JWT Token exp and nbf field required

Stephen Augenstein 1 Reputation point
2020-09-25T16:27:08.68+00:00

We're still working on a new streaming service, but we've been testing over the past few weeks without setting the expiration and not-before fields on our tokens and everything has been working just fine. Recently (the past couple days?) it suddenly stopped working, and we're now getting an error that those fields are required. Was something changed server side recently to add these restrictions, since there's nothing I can find in the documentation saying they're required, and we haven't touched our content key policy in a while? Additionally, if these new restrictions aren't going away, is there going to be any limit on how far out the expiration can be set, or can we set key expiration months in the future?


2 answers

  1. ajkuma 23,641 Reputation points Microsoft Employee
    2020-09-28T12:08:37.047+00:00

    @Stephen Augenstein, thanks for sharing a detailed description of the issue.

    Firstly, you mentioned that 'it stopped working suddenly'. I understand it could be frustrating; apologies for any inconvenience with this issue and the delayed response here.

    Are you referring to this document or something else?

    I have also reached out to you offline to get additional details.

    To begin with, navigate to https://portal.azure.com/ and go to the ‘Diagnostic settings’ section of the Media Services account. Click on ‘Add diagnostic setting’ to enable diagnostics. Create a name for the diagnostic setting, review the logs, and also check out the ‘Diagnostic and solve problems’ blade.


  2. Stephen Augenstein 1 Reputation point
    2020-09-28T21:51:35.677+00:00

    I spoke with the team again and it looks like we probably didn't actually test it without setting the expiration and not-before fields. Apparently all our successful tests had the field set, and when it was not set for the first time last week we got an easy-to-understand error from Azure Media Player: "Token expiration missing or incorrectly formatted". I'm assuming that it has always worked this way, and that it was all just a misunderstanding on our part that the behavior had changed.

    Regarding the documentation, that is indeed the page I was referring to. It clearly states that issuer and audience are verified, and that you can specify custom claims in your content key policy. Expiration is mentioned in the documentation around the custom maxuses claim, with a comment that an expiry time more than an hour in the future will get rejected if maxuses is set, but that's only if you use that claim. In our review of all the media services documentation prior to starting work we also didn't find any mention of these fields being required generally.
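
Added example, not part of the thread and not Microsoft's code: a token minter that always sets `nbf` and `exp`, plus a client-side pre-flight check for the conditions discussed above (time claims missing or malformed, and an expiry more than an hour out when the max-uses claim is present). It assumes HS256 signing; the issuer, audience, key, the 60-second `nbf` back-dating and the function names are illustrative, and the check is not the service's own validation.

```python
import base64, hashlib, hmac, json, time

# Replay-prevention (max uses) claim name used by Azure Media Services tokens.
MAXUSES = "urn:microsoft:azure:mediaservices:maxuses"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(key, issuer, audience, lifetime_s, now=None, extra=None):
    """Build an HS256 JWT that always carries nbf and exp as integer NumericDates."""
    now = int(time.time()) if now is None else int(now)
    # nbf is back-dated 60 s to tolerate clock skew (an assumption, tune as needed).
    claims = {"iss": issuer, "aud": audience, "nbf": now - 60, "exp": now + lifetime_s}
    claims.update(extra or {})  # extra claims may override the defaults
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def preflight(token, now=None):
    """Return a list of problems with the time claims; an empty list means none found."""
    now = int(time.time()) if now is None else int(now)
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    problems = []
    for name in ("nbf", "exp"):
        value = claims.get(name)
        # RFC 7519 NumericDate: a JSON number of seconds since the epoch.
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name} missing or not a NumericDate")
    if problems:
        return problems
    if claims["nbf"] > now:
        problems.append("nbf is in the future")
    if claims["exp"] <= now:
        problems.append("exp is in the past")
    if MAXUSES in claims and claims["exp"] - now > 3600:
        problems.append("exp more than an hour out while maxuses is set")
    return problems
```

Running `preflight` on a token before handing it to the player surfaces a missing or string-formatted `exp` at issue time instead of as a playback error.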