OTT License Acquisition

1. Overview

The following diagram explains how the license acquisition happens in browsers.

Most HTML5 player stacks have already pre-integrated the HTML5 video tag and EME calls together so that the remaining work for the application is basically related to the effective "Get License" request and the importation of the returned "License" in the HTML5 player stack. The following subsection details the parameters to provide in this request.

2. Supported multi-DRM license server versions

SSP supports the following versions of the different DRM license servers:

Widevine

FairPlay

PlayReady

PRM

WisePlay

TVKey

Proxy

SDK 18.1.2

4.4.4

4.6.7604

22.36

Proxy

22.10

Proxy means that the SSP license server delegates license generation to the DRM provider, hence the latest version supported by the provider is used.

3. OTT Authorization Methods

The OTT license acquisition logic performed by an application integrated with SSP is dependent of the authorization integration used by the operator. SSP supports the following three authorization integration possibilities.

Even if the API of the OTT SSP license servers is always the same and defined here, the details of the expected data in the request is different and is described in the following table for each authorization mode:

Authorization mode	Supported by	Details
Authorization token	SSP on premises or SaaS	CLM Authorization token + {optionally N content key tokens} needs to be provided in "nv-authorizations" HTTP header for all DRM in challenge for Playready in ClientProtectedPrivateData of the challenge for SW-PRM Content usage rules defined by referring a Content Usage rules profile Identifier in the Authorization token License restrictions defined directly in the Authorization token keys delivered are either defined by the list of content key tokens provided or are detailed by the key delivery options
Authorization server (ADM/RMG)	SSP on premises or SaaS	PRM-LS can be used without Device Authentication token in this mode, the generic case is to put the Device Authentication token in "nv-authorizations" HTTP header for all DRM in challenge for Playready in ClientProtectedPrivateData of the challenge for SW-PRM Content usage rules defined by referring a Content Usage rules profile Identifier in the IMS ISPM interface defining the channel License restrictions are defined in a global configuration per tenant, part of it can be changed. license is not persistent license expiration is set to request time + 48h. This value can be configured. no begin date, no duration keys delivered are detailed by the key delivery options
Authorization callback to OpenTV platform 2.x	SSP on premises only	SDP token can be provided in "nv-application-data" HTTP header for Widevine and Playready and Fairplay Streaming. in custom data in Playready challenge. The Playready signaling used to create the challenge needs to include a contentId. as protected data in the PRM challenge. Only PRM challenge including the PRM signaling are supported. Content usage rules are always the default per DRM. License restrictions are defined by SDP response keys delivered are detailed by the key delivery options

4. OTT License Acquisition Use Cases

Depending of the authorization modes and the DRM, not all the use cases are supported. The following list describes some use cases that are supported:

VOD post-delivery: license server delivers only one key related to one content in one response. The identifier of the key requested is part of the DRM specific part of the license request.
VOD post-delivery with key per track: license server delivers several keys related to different tracks of one content in one reponse. The identifier of at least one of the keys requested is part of the DRM specific part of the license request.
Live post-delivery: license server delivers several keys related to different portion of time of one content in one response. The identifier of at least one of the keys requested is part of the DRM specific part of the license request.
Live post-delivery with key per track: license server delivers several keys related to both different portions of time and different tracks of one content in one response. The identifier of at least one of the keys requested is part of the DRM specific part of the license request.
Pre-delivery: license server delivers keys related to different contents in one response. The identifier of at least one of the keys requested might be part of the DRM specific part of the license request
.. live pre-delivery: the license server delivers keys for all the OTT live channels for which the user has active rights. A specific license pre-delivery request URL shall be used, see API specs
... with CKM : license server delivers keys that were imported in the CKM service AND the content DRM signaling was generated by the CKM service
... with content key token: license server delivers keys coming from the content key token AND the content DRM signaling was NOT generated by the CKM service

The following table lists which use cases are supported in which authorization modes for each DRM:

Authorization	Use case	PRM/Connect	SW-PRM	PlayReady	Widevine	FairPlay Streaming
Authorization Token	VOD post-delivery with CKM	Supported	Supported	Supported	Supported	Supported
	VOD post-delivery with content key token	Supported	Supported	Supported	Supported	Supported
	VOD post-delivery with key per track and content key token	Supported (N DMM, N DCM)	Not supported	Supported	Supported	Supported with several requests
	Live post-delivery with CKM	Supported	Supported	Supported Limitation with IE/Edge with EME, new license request needed after each key rotation	Supported	Supported
	Pre-delivery	Supported	Supported	Not supported in IE/Edge with EME temporary session type, a new license request will be needed for each new content	Supported	Not supported
Authorization callback to OpenTV platform 2.x	Live / VOD post-delivery with CKM	Supported	Not supported	Supported	Supported	Supported
Authorization server with ADM/RMG	Live post-delivery with CKM	Supported	Supported	Supported Limitation with IE/Edge with EME, new license request needed after each key rotation	Supported	Supported Deliver only one key
Authorization server with ADM/RMG	Live pre-delivery	Supported Specific license pre-delivery request URL shall be used, see API spec	Supported Requires the usage of initialize operation	Not supported	Not supported	Not supported