azure azure-media-services azure-media-player

JWT token validates correctly, but fails Azure media AES with AuthorizationPolicyEvaluationFailure error


I've set up a simple Azure function to test out Azure media services. I'm trying to protect a video I uploaded, but I can't seem to get the JWT right. Here's the simple function code.

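    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens.Jwt;
    using System.Linq;
    using System.Security.Claims;
    using System.Text;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;
    using Microsoft.IdentityModel.Tokens;

    [FunctionName("Test")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Token lifetime: 20 minutes from now
        var expires = DateTimeOffset.UtcNow.AddMinutes(20);
        var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("RYhzAnz....VP0uQ==")); // removed full key for brevity
        var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
        // No custom claims are added
        var claims = new List<Claim>
        {
        };

        // Issuer and audience are the first two arguments
        var token = new JwtSecurityToken("http://test.net/",
            "urn:user",
            claims.AsEnumerable(),
            expires: expires.LocalDateTime,
            signingCredentials: credentials
        );

        return new OkObjectResult(new JwtSecurityTokenHandler().WriteToken(token));
    }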

I've filled out the issuer/audience in the token so that it matches what is in my Azure settings.


I've even validated that token on jwt.io, and it verified correctly.


But when I test it out on the Azure Media Player, the response is a 401 with an AuthorizationPolicyEvaluationFailure.


Here's the response from the Azure key delivery service:

    {
      "Error": {
        "Message": "Failed content key policy evaluation.",
        "Code": "AuthorizationPolicyEvaluationFailure"
      }
    }

Solution

  • Found out what I was doing wrong. Problem was hidden in plain sight. Issue came down to this line of code.

    Encoding.UTF8.GetBytes("RYhzAnz....VP0uQ==")
    

    This was getting the bytes of the security key, but the security key itself is base64 encoded. I had to change it to this instead.

    System.Convert.FromBase64String("RYhzAnz....VP0uQ==")
    

    I was able to figure this out while debugging the Azure Media Service AES example.
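The mismatch described in the answer, as an added example that is not part of the original post: a token signed with the UTF-8 bytes of a base64 key string verifies against those same text bytes, but not against the decoded key bytes. It assumes .NET 6 or later with the System.IdentityModel.Tokens.Jwt package; the key is a constructed sample generated at run time, and `KeyEncodingDemo`, `Mint` and `Verifies` are hypothetical names.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class KeyEncodingDemo
{
    // Sign an HS256 token with the issuer/audience used in the question.
    static string Mint(byte[] keyBytes)
    {
        var creds = new SigningCredentials(new SymmetricSecurityKey(keyBytes), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken("http://test.net/", "urn:user",
            expires: DateTime.UtcNow.AddMinutes(20), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // True when signature, issuer, audience and lifetime validate against keyBytes.
    static bool Verifies(string jwt, byte[] keyBytes)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "http://test.net/",
            ValidAudience = "urn:user",
            IssuerSigningKey = new SymmetricSecurityKey(keyBytes)
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException) { return false; } // includes signature failures
    }

    public static void Main()
    {
        // Constructed sample key: 32 random bytes, held as a base64 string.
        string base64Key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        byte[] textBytes = Encoding.UTF8.GetBytes(base64Key);      // bytes of the base64 text
        byte[] decodedBytes = Convert.FromBase64String(base64Key); // the key material itself

        string fromText = Mint(textBytes);
        string fromDecoded = Mint(decodedBytes);
        Console.WriteLine($"key lengths: text={textBytes.Length}, decoded={decodedBytes.Length}");
        Console.WriteLine($"text-key token vs text bytes:       {Verifies(fromText, textBytes)}");
        Console.WriteLine($"text-key token vs decoded bytes:    {Verifies(fromText, decodedBytes)}");
        Console.WriteLine($"decoded-key token vs decoded bytes: {Verifies(fromDecoded, decodedBytes)}");
    }
}
```

Only the second check fails, which is why a token can verify in one tool and still be rejected by a service that decodes the key from base64 before checking the signature.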