Callback authentication
ApsaraVideo Live supports callback authentication for stream ingest, recording, snapshot, and dual-stream disaster recovery callbacks. When callback authentication is enabled, ApsaraVideo Live adds authentication parameters to the HTTP(S) request headers of callback requests. Your receiving server can then verify the signature and timestamp to reject unauthorized or invalid requests.
Authentication parameters
Callback authentication adds the following parameters to HTTP(S) request headers:
|
Parameter |
Description |
|
ALI-LIVE-TIMESTAMP |
The UNIX timestamp, in seconds, when the callback request was initiated. |
|
ALI-LIVE-SIGNATURE |
A 32-character MD5 signature string. See the following section for the calculation method. |
Signature algorithm
ALI-LIVE-SIGNATURE is calculated from the following fields:
|
Field |
Example |
Description |
|
Domain |
|
The domain varies by callback type:
|
|
ALI-LIVE-TIMESTAMP |
|
The UNIX timestamp, in seconds, when the callback request was initiated. |
|
NotifyAuthKey |
|
The authentication key you configured. |
Concatenation
Concatenate the three fields with a vertical bar (|) as the separator and calculate the MD5 value.
MD5Content = Domain|ALI-LIVE-TIMESTAMP|NotifyAuthKey
ALI-LIVE-SIGNATURE = md5sum(MD5Content)
Example calculation
ALI-LIVE-SIGNATURE = md5sum(learn.aliyundoc.com|1519375990|yourkey)
Receiver server verification
Your callback receiving server verifies requests as follows:
Signature verification
-
Determine the callback domain based on the callback type, as described in the Domain field of the signature algorithm table.
-
Concatenate the callback domain, the ALI-LIVE-TIMESTAMP value, and the NotifyAuthKey with a vertical bar (
|) as the separator. -
Calculate the MD5 value of the concatenated string.
-
Compare the result with the value of the
ALI-LIVE-SIGNATUREheader. If they do not match, reject the request.
Timestamp verification
Obtain the current time and calculate the difference from the ALI-LIVE-TIMESTAMP value. If the difference exceeds your configured threshold, reject the request.
A tolerance of 5 minutes is recommended. Clock skew between servers can cause time differences. A tolerance that is too short may reject legitimate callbacks delayed by network latency. Enabling this check is optional.
Considerations
-
Callback authentication is optional but recommended. After you set a NotifyAuthKey, callback requests include the signature headers. Whether your receiving server verifies the signatures is up to you. Setting a NotifyAuthKey does not affect existing callback functionality. If you do not set a NotifyAuthKey, your callbacks continue to work as before.
-
A new NotifyAuthKey takes effect only after you reingest the stream. Callbacks for an ongoing ingest session still use the previous NotifyAuthKey.