6

I want the widevine server to authenticate the requesting user is authenticated and logged-in to my web app.

Can I make my own API server serve the DRM keys somehow? I know they're served encrypted so is there's a way to create my own LA server?

Or do I have to use an existing one? If so - how do I make it authenticate my users to make sure they're logged-in? (and maybe check that it's a very specific user that can view the video).

I want to make sure that a user that's allowed to view the video will not have the possibility of grabbing the mpd link and put it in a different player with the same widevine server. What part of the process makes it really secure?

Adam Tal
  • 5,911
  • 4
  • 29
  • 49

1 Answers1

0

You must use the official license server. You can however put your own service in between the license server and client, as a proxy, to add additional functionality.

szatmary
  • 29,969
  • 8
  • 44
  • 57
  • So how does it protect my content? If someone else uses my mpd url in his own website it will play. How do I add an authentication process to the DRM license request? How do I really protect my file? – Adam Tal Feb 26 '18 at 21:14
  • The key is not in the mpd. This licenses server can return or not return a key based on any criteria you wish (user login, IP address, time of day, whatever you want) – szatmary Feb 26 '18 at 21:21
  • Can you please direct me to some documentation or a guide regarding user login validation on the license server? Is the only server everyone works with for widevine licenses `license.uat.widevine.com`? – Adam Tal Feb 26 '18 at 23:51
  • Documentation on creating user accounts on your website? I’m sure there are hundreds of articles on the internet for that. You can find them just as easy as me. If you have more questions a at thins point, open a new topic on stackoverflow. – szatmary Feb 27 '18 at 00:17
  • You didn't understand me. My app is at production with OAuth working. I want to protect my video from the authenticated user - I don't want him to download or use the same mpd url. How do I make the widevine server take my existing authentication key from the request headers and send it to my API server to make sure it's valid? If a user that logged-in takes the mpd url and tries to stream it with the official widevine url what stops him? I think I'm missing something basic in the understanding of the licensing process and what makes it secure even againts my own users. – Adam Tal Feb 27 '18 at 09:44
  • 1
    The widevine server doesnt stop him. The player requests the key from YOUR server. If the user is authorized, your server makes the request to widevine, and passes the result to the client (a proxy) If auth fails, your server returns an error. – szatmary Feb 27 '18 at 16:36
  • 1
    So I create a widevine proxy server which is pretty close to what I wanted in my question. Thanks! – Adam Tal Feb 27 '18 at 20:55