Description of authzurl and interaction with laurl unclear #22

@jpiesing

I'm confused by the description of the authzurl element and its interaction with the laurl element in Draft-DASH-IF-IOPv5.1.0-Part6-for-Community-Review.pdf.pdf.

  1. Is the player expected to just make an HTTP GET request to the authzurl?
    Is anything expected or permitted to be added to the authzurl, either as query arguments or as HTTP headers?
    A literal interpretation would have all players that receive the same manifest making the same request to the same URL. If that is correct then it would seem the only information that the authorization server could access in order to decide whether to return a result would be the user agent (which is insecure), geolocation information and perhaps a TLS client certificate.

  2. Is the token just the return value of the HTTP GET request? Is it necessary to say anything about encoding of the token? If the authorization server decides not to authorize access, what should it return? Blank? A non-blank invalid token? Using the token with the laurl may need a name-value pair and not just a value (see below).

  3. Depending on the answers to the previous questions, if someone has the URL of the manifest then it's unclear how this step adds any more security relative to just including the authorization token directly in the laurl. Is authzurl intended to have any security benefits? Is it intended to have operational benefits?

  4. How is the token returned from authzurl appended to the laurl? The two normal mechanisms are either a query argument or an HTTP header but there's no way to indicate if one is preferred over the other and both are name-value pairs in some form (see above).

I feel I must be missing something (or indeed several things) but what? Hopefully it is just some context.
