设置以下策略:By default, the following policy is set:

<PlayReadyLicenseResponseTemplate xmlns:i="https://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/PlayReadyTemplate/v1">
          <ContentKey i:type="ContentEncryptionKeyFromHeader" />

可以选择“导入策略 xml” 按钮并提供遵循在媒体服务 PlayReady 许可证模板概述中定义的 XML 架构的一个不同 XML。You can select the import policy xml button and provide a different XML that conforms to the XML schema defined in the Media Services PlayReady license template overview.

后续步骤Next steps

媒体服务 v3(最新版本)Media Services v3 (latest)

查看最新版本的 Azure 媒体服务!Check out the latest version of Azure Media Services!

媒体服务 v2(旧版)Media Services v2 (legacy)