Use an OpenID to retrieve Primary Verification Key

Using MK.IO, you can delegate the authentication process to an external identity provider. This is all done through OpenID Connect. OpenID Connect, popularly abbreviated as OIDC, is a protocol that enables different types of applications to support authentication and identity management in a secure, centralized, and standardized way.

MK.IO will need you to add the openIdConnectDiscoveryDocument field that will point to the OpenId discovery document. In this case, the keyValue of the primaryVerificationKey can be left empty.

Below is a sample curl request doing just that with a simple Widevine DRM:

curl --request PUT \
     --url \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-mkio-token: " token" \
     --data '
    "properties": {
        "options": [
                "restriction": {
                    "issuer": "issuer",
                    "audience": "audience",
                    "@odata.type": "#Microsoft.Media.ContentKeyPolicyTokenRestriction",
                    "restrictionTokenType": "Jwt",
                    "primaryVerificationKey": {
                        "@odata.type": "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey",
                        "keyValue": ""                      
                    "openIdConnectDiscoveryDocument": "https://{host_url}/.well-known/OpenIdConfiguration
                "configuration": {
                    "@odata.type": "#Microsoft.Media.ContentKeyPolicyWidevineConfiguration",
                    "widevineTemplate": "{}"

MK.IO will then retrieve the proper JWT token and extract the primaryVerificationKey to use for this content key policy.

The content key policy can then be used when preparing the asset for streaming in the Stream Live and VOD assets section