Ooyala Player Token for Player V4

Content publishers and providers can secure their content with the Ooyala Player Token. (Available only if your Ooyala account includes this functionality. To enable Ooyala Player Token, contact your account manager.)

Use the Ooyala Player Token to protect content from users who may try to make unauthorized use of your digital content. For example, a user may take the embedded player Javascript (.js) script tag generated in Backlot and distribute it without permission to others for replay, or attempt other similar replay attacks.

To prevent such unauthorized usage, Ooyala provides the Ooyala Player Token, which helps protect your content from these types of risks. Use this feature to secure your monetized content and prevent unauthorized distribution.

The Ooyala Player Token provides a secure process that authenticates the player before allowing it to replay digital content. Token-based authentication ensures that digital content cannot be downloaded or played until the client player has been authenticated.

Using the Ooyala Player Token

For more information on how to build web applications with the Ooyala Player JavaScript API, see Player V4 JavaScript API.

Step 1: Set up the Ooyala Player Token in Backlot

In the Backlot UI, set a Syndication group flag and add your content assets to this syndication group. Then you can set up a web page to run one or more player(s) and send the authorization token.

Securing Playback Content with the Ooyala Player Token

Follow these steps to secure your content in Backlot:

  1. Log in to your Backlot account.
  2. Click the PUBLISH tab, and select the Syndication Controls tab.
  3. Select a video from a syndication group, or set up a syndication group and then select your video.
  4. In the Syndication Controls pane, click the Require Ooyala Player Token checkbox.
  5. (Optional) In the Expiration field, set the expiration time (in seconds) for the viewing session. If you do not specify a time, the recommended default of ten minutes is used. The field only accepts numeric entries (for example, 600). You may set a longer expiration time for the token if you prefer, since the Same Origin Policy protects its distribution. For more information about the expiration time, see Ooyala Player Token Expiration.
  6. Click the MANAGE tab, and select the Embed tab.
  7. Click the Copy button to get the player JavaScript <script> tag to paste into your web page. This content must be in the syndication group in which you specified the Ooyala Player Token as a required option.

Step 2: Create a Basic HTML Page

Create a basic HTML page that includes a call to OO.Player.create(). For a complete tutorial, see Examples of Player V4 Web Page Embedding.
<!DOCTYPE html>
<html>
    <head>
        <title>My Test Player V4 Web Page</title>
        <!-- Load Ooyala Player -->
        <script src="http://player.ooyala.com/core/YOUR_PLAYER_ID">
        </script>
    </head>
 
    <body>
        <!-- Player Placement -->
        <div id="container" style="width:640px; height:360px"></div>
        <script>
            OO.ready(function() {
                OO.Player.create(
                    'container', 
                     "YOUR_CONTENT_ID", {
                     }
                );
            });
        </script>
    </body>
</html>
Note: While this basic example illustrates the token request value on a web page, it is recommended that you do not actually store such information on static web pages since token requests contain sensitive information.

Step 3: Specify the embedToken Embedded Parameter

In the call to OO.Player.create(), specify embedToken as an embedded parameter:

<!DOCTYPE html>
<html>
    <head>
        <title>My Test Player V4 Web Page</title>
        <!-- Load Ooyala Player -->
        <script src="http://player.ooyala.com/core/YOUR_PLAYER_ID">
        </script>
    </head>
 
    <body>
      <!-- Player Placement -->
        <div id="container" style="width:640px; height:360px"></div>
        <script>
            OO.ready(function() {
                OO.Player.create(
                    'container', 
                    "YOUR_CONTENT_ID", {
                        embedToken : 'token value to be added here'
                    }
                );
            });
        </script>
    </body>
</html>

Step 4: Construct and Assign the Token Request Value

Construct the token request value and assign it to the embedToken embedded parameter. The value is in the form of a URL that has the following segments:

URL Segment Description
Protocol and domain http://player.ooyala.com
Request path /sas/embed_token/{pcode}/{comma-separated content IDs}
Query string parameters
?account_id={optional account ID}
&api_key={apikey}
&expires={expiration time} 
&postal_code={optional ZIP Code™}
&return_json=1
&signature={computed signature} 
Note: The return_json query parameter is optional. Set this parameter to 1 if you would like the authentication token to be returned in the JSON response.

The rest of this section explains how to specify the required values shown in the table.

Following is an example call to OO.Player.create() that includes the embedToken parameter. In this example, the following fictitious values are used (see below for detailed instructions on how to construct these values):
  • pcode: F0xxxxxxxxxxxxxxxxxxxxAQ2t1
  • content ID: A5exxxxxxxxxxxxxxxxxxxxxxxxxGWGU
  • api_key: F0xxxxxxxxxxxxxxxxxxxxAQ2t1.7xxxX
  • expires: 1549988253
  • signature: sp4Cew3qqX1iBrlKSfjlryuPlbHIaLMzLh7%2Ff39IBM4
OO.Player.create('container', "A5exxxxxxxxxxxxxxxxxxxxxxxxxGWGU", { 
  embedToken : 'http://player.ooyala.com/sas/embed_token/F0xxxxxxxxxxxxxxxxxxxxAQ2t1/A5exxxxxxxxxxxxxxxxxxxxxxxxxGWGU?api_key=F0xxxxxxxxxxxxxxxxxxxxAQ2t1.7xxxX&expires=1549988253&signature=sp4Cew3qqX1iBrlKSfjlryuPlbHIaLMzLh7%2Ff39IBM4'
});

The following table shows how to obtain the values needed for the embedToken parameter:

Value Description
account_id (Optional) Your account or user identifier. While not always necessary in the Ooyala Player Token, the account ID is required for working with entitlements (such as eCommerce), concurrent stream limits, cross-device resume, or device registration. Use this parameter in conjunction with Rights Locker and Device Registration API.
api_key If API access is enabled for your account, Ooyala provides you with an API key. To find your API key, log in to your Ooyala Backlot Web Account. Select the Account tab and click Developers. The API key contains two sets of characters separated by a period (.). This is a required field. For more information about the API key, see Your API Credentials.
comma-separated content IDs Supply one or more content IDs that represent the players that will be embedded on the page. You can list up to 50 content IDs. If you have more than 50 assets, or you do not want to list them all individually, specify all. This is useful when using the rights locker with applications to create the playback token for multiple assets.
expires The POSIX time when the token expires. Use a short expiration time so the URL snippet cannot be successfully replicated across other domains.
pcode Get the partner code (pcode) from your Ooyala Backlot Web Account. Select the Account tab and click Developers. In the API key, the set of characters to the left of the period is the pcode. This is a required field.
postal_code (Optional) Five-digit US ZIP Code™ of the geographic area where viewing the content is permitted. In the Syndication Controls tab of the PUBLISH page in Backlot, you must set the postal code under Geographic Controls and check Require Ooyala Player Token. Works only in the U.S.A. Enforcement depends on user permissions, accuracy of the third-party device and its geolocation service, and whether the device is stationary or in motion.
signature This must be the last parameter. Generate this signature on the server by following the instructions provided in General Algorithm for Signing Requests.

Complete Web Example: Authorize Playback and Obtain a Token

In the following example, when the embedded player is loaded, the event triggers the communication of the token request URL to the player. The player then requests authorization and a token from the Ooyala authorization server, using the token request. The postal code in the embedToken parameter restricts the geographic region where playback is allowed. Depending on whether the request made justifies playback, either a valid authorization response is returned, or an unauthorized response is returned.

<!DOCTYPE html>
<html>
    <head>
        <title>My Test Player V4 Web Page</title>
        <!-- Load Ooyala Player -->
        <script src="http://player.ooyala.com/core/YOUR_PLAYER_ID">
        </script>
    </head>
 
    <body>
      <!-- Player Placement -->
        <div id="container" style="width:640px; height:360px"></div> 
        <script>
          var playerParam = {
            'pcode':'F0xxxxxxxxxxxxxxxxxxxxAQ2t1',
            'playerBrandingId':YOUR_PLAYER_ID,
            'autoplay':false,
            'loop':false,
            'embedToken': 'http://player.ooyala.com/sas/embed_token/F0xxxxxxxxxxxxxxxxxxxxAQ2t1/A5exxxxxxxxxxxxxxxxxxxxxxxxxGWGU?api_key=F0xxxxxxxxxxxxxxxxxxxxAQ2t1.7xxxX&expires=1549988253&postal_code=92802&signature=sp4Cew3qqX1iBrlKSfjlryuPlbHIaLMzLh7%2Ff39IBM4',
            'skin': 
              {'config': '//player.ooyala.com/static/v4/production/latest/skin-plugin/skin.json'}
            };
            OO.ready(function() {
                OO.Player.create('container', "A5exxxxxxxxxxxxxxxxxxxxxxxxxGWGU", playerParam);
            });
        </script>
    </body>
</html>

해당 내용이 도움 되었습니까?