SignedPolicy, How to authorize a user with userID, instead of "allow_ip"?

[martiankoder]

Hi,
This may sound like a stupid question, but I would like to understand how SignedPolicy helps authorize a specific user, say a user with userID = "1234" to access to a stream? The Policy's properties do not have some thing like "userID", it has allow_ip:
`{
"url_activate":1399711581,
"url_expire":1399721581,

"stream_expire":1399821581,                                    
"allow_ip":"192.168.100.5/32"

}`

How to I know a user that just logged in has the right to access to my resource? IP address is not good enough as a user can use different networks and devices that have different IP addresses? Is Policy customizable to add "user_id", so that on backend code, I can use that ID to authorize that user to access a resource?

[naanlizard]

The intention is that you have a separate service that provides authorization however you want to in order to determine who gets to play the stream

[martiankoder]

Say, for example, User1 is given a link to access to play a stream. User1 shares this link (the signed URL) to 10 other users, this is not allowed, I want only user1 has access to that stream. How do you prevent 10 other users to view the stream?

[naanlizard]

Ah sorry, i confused two features

You may want to use admissionwebhooks

https://airensoft.gitbook.io/ovenmediaengine/access-control/admission-webhooks

[getroot]

In such scenarios, service providers usually:

1. Set url_expire to very short in SignedPolicy
   When an authorized viewer requests playback from your website, provide the Signed Policy URL with a 3 second url_expire and start playback immediately. The URL expires soon, so even if viewers distribute the URL, they won't be able to play it.

2. Authenticate users with AdmissionWebhooks
   Deploy a URL like wss://domain/app/<User ID>. AdmissionWebhooks will ask your Control Server to allow replay of this URL. Your Control Server extracts the User ID from the URL, checks if the user can play it now, and informs OME of the real playback url (e.g. wss://domain/app/stream109293192) as new_url in the response.

Checking to allow playback is up to your service implementation. for example

• Authorized users click on content on your website
• Record user id, playback stream name, and request time in DB
• Distribute the wss://domain/app/user_id URL to the user, and start playing the URL in the user's player
• OvenMediaEngine asks your control server to allow playback of wss://domain/app/user_id
• The control server finds the user id in the DB, checks the stream name and issuance time, and checks whether it has been too long since issuance.
• If playback is allowed, respond with wss://domain/app/<stream name> to the new_url of the response
• The control server deletes the record from the DB (to prevent URL distribution)

For reference, <stream_name> is not exposed to users because it is exchanged only between OME and your control server.