Content Access Control (JWT)

Notice

This document is a machine-translated draft and is currently undergoing review. Some content may be inaccurate or differ from the original Korean version. For the most precise information, refer to the Korean documentation.

What is JWT-based content authentication?

JWT (JSON Web Token) is an industry-standard token format for securely handling user authentication and authorization.

Kollus VOD implements high-level security through a JWT issuance mechanism based on its unique security key system:

  • URL tampering prevention: After a Playback URL is generated, signature verification ensures that data cannot be arbitrarily altered externally.
  • Granular access control: Playback rights are granted only to authenticated users, and content leakage is prevented by setting token expiration times.

Keys used for authentication

| Authentication Key | Description |
|---|---|
| Security key | A secret key that ensures the integrity of the JWT. Used when generating the signature. |
| Custom key | A unique identifier for the service account. Transmitted along with the JWT, it serves as the basis for determining which account's security key to use for signature verification. |
| Media content key | A unique identifier assigned to content registered in a channel. Included in the token to prove actual access rights to that content. |

See Also

For key information, refer to the document below.


Basic JWT structure

A JWT consists of three parts.

| Component | Role |
|---|---|
| Header | Contains information about the token type (JWT) and the algorithm used for signing (e.g., HS256). |
| Payload | Contains claims, which are the actual authentication information. User ID, expiration date and time, allowed media content keys, and more are recorded here. |
| Signature | A value created by combining the header and Payload, then computing a keyed hash (HMAC) over them with a security key known only to the server. This is the core mechanism for detecting token forgery or tampering. |

Kollus VOD authentication processing workflow

Kollus VOD uses the HMAC SHA-256 (HS256) algorithm, an industry-standard security specification.

  1. Token request: When a user attempts to log in to the service, the customer server verifies that user's information.
  2. JWT generation: The customer server uses the security key to generate a JWT containing the user ID, expiration date and time, and more.
  3. Playback URL request: The client combines the generated JWT with the custom key and requests playback using a URL in the following format.
     https://v.kr.kollus.com/s?jwt={JWT}&custom_key={CUSTOM_KEY}
  4. Integrity verification: The Kollus authentication server uses the received custom key to look up the corresponding account's security key and verifies the JWT signature.
  5. Playback approval: If the signature is valid and the expiration date and time in the Payload has not passed, a playback session is issued immediately.

JWT payload example

The following is a JWT Payload example for user catenoid to play content vnCVPVyV (media content key).

{
  "cuid": "catenoid",
  "expt": 1703980800,
  "mc": [
    {
      "mckey": "vnCVPVyV"
    }
  ]
}

| Option | Description |
|---|---|
| cuid | User ID |
| expt | JWT expiration date and time (Unix timestamp) |
| mc | Array containing playback content information |
| mckey | Media content key |

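
The workflow and payload above, as an added example that is not Kollus code: the customer server signs the payload with HS256 and builds the Playback URL, and a verifier checks the signature before trusting the expiration time. The key values are constructed placeholders, and verify_jwt is a hypothetical sketch of the verifier-side checks, not the Kollus implementation.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed sample values; real keys come from the service account settings.
SECURITY_KEY = b"example-security-key"
CUSTOM_KEY = "example-custom-key"
PAYLOAD = {"cuid": "catenoid", "expt": 1703980800, "mc": [{"mckey": "vnCVPVyV"}]}

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, security_key: bytes) -> str:
    """Customer-server side: build header.payload and append the HS256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)]
    signing_input = ".".join(segments)
    mac = hmac.new(security_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def playback_url(token: str, custom_key: str) -> str:
    return "https://v.kr.kollus.com/s?" + urlencode({"jwt": token, "custom_key": custom_key})

def verify_jwt(token: str, security_key: bytes, now: int) -> dict:
    """Verifier side (hypothetical): signature first, then expiry. Raises ValueError."""
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(security_key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison, done before the payload is parsed or trusted.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    expt = payload.get("expt")
    if not isinstance(expt, int) or now >= expt:  # assumption: expired once now reaches expt
        raise ValueError("token expired")
    return payload
```

Changing any byte of the payload segment, such as the mckey, invalidates the signature, which is why a client cannot extend expt or swap in another media content key.
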
Learn More (For Developers)

For a detailed description of JWT configuration, refer to the document below.