• 3 min read

How to make Token authorized AES encrypted HLS stream working in Safari

Azure Media Services provides capability for customers to generate an AES encrypted HLS stream with Token authorization configured on the AES key retrieval.

Azure Media Services provides capability for customers to generate an AES encrypted HLS stream with Token authorization configured on the AES key retrieval. However, as we know, Safari handles HLS playlist and key retrieval within the native stack and there is no easy way for developers to intercept the key request and add in Token into the 2nd level HLS Playlist. Here is a proposed solution if you do some magic on your authentication module to make this work. Below is an diagram to illustrate how this solution works:

Explanation for each step:

1. Customer sends request to your authentication system with video ID. it is important that you have some mapping between video ID and the actual streaming URL. 2. Your authentication system will authenticate user, and request top Playlist from Azure Media Services with video streaming URL. Let’s say the streaming URL looks like this: (format=m3u8-aapl). 3. Azure Media Services will return the top Playlist to the Authentication system. The top playlist looks like this:


4. Modify the top playlist, so the player (Safari in this case) will ping proxy server instead of our key services directly, and add token into the playlist. The authentication system has the knowledge of the how to compose the token but proxy server doesn’t. Here is the way how top playlist is modified:


In the example above, you need to put in an absolute path in URI (otherwise, the request will come back Auth server):

  • https://test.cloudvideo.azure-int.net/api/ManifestProxy? is the address for your proxy server and ManifestProxy is just a parameter for your to parse the URI later
  • PlaybackURL is the actual streaming URL (however, the URL now is the 2nd level manifest with quality level appends
  • Token is appended at the end as a parameter. Our key services accept token as parameter in the key request

5. Safari now will send  request based on the URL provided in URI parameter to retrieve 2nd level playlist which contains the key information. Since we changed the playlist to point to our proxy server, the request will come to proxy server 6. Our proxy server will receive the 2nd level playlist request. Remove https://test.cloudvideo.azure-int.net/api/ManifestProxy? and ping origin server with the playbackUrl in the playlist to get 2nd playlist with actual key URL in it. And append the token within this 2nd level Playlist. So the returned playlist looks like this:


7. Safari now will send a key request with the URI after #EXT-X-KEY:METHOD=AES-128,URI= to our key server. Since a token is embedded as a parameter, our key service could authorize the request and give player the AES key. We've made this work by uploading code we used to modify the playlist on proxy server here, and you can see a working sample site here. Please feel free to reach out if you have any questions!