Breadcrumbs

Generic Token Authentication for Media Types

Overview

Some external CDNs or media platforms (e.g. SCORM CDN, Brightcove, or customer-specific platforms) require token-based access to media resources. To access protected media, the delivery system (LMS/portal) must attach a valid token (e.g. JWT or custom token) to each request.

The Generic Token Authentication for Media Types feature allows you to:

  • Configure token generation generically on media type level

  • Integrate with different external token endpoints

  • Forward tokens via HTTP header or cookie

  • Reuse the same mechanism across multiple media types and multiple identity providers (IdPs)

This significantly reduces the need for custom, project-specific token implementations.


Use Cases & Benefits

Typical Use Cases

  • Protected streaming or download endpoints
    Media content is hosted on an external CDN or media platform that only accepts requests with a valid token (e.g. signed URL token, JWT). The LMS/portal must fetch or generate this token per request.

  • Multiple identity providers (IdPs)
    The same content must be accessible through different IdPs (e.g. corporate IdP, partner IdP). The token generation logic needs to be flexible enough to integrate with several external identity or token services.

  • Reuse across media types
    Token-based access is needed for different media types (e.g. streaming video, downloadable files, SCORM-like content). Instead of implementing token logic individually per integration, token handling can be configured once and reused.

Business Benefits

  • Reduced custom development
    No need to build a dedicated token mechanism for every new media integration or customer. The generic token configuration can be reused.

  • Lower maintenance effort
    When token endpoints, formats, or rules change on the external system, you adjust the configuration/connector instead of reworking multiple custom integrations.

  • Consistent security model
    You can enforce a uniform approach to token-based access across all supported media types.

Functional Description

High-Level Concept

For supported media types (Metatag “Token Generation Provider”, ID
12077), you can configure a token generation and forwarding setup with the following properties:

  • Endpoint URL
    The URL of the external token provider (e.g. Apple token service, CDN token endpoint, IdP API) that issues the token.

  • Connector class
    A configurable connector implementation that:

    • Calls the external endpoint

    • Handles authentication to that endpoint (e.g. credentials, client certificates, OAuth – depending on implementation)

    • Maps the response into the token format expected by the media delivery request

    • Optionally interprets request context (user, course, content item, etc.) if supported by the connector

  • Token forwarding method
    Defines how the token is attached to the outgoing request to the media resource:

    • Header – token is sent in a specific HTTP header

    • Cookie – token is set as an HTTP cookie

  • Token name
    The technical name used when forwarding the token:

    • For header: header name (e.g. Authorization, X-Access-Token)

    • For cookie: cookie name (e.g. auth_token)

At runtime, when a learner accesses a protected media object:

  1. The system identifies that this media type requires token authentication.

  2. The configured connector calls the external Endpoint URL.

  3. The connector receives/generates the token.

  4. The system forwards the token to the media endpoint as:

    • HTTP header, or

    • Cookie
      using the configured name.

  5. The external platform validates the token and either grants or denies access to the media.