Merge pull request #47797 from Juliako/patch-37

v-shils · web-flow · commit 15cf0fa2d6bc · 2018-08-01T08:12:59.000-07:00
Update content-protection-overview.md
diff --git a/articles/media-services/latest/content-protection-overview.md b/articles/media-services/latest/content-protection-overview.md
@@ -12,7 +12,7 @@ ms.workload: media
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 06/25/2018
+ms.date: 07/30/2018
 ms.author: juliako
 
 ---
@@ -26,7 +26,7 @@ The following image illustrates the Media Services content protection workflow:
 
 &#42; *dynamic encryption supports AES-128 "clear key", CBCS, and CENC. For details see the support matrix [here](#streaming-protocols-and-encryption-types).*
 
-This article explains concepts and terminology relevant to understanding content protection with Media Services. The article also provides links to articles that discuss how to protect content. 
+This article explains concepts and terminology relevant to understanding content protection with Media Services. The article also has the [FAQ](#faq) section and provides links to articles that show how to protect content. 
 
 ## Main components of the content protection system
 
@@ -121,6 +121,65 @@ With a token-restricted content key policy, the content key is sent only to a cl
 
 When you configure the token restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key contains the key that the token was signed with. The issuer is the secure token service that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template.
 
+## <a id="faq"/>Frequently asked questions
+
+### Question
+
+How to implement multi-DRM (PlayReady, Widevine, and FairPlay) system using Azure Media Services (AMS) v3 and also use AMS license/key delivery service?
+
+### Answer
+
+For end-to-end scenario, see the [following code example](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/master/AMSV3Tutorials/EncryptWithDRM/Program.cs). 
+
+The example shows how to:
+
+1. Create and configure ContentKeyPolicies.
+
+  The sample contains functions that configure [PlayReady](playready-license-template-overview.md), [Widevine](widevine-license-template-overview.md), and [FairPlay](fairplay-license-overview.md) licenses.
+
+    ```
+    ContentKeyPolicyPlayReadyConfiguration playReadyConfig = ConfigurePlayReadyLicenseTemplate();
+    ContentKeyPolicyWidevineConfiguration widevineConfig = ConfigureWidevineLicenseTempate();
+    ContentKeyPolicyFairPlayConfiguration fairPlayConfig = ConfigureFairPlayPolicyOptions();
+    ```
+
+2. Create a StreamingLocator that is configured to stream an encrypted asset. 
+
+  In the case of this example, we set **StreamingPolicyName** to **PredefinedStreamingPolicy.SecureStreaming** which supports envelope and cenc encryption and sets two content keys on the StreamingLocator. 
+
+  If you also want to encrypt with FairPlay, set the **StreamingPolicyName** to **PredefinedStreamingPolicy.SecureStreamingWithFairPlay**.
+
+3. Create a test token.
+
+  The **GetTokenAsync** method shows how to create a test token.
+  
+4. Build the streaming URL.
+
+  The **GetDASHStreamingUrlAsync** method shows how to build the streaming URL. In this case, the URL streams the **DASH** content.
+
+### Question
+
+How and where to get JWT token before using it to request license or key?
+
+### Answer
+
+1. For production, you need to have a Secure Token Services (STS) (web service) which issues JWT token upon a HTTPS request. For test, you could use the code shown in **GetTokenAsync** method defined in [Program.cs](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/master/AMSV3Tutorials/EncryptWithDRM/Program.cs).
+2. Player will need to make a request, after a user is authenticated, to the STS for such a token and assign it as the value of the token. You can use the [Azure Media Player API](https://amp.azure.net/libs/amp/latest/docs/).
+
+* For an example of running STS, with either symmetric and asymmetric key, please see [http://aka.ms/jwt](http://aka.ms/jwt). 
+* For an example of a player based on Azure Media Player using such JWT token, see [http://aka.ms/amtest](http://aka.ms/amtest) (expand "player_settings" link to see the token input).
+
+### Question
+
+How do you authorize requests to stream videos with AES encryption?
+
+### Answer
+
+The correct approach is to leverage STS (Secure Token Service):
+
+In STS, depending on user profile, add different claims (such as “Premium User”, “Basic User”, “Free Trial User”). With different claims in a JWT, the user can see different contents. Of course, for different content/asset, the ContentKeyPolicyRestriction will have the corresponding RequiredClaims.
+
+Use Azure Media Services APIs for configuring license/key delivery and encrypting your assets (as shown in [this sample](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/master/AMSV3Tutorials/EncryptWithAES/Program.cs).
 
 ## Next steps
 
