Embedding Vimeo password protected videos on a white-listed domain - vimeo

I know this question has been asked before:
Vimeo - Sending password via javascript api
Show password protected Vimeo video without password
How to embed a password protected video by sending password through vimeo GET API 3 c#
But a year or more has passed since each question was asked and we are hoping Vimeo might have improved things/API as multiple users seem to be having the same requirement.
We are evaluating Vimeo for a client's video hosting needs and everything seems perfect and in-place. We will be doing custom integration and hence would be using their API as well as Player SDK to embed Vimeo videos into our portal.
However there's only one missing link we are trying to figure out:
Vimeo allows a video to be unlisted from vimeo.com and only shown in whitelisted domains; which is perfect. We would be using this feature.
However Vimeo further allows videos to be password protected. But when playing via the Player SDK, Vimeo always prompts the user for password which basically defeats the whole purpose of password protection. We have paid content videos and if we share password with one user; there's nothing preventing the user from distributing the password further.
The answers provided on questions above suggest making the videos private and show only on whitelisted domains. But won't the same be subject to header spoofing attacks?
I would have assumed Vimeo's oEmbed API would have enabled us to send the password for the video from our server, and then Vimeo would return a one-time playback link for the video which we could have rendered on the web using Vimeo's Player SDK. Thus providing even better protection for paid content/commercial videos.
However I see no such option being mentioned in the Player SDK/oEmbed API docs.
So is anyone aware of an option where a Vimeo password-protected video can be embedded on the page of a whitelisted domain and the password transparently shared with Vimeo by our server so the user does not need to input the password in the video itself?

The answer to the below would give you a clear picture:
I would have assumed Vimeo's oEmbed API ...
Once you have whitelisted the domain or an IP address, that computer or server is allowed to access resources. The request below takes your IP or domain to Vimeo, checks it against the whitelist rule, and returns the required JSON, which has everything; most important is the html, which has a secured URL:
https://vimeo.com/api/oembed.json?url=https://vimeo.com/videso/45215485
This is barrier based and would return you the JSON below:
{
"type": "video",
"version": "1.0",
"provider_name": "Vimeo",
"provider_url": "https://vimeo.com/",
"title": "ReflectionVOID",
"author_name": "Page Films",
"author_url": "https://vimeo.com/pagefilms",
"is_plus": "1",
"html": "<iframe src=\"https://player.vimeo.com/video/204420014\" width=\"640\" height=\"272\" frameborder=\"0\" title=\"ReflectionVOID\" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>",
"width": 640,
"height": 272,
"duration": 345,
"description": "",
"thumbnail_url": "https://i.vimeocdn.com/video/621081707_640.jpg",
"thumbnail_width": 640,
"thumbnail_height": 272,
"thumbnail_url_with_play_button": "https://i.vimeocdn.com/filter/overlay?src0=https%3A%2F%2Fi.vimeocdn.com%2Fvideo%2F621081707_640.jpg&src1=http%3A%2F%2Ff.vimeocdn.com%2Fp%2Fimages%2Fcrawler_play.png",
"upload_date": "2017-02-16 15:03:43",
"video_id": 204420014,
"uri": "/videos/204420014"
}
That's what I have just concluded.

Related

access stats using the vimeo API

I want to access the Vimeo stats with the Vimeo API to automatically get a list of the most viewed videos.
I am trying to access https://api.vimeo.com/me/videos/stats with an access token, but I get the following error:
{
"error": "Your access token does not have the \"stats\" scope"
}
Is it not possible to access the stats using the API, because I can't find a scope named "stats"? It only works from the stats admin page, where I can download the stats export as a CSV.
I read in a post from over a year ago that the stats API is not available yet. Does anyone know if this is still the case? I could not find anything in the Vimeo docs.
Stats are still unavailable via the Vimeo API.

Is it possible to playback a RingCentral call recording using a HTML5 audio element?

When using the RingCentral Call Log to access call recording audio files, a contentUri is provided in the response.record[x].recording object which points to a binary form of the call audio. The API's Authorization header is still necessary to retrieve this file.
Is it possible to play this back in a web app using an HTML5 audio element so we don't have to host/upload the call audio to our own system? It seems like this would need to avoid using the Authorization header and supply authorization in some other fashion. For example:
<audio src="https://media.ringcentral.com/.../recording/{recordingId}"></audio>
More information on the HTML5 audio element is available here:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/audio
It is possible to play back a RingCentral call recording using an HTML5 audio element without downloading and hosting the audio file yourself. Authorization is still required, so it must be passed using an approach other than the HTTP header.
Two approaches include:
1) Access Token in Query String
You can append the access token to the media URL as a query parameter so you have something like:
<audio
src="https://media.ringcentral.com/.../{recordingId}?access_token=MyToken">
</audio>
A caveat with this approach is that the URL will stop working when the access token expires, typically in one hour or less. This is useful for ephemeral links such as time-sensitive links in a chat stream, however, less so if the link needs to be retrieved later. For that, see the following approach.
2) Access Token in Cookie
If you want a permanent URL that doesn't expire, you can use a proxy service that manages the authentication for you. One way to do this is to use the RingCentral cookie-based Implicit Grant OAuth flow to transmit the access token to the proxy service. This way, when attempting to retrieve a media file via URL (without token), the proxy service can check if the cookie is present and valid. If it isn't, the proxy service can prompt for a successful Implicit Grant login before forwarding to the call recording media file. An example implementation of this is available here:
https://github.com/tylerlong/permalink

How to protect a video streaming url by hiding or masking it?

I need to add a video player to my website that will play content from video streaming (YouTube Live, Azure Media Services or any streaming services from a hosting company).
The player will be visible only to authenticated users, but as the streaming URL won't change, I needed to hide it from the user (maybe using DNS configuration in my domain or something else).
Do you know a way to protect the streaming URL?
Given the requirement that you do not want people to see the video even if they have gotten the URL (“so people that don't have signed up to my Web seminar won't be able to watch it”), and given that the player is available only to authenticated users, I have a suggestion:
Create a unique URL at your domain for each video stream.
When a user hits the URL of the stream, do the following:
Use your authentication logic to see if the user has permission.
If the user has permission, use a 301 or pass the stream through to the player.
If the user does not have permission, redirect the user to the login page (or whatever).
Repeat.
From experience, once you get much beyond that level of complexity you need to start looking at services that do this as their business model. Otherwise you run the risk of falling into the rabbit hole.
The caveat here is that once the user has the stream, a motivated person can still identify the source URL and do whatever with it.
If you want to protect your content, you have to encrypt it and decrypt it on the fly for authenticated users. The content key for decryption might be associated with specific media content and have an expiration. In this case, even users who know the streaming URI have to obtain the content key for decryption. You can use clear key encryption or DRM services to achieve this scenario. https://azure.microsoft.com/en-us/services/media-services/content-protection/ contains an overview of content protection options in Azure Media Services.
Nothing stops a user from opening any browser dev tool and copying the destination URI if you are just masking the URL by providing a redirect.
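The per-stream gate from the first answer, combined with the expiring-credential idea from the second, as an added Python example that is not code from either answer: the portal checks entitlement and redirects to a short-lived HMAC-signed link, and the stream origin verifies that link. The host stream.example.com, the signing key, the entitlement table and all function names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key"      # assumption: secret shared by portal and origin
ORIGIN = "https://stream.example.com"      # hypothetical origin that checks the signature
ENTITLEMENTS = {"alice": {"webinar-42"}}   # constructed sample data: user -> streams
TTL_SECONDS = 60                           # lifetime of a handed-out link


def _sign(stream_id, user, expires):
    msg = f"{stream_id}|{user}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def gate(session_user, stream_id, now=None):
    """Portal handler for /watch/<stream_id>; returns (status, Location)."""
    now = int(time.time()) if now is None else now
    if session_user is None or stream_id not in ENTITLEMENTS.get(session_user, set()):
        return 302, "/login"
    expires = now + TTL_SECONDS
    query = urlencode({"u": session_user, "exp": expires,
                       "sig": _sign(stream_id, session_user, expires)})
    # 302 rather than 301: a 301 may be cached by the browser, which would
    # let later requests skip this permission check.
    return 302, f"{ORIGIN}/{stream_id}/manifest.m3u8?{query}"


def origin_accepts(url, now=None):
    """Origin side: reject links that are unsigned, altered or expired."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        user, expires, sig = params["u"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return False
    if expires < now:
        return False
    stream_id = parsed.path.strip("/").split("/")[0]
    expected = _sign(stream_id, user, expires)
    return hmac.compare_digest(sig.encode(), expected.encode())
```

The signed link is still visible in browser dev tools, as both answers note; what changes is that a copied link stops working after `TTL_SECONDS` and cannot be edited to point at another stream.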

Authorization scope issues despite passing "scope" parameter

I am experiencing issues requesting "upload" authorization from Vimeo users OTHER than the user that created/registered the app.
Example:
User-A creates/registers new App-A via the Vimeo developer console. User-B is asked to authorize App-A to upload on their behalf. User-B is redirected to the Vimeo authorization UI and sees the following:
This app will enable you to:
Access all of your videos
This app will not allow you to:
Like videos
Update your video info
Upload videos to your account
Delete your videos
Despite specifying scope in the authentication request URL:
https://vimeo.com/oauth/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&locale=en_US&oauth_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fxxxxxxxxxxx.xxxxx.com%2Fapi%2Fauth%2Fvimeo%2Fverify&response_type=code&scope=upload&state={%22sessionId%22%3A%2243a9a9d1a7bd44d5a27d0f91b6185875%22}
BUT...
If I send the same request, but login as User-A instead then:
This app will enable you to:
Access all of your videos
Upload videos to your account
This app will not allow you to:
Like videos
Update your video info
Delete your videos
Am I missing something obvious?
Check the upload permissions you have been granted. If you only have owner permission, you can only request upload scope for the app owner.
If you have additional permissions, they are based on the target user's subscription level.
If you think you should still be able to upload, or if you need additional upload permissions, you will need to contact Vimeo directly at vimeo.com/help/contact.

Getting Permission Denied response from _request() call

I recently started getting a 'Permission Denied' response from our vimeo album. Everything was working correctly and nothing has changed on the application. Also, I checked and it appears no permissions have changed on the album or included videos in terms of permissions. However, we did change the servers we're hosting our main site on, which resulted in a change of IP addresses but the site URL did not change.
Is it possible that the IP change somehow messed up the request we make to vimeo? I looked in the admin settings on vimeo and didn't see anywhere we needed to specify IP addresses.
Basically, we're doing the following:
$vimeo = new phpVimeo(CONSUMER_KEY, CONSUMER_SECRET);
$vimeo->setToken(OAUTH_TOKEN,OAUTH_TOKEN_SECRET);
// **** GET THE VID DATA FROM VIMEO **** //
// 'full_response' must be a quoted string key; unquoted it is read as an undefined constant
$result = $vimeo->call('vimeo.albums.getVideos', array('album_id' => xxxxxxxx, 'full_response' => '1'));
$videos = $result->videos->video;
And, as I said, this was working great for a while. Any ideas on what may have happened? Thanks!
IP address should be irrelevant to the API.
My guess is that your account was part of the Adobe email breach (you should have received an email about this). Vimeo reset some tokens relating to the Adobe email breach to ensure account security.
If you were not part of the breach, you can contact Vimeo directly via https://vimeo.com/help/contact to learn more.