Mosaic products documentation: Concepts, API Reference, Technical articles, How-to, Downloads and tools

Signing License Service Message

It is not difficult to create an Entitlement Message. It is a JSON structure fully described in Axinom DRM Documentation.

To use an entitlement message with a license request, you need to wrap the entitlement message into a License Service Message and then create and sign the resulting JWT.

This article demonstrates how to do this in different programming languages.

Communication Key

To sign the JWT you will need an Axinom DRM Communication Key (ID and the value, both are GUIDs). You get one when you request your Axinom DRM configuration. You can create additional Communication Keys using License Service Management API.

The values below are just examples:

const communicationKeyId = "69e54088-e9e0-4530-8c1a-1eb6dcd0d14e";
const communicationKeyAsBase64 = "SGEpLQJ+JpeRCTMn5izu/b6kiaTH5aSXTMkEuED9fA8=";
Note
Communication Key displayed in the DRM configuration on the Portal or provided in a configuration PDF-file is in the base64 format.

Entitlement Message and License Service Message

For all examples below you need to create an Entitlement Message first and nest it into a License Service Message. Both are JSON structures, such as the ones below:

const keyId = "7459975d-b2f8-48ed-a325-56e4f34d19c7";

const entitlementMessage = {
    "type": "entitlement_message",
    "version": 2,
    "content_keys_source": {
        "inline": [
            {
                "id": keyId
            }
        ]
    }
}

const licenseServiceMessage = {
  "version": 1,
  "com_key_id": communicationKeyId,
  "message": entitlementMessage
}

Entitlement Message Tool

The easiest way to create and sign a License Service Message is to use Axinom’s Entitlement Message Tool.

Implementation in different languages

In all examples below jwtAsString is the resulting token which you can append to DRM license requests.

JavaScript (Node.js)

const jwt = require("jsonwebtoken");
...
let communicationKey = Buffer.from(communicationKeyAsBase64, "base64");
let jwtAsString = jwt.sign(licenseServiceMessage, communicationKey, {
    "algorithm": "HS256",
    "noTimestamp": true
});

Python

import jwt
import base64
...
communicationKey = base64.b64decode(communicationKeyAsBase64)
jwtAsString = jwt.encode(payload=licenseServiceMessage, key=communicationKey, algorithm='HS256')

PHP

use Firebase\JWT\JWT;
...
$communicationKey = base64_decode($communicationKeyAsBase64);
$jwtPayload = json_decode($licenseServiceMessage);
$jwtAsString = JWT::encode($jwtPayload, $communicationKey, 'HS256');

C#

using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
...

var jwtPayload = JwtPayload.Deserialize(licenseServiceMessage);
var communicationKey = Convert.FromBase64String(communicationKeyAsBase64);
var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(communicationKey), "HS256");
var jwt = new JwtSecurityToken(new JwtHeader(signingCredentials), jwtPayload);
var jwtAsString = new JwtSecurityTokenHandler().WriteToken(jwt);

Rust

use jsonwebtoken::{encode, Algorithm, EncodingKey, Header};
...

let jwtAsString = encode(
    &Header::new(Algorithm::HS256),
    &licenseServiceMessage,
    &EncodingKey::from_base64_secret(communicationKeyAsBase64).unwrap(),
).unwrap();

Go

import (
	"encoding/base64"
	"github.com/golang-jwt/jwt"
)
...

// licenseServiceMessage should be a Go structure corresponding to the JSON object above

token := jwt.NewWithClaims(jwt.SigningMethodHS256, licenseServiceMessage)
communicationKey, _ := base64.StdEncoding.DecodeString(communicationKeyAsBase64)
jwtAsString, _ := token.SignedString(communicationKey)

C++

#include "jwt-cpp/jwt.h"
#include "cpp-base64/base64.cpp"
...
string communicationKey = base64_decode(communicationKeyAsBase64, false);
string jwtAsString = jwt::create().set_type("JWT").set_payload_claim("licenseServiceMessage", licenseServiceMessage).sign(jwt::algorithm::hs256(communicationKey));

JavaScript (Client-side)

This code shows how to calculate the HMAC-SHA256 without specific JWT library, with some generic cryptographic library, in this case with the old but gold Google’s CryptoJS. This exact code is used by this Portal’s tools area, e.g by JWT-tool.

Warning
Never use the communication key on the client side in the end-user’s browser - for security reasons. Therefore, this sample has only limited usage. Use this approach only for fast prototyping/testing or in some admin-console UI logic.
<script
    src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
...
 var getToken = function (licenseServiceMessage , communicationKeyAsBase64) {

    //The licenseServiceMessage input can be of type JSON string or JSON object
    var licenseServiceMessageAsString = typeof licenseServiceMessage !== "string"
        ? JSON.stringify(licenseServiceMessage)
        : licenseServiceMessage;

    //Header
    var header_b64_f = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'; //constant

    //Payload
    var payload_b64 = CryptoJS.enc.Base64
        .stringify(CryptoJS.enc.Utf8.parse(licenseServiceMessageAsString));
    var payload_b64_f = payload_b64
        .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

    //Signature
    var secret_b64 = CryptoJS.enc.Base64.parse(communicationKeyAsBase64);
    var hmacsha256 = CryptoJS.HmacSHA256(header_b64_f + '.' + payload_b64_f, secret_b64);
    var hmacsha256_b64 = CryptoJS.enc.Base64.stringify(hmacsha256);
    var hmacsha256_b64_f = hmacsha256_b64
        .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

    //Return header.payload.signature JWT string aka license-token
    return header_b64_f + "." + payload_b64_f + "." + hmacsha256_b64_f;
}