
ApsaraVideo Live: Remote authentication

Last Updated: Jan 05, 2024

ApsaraVideo Live allows you to forward requests to a specified authentication server that verifies the requests. If the requests pass verification, access is allowed. If the requests fail verification, access is denied or other restrictions are imposed. This effectively prevents unauthorized users from accessing your resources. This topic describes how to configure remote authentication.

Overview

Remote authentication works in the same manner as URL signing. They are both used to protect live streaming resources from unauthorized exploitation. In other words, only authorized users can access the resources.

Remote authentication and URL signing have the following differences in terms of technical implementation:

  • URL signing: You implement the authentication rules of the domain name in live centers. The live centers use the rules to complete the authentication process.

  • Remote authentication: You have an authentication server that is built and managed by yourself. After live centers receive a request, they forward the request to the authentication server for authentication.

The following figure shows the data interaction process during remote authentication:

[Figure: data interaction process during remote authentication]

  1. A user initiates a request to access resources in a live center. The request contains authentication parameters.

  2. The live center receives the request and forwards it to your authentication server, either directly or after processing the request based on specific rules.

  3. The authentication server returns the authentication result to the live center based on the authentication parameters in the request.

  4. The live center performs actions based on the authentication result returned by the authentication server and returns the corresponding data to the user.

    • Example result 1: If the authentication is successful, the user starts to access and interact with cached data in the live center.

    • Example result 2: If the authentication fails, the live center returns HTTP status code 403 to the user.

    • Example result 3: If the authentication times out, the live center performs the specified action upon timeout, that is, allows or denies the user access.

Usage notes

You need to submit a ticket before you can use the remote authentication feature. To configure the remote authentication settings, perform the following procedure.

Procedure

  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domains to go to the Domain Management page.
  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. Choose Streaming Management > Access Control.

  5. Click the Remote Authentication tab. Turn on Remote Authentication, and configure the parameters that are described in the following table.

    Note

    After you enable remote authentication, all user requests are redirected to the authentication server. If a large number of requests are sent, make sure that the authentication server can handle traffic spikes without compromising the performance.

    Parameter: Description

    Authentication Server Address: The address of the authentication server. The address must be publicly accessible. The system checks whether the format and value of the address that you enter are valid. You can specify a fixed URL or a variable concatenated URL.

      • Fixed URL: The HTTP and HTTPS protocols are supported. The value cannot contain 127.0.0.1 or localhost, which are invalid local addresses. Sample formats:

        • http(s)://example.com/auth

        • http(s)://192.0.2.1/auth

      • Variable concatenated URL: You can construct a signed URL by concatenating variables and then use the URL as the address of the authentication server. For more information about the concatenation rules, see Variable concatenated URLs.

    Pass Through URL Parameters: The URL parameters that you want the authentication server to check. You can select Specified Parameters Passed, Specified Parameters Not Passed, or None.

      Note

      If you select Specified Parameters Passed or Specified Parameters Not Passed, you must specify the parameters that you want to or do not want to pass through in the text box. Separate multiple parameters with commas (,). Example: key1,key2,key3.

    HTTP Status Code to Return: The HTTP status code that the authentication server returns to the live center. You can select one of the following options:

      • Successful Authentication: If you select this option, enter a custom HTTP status code for successful authentication in the text box. The live center allows requests only if the authentication server returns this status code. If other status codes are returned, requests are denied.

        For example, if you set the HTTP status code to 200, the authentication server returns HTTP status code 200 to the live center for requests that pass the authentication.

      • Failed Authentication: If you select this option, enter a custom HTTP status code for failed authentication in the text box. The live center denies requests only if the authentication server returns this status code. If other status codes are returned, requests are allowed.

        For example, if you set the HTTP status code to 403, the authentication server returns HTTP status code 403 to the live center for requests that fail the authentication.

    Authentication Duration (s): The period of time that starts when the live center initiates authentication and ends when the live center receives the authentication result from the authentication server.

      Valid values: integers from 0 to 30.

    Retries on Timeout: The number of times that the authentication server retries authentication if the specified authentication duration is exceeded. After the number of retries reaches the specified value, the action that is specified by the Action After Timeout parameter is performed. You can select the Allow or Deny action.

    Action After Timeout: The action that you want to perform on requests when the data interaction between the live center and authentication server times out. Valid values: Allow and Deny.

      • Allow: If authentication times out, the live center allows requests.

      • Deny: If authentication times out, the live center denies requests and returns the HTTP status code that indicates failure (for example, 403) to the user.

    Asynchronous Authentication (under Advanced Settings): If you enable asynchronous authentication, a stream can be played without waiting for the authentication result. If the result that is returned at a later point in time indicates failed authentication, the playback is interrupted. This helps prevent the increase in first frame duration that is caused by waiting for the authentication result.

  6. Click OK.

    After you configure remote authentication, you can modify the settings of remote authentication or disable remote authentication on the Remote Authentication tab.
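
The authentication server's side of this configuration, as an added example that is not Alibaba Cloud code. It assumes the server address from the Note under "Variable concatenated URLs" (parameters appname, streamname and token), Successful Authentication set to 200, and a hypothetical token format (expiry plus HMAC-SHA256) with a constructed secret. Malformed, repeated, expired or mismatched input gets 403, and an unexpected exception is also mapped to 403 so that it never reaches the live center as some other status code.

```python
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: key shared with the token issuer
ALLOW, DENY = 200, 403               # codes set under "HTTP Status Code to Return"

def sign(app, stream, expires):
    """Hypothetical token: '<expires>-<hex HMAC-SHA256>' bound to app and stream."""
    msg = json.dumps([app, stream, expires]).encode()  # unambiguous field encoding
    return f"{expires}-{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"

def decide(query, now=None):
    """Map the query string forwarded by the live center to ALLOW or DENY."""
    now = time.time() if now is None else now
    try:
        q = parse_qs(query, strict_parsing=True)
        if any(len(q[k]) != 1 for k in ("appname", "streamname", "token")):
            return DENY  # repeated parameter: refuse rather than pick one
        app, stream, token = q["appname"][0], q["streamname"][0], q["token"][0]
        expires = int(token.partition("-")[0])
    except (KeyError, ValueError):
        return DENY      # missing or malformed parameter
    if expires < now:
        return DENY      # token no longer valid
    expected = sign(app, stream, expires)
    return ALLOW if hmac.compare_digest(token.encode(), expected.encode()) else DENY

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            status = decide(urlsplit(self.path).query)
        except Exception:
            status = DENY  # a crash must not turn into a non-403 answer
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("", 8080), AuthHandler).serve_forever()  # port is an assumption
```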

Variable concatenated URLs

You can construct a signed URL by concatenating variables and then use the URL as the address of the authentication server. The following table describes the variables.

Type: Description

Numeric variable: Numeric variables, such as ${1} and ${2}, are used to reference the part before ? in an ingest or streaming URL.

  For example, if the ingest URL is rtmp://abc.com/appname/streamname?token=1&name=xr, the numeric variables are ${1}=appname and ${2}=streamname.

Phrase variable: Phrase variables, such as ${arg_token} and ${arg_name}, are used to reference the part after ? in an ingest or streaming URL.

  For example, if the ingest URL is rtmp://abc.com/appname/streamname?token=1&name=xrc, the phrase variables are ${arg_token}=1 and ${arg_name}=xrc.

Custom variable: A custom variable starts with the udv_ prefix. Supported custom variables include ${udv_host} and ${udv_ip}, which are used to reference the host and the IP address on the stream ingest side, respectively.

ngx variable: All ngx.var.* variables can be directly referenced. For example, you can use ${args} to reference ngx.var.args.

  When you construct a URL by concatenating variables, all fields that are referenced by the variables are processed by the URL escape function ngx.escape_uri. This prevents ambiguity caused by special characters.

Stream name variable: You can specify the stream name in the form of videoname=${stream_name}, in which ${stream_name} can be replaced by the stream name of a playback request.

Note

If the ingest or streaming URL is rtmp://abc.com/app/stream?token=***&name=xrc

and the address of the authentication server is http://auth.com/?app=${udv_host}&streamname=${2}&appname=${1}&token=${arg_token},

the actual signed URL is http://auth.com/?app=abc.com&streamname=stream&appname=app&token=***.
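
A model of the expansion described in this section, as an added example that is not ApsaraVideo Live code. It shows why escaping every referenced field matters: a stream name containing & and = still reaches the authentication server as a single streamname value. Assumptions: Python's quote(safe="") stands in for ngx.escape_uri, ${udv_host} is taken from the request URL's host, only ${args} is modelled among the ngx variables, and the request URLs in the test are constructed.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

def expand(template, request_url):
    """Expand ${...} variables in an authentication server address template."""
    url = urlsplit(request_url)
    segments = [s for s in url.path.split("/") if s]      # ${1}, ${2}, ...
    # Raw (undecoded) query values, as nginx exposes them in $arg_<name>.
    args = dict(p.partition("=")[::2] for p in url.query.split("&") if p)

    def lookup(name):
        if name.isdigit() and int(name) > 0:
            return segments[int(name) - 1]
        if name.startswith("arg_"):
            return args[name[4:]]
        if name == "udv_host":
            return url.hostname    # assumption: host of the request URL
        if name == "args":
            return url.query       # the one ngx.var.* variable modelled here
        raise KeyError(name)       # unknown variable: refuse to guess

    # Every referenced field is escaped before it is placed in the URL.
    return re.sub(r"\$\{([A-Za-z0-9_]+)\}",
                  lambda m: quote(lookup(m.group(1)), safe=""), template)

def forwarded_params(template, request_url):
    """Parameters as the authentication server parses them from the expanded URL."""
    return parse_qs(urlsplit(expand(template, request_url)).query)

# Authentication server address from the Note above.
TEMPLATE = ("http://auth.com/?app=${udv_host}&streamname=${2}"
            "&appname=${1}&token=${arg_token}")
```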

Related API operations

BatchSetLiveDomainConfigs