Token based security

THEOlive offers the option to enable JWT token security at the channel distribution level. This is useful if you want only valid users to access your stream. Read more about the feature and how to configure it on your channels in the token based security guide.

This page will demonstrate how to configure the Roku Player SDK for playback of channels with token based security enabled.

Setting up the Roku THEOplayer SDK for THEOlive

Refer to the getting started guide for the prerequisite steps in getting the Roku SDK up and running for THEOlive playback.

Configuring THEOplayer to pass the token

The THEOlive API provides a simple property to configure your token:

token = getToken() ' Generate or request your token, for more information check the token based security guide linked above.
player.theolive.authToken = token

This will ensure the player includes your token in the authorization header on all subsequent requests it performs for playback of your THEOlive channel.

Dealing with token expiry and rotation

If your tokens are short-lived, make sure to update the token passed to the player before it expires, so that playback can continue beyond expiry. This can simply be done by updating the header on the player in the same way. For example, you could check, at an interval that makes sense for your token lifespan, whether the token is about to expire and update it when necessary:

Add a Timer to your SceneGraph component to check the token at an interval:

...
<children>
    <Timer id="tokenTimer" repeat="true" duration="30" />
</children>
...

And in your BrightScript code:

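sub init()
    ' ...

    m.token = ""
    m.player = getPlayer()

    ' Set the initial token, then re-check it every time the timer fires.
    maybeUpdateToken()
    m.tokenTimer = m.top.findNode("tokenTimer")
    m.tokenTimer.observeField("fire", "maybeUpdateToken")
    m.tokenTimer.control = "start"
end sub

sub maybeUpdateToken()
    if m.token = "" or tokenWillExpireSoon(m.token) then
        m.token = getToken() ' Generate or request your token, for more information check the token based security guide linked above.
        m.player.theolive.authToken = m.token
    end if
end sub

function tokenWillExpireSoon(token as String) as Boolean
    ' A JWT has the form header.payload.signature; anything else is treated as expired.
    parts = token.split(".")
    if parts.count() < 2 then return true

    ' JWT segments are base64url-encoded without padding; convert to standard base64 before decoding.
    payloadBase64 = parts[1].Replace("-", "+").Replace("_", "/")
    while payloadBase64.Len() mod 4 <> 0
        payloadBase64 = payloadBase64 + "="
    end while

    ba = CreateObject("roByteArray")
    ba.FromBase64String(payloadBase64)
    decodedJson = ParseJson(ba.ToAsciiString())
    if decodedJson = invalid then return true

    ' A token without an exp claim is also treated as expired.
    exp = decodedJson.exp
    if exp = invalid then return true
    now = Int(CreateObject("roDateTime").AsSeconds())

    ' Refresh when 60 seconds or less of validity remain.
    return exp - now <= 60
end function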

Clearing the token

If the token isn't needed anymore, e.g. when switching to an unprotected channel or a non-THEOlive source altogether, the header can simply be removed as follows:

player.theolive.authToken = ""