WO2022049601A1 - Method and system for scaling content entitlement checks for a plurality of subscribers - Google Patents

Abstract

A method and system (150) for scaling content entitlement checks for a plurality of subscribers is disclosed. A token (400) embedding information including a token identifier, subscriber metadata and subscription claims is generated subsequent to successful authentication of a subscriber (150). The token (400) is provided to the electronic device (104) of the subscriber (102). A request for a playback URL and the token (400) is received from the electronic device (104) in relation to a selection of a content title. A content entitlement check is performed based on the information embedded within the token (400) to determine an eligibility of the subscriber (102) to access content associated with the content title. The playback URL is provided to the electronic device (104) if the subscriber (102) is deemed to be eligible to access the content. The playback URL facilitates display of the content on the electronic device (104).

Description

METHOD AND SYSTEM FOR SCALING CONTENT ENTITLEMENT CHECKS FOR A PLURALITY OF SUBSCRIBERS Cross-reference to related applications

This application claims priority from Indian provisional patent application 202021038139, filed on September 4, 2020, which is incorporated herein in its entirety by this reference thereto.

The present technology generally relates to delivery of media content to a plurality of users by Over-The-Top (OTT) streaming content providers and, more particularly, to a method and system for scaling entitlement checks performed by the OTT streaming content providers for determining whether each subscriber is eligible to access requested content from the OTT streaming content provider.

Background

On-demand video streaming as well as live streaming of content has gained popularity in recent times and, subscribers are increasingly using a variety of electronic devices to access streaming content. The streaming content is accessed on the electronic devices using Over-The-Top (OTT) media services (i.e. over the Internet). The OTT streaming content providers typically use a Content Delivery Network (CDN) to deliver streaming content to the electronic devices of the subscribers.

Currently, a subscriber accesses a User Interface (UI) of a mobile/web application associated with an OTT streaming content provider using an electronic device, such as a mobile phone, a laptop, a television (TV), and the like. The subscriber then provides a selection of a content title on the UI to request media content to view on the electronic device. A platform associated with the OTT streaming content provider receives the request from the subscriber to access the media content associated with the content title. The platform authenticates the subscriber’s account credentials and, further, performs a check to determine the type of subscription associated with the subscriber and whether the subscription is active or not. Such a check is referred to herein as a ‘content entitlement check’ or simply as an ‘entitlement check’. To perform the entitlement check, the content provider’s platform fetches the information related to the subscriber’s account from a remote server, also known as an entitlement server, and performs a check to determine whether the subscriber is eligible to view the media content or not. Such a check has to be performed for each request for media content and for each subscriber requesting media content from the content provider. As the number of subscribers wishing to view media content offered by the OTT streaming content provider increases exponentially, the content entitlement checks serve as a bottleneck in scaling the processing of content requests from a large number of subscribers. Moreover, a delay attributed to the platform’s communication with the entitlement server adds to the latency in completing subscriber requests for media content, thereby degrading an interaction quality experienced by the subscribers.

Accordingly, there is a need for a mechanism to overcome the bottleneck caused by performing several entitlement checks using a remote entitlement server. Further, it would be advantageous to accelerate content entitlement check for individual subscribers and, thereby offer a superior quality of interaction experience to the subscribers.

In an embodiment of the invention, a method for scaling content entitlement checks for a plurality of subscribers is disclosed. The method receives, by a system, a login request from an electronic device associated with a subscriber. The login request is provided by the subscriber in relation to a subscription account for accessing media content offered by a content provider. The method facilitates, by the system, authentication of login credentials of the subscriber based on the login request. The method generates, by the system, a token subsequent to the successful authentication of the login credentials. The token is embedded with information including a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with the subscription account. The method provides the token along with a confirmation of successful account login to the electronic device by the system, wherein the electronic device is configured to store the token. The method receives, by the system, a request for a playback Uniform Resource Locator (URL) and the token from the electronic device associated with the subscriber. The request for the playback URL is received in relation to a selection of a content title displayed on the electronic device. The method performs, by the system, a content entitlement check based on the information embedded within the token. The content entitlement check is configured to determine an eligibility of the subscriber to access content associated with the content title. The method provides the playback URL to the electronic device, by the system, in response to the request for the playback URL if the subscriber is deemed to be eligible to access the content based on the successful content entitlement check. The playback URL is configured to facilitate display of the content associated with the content title on the electronic device.

In an embodiment of the invention, a system for scaling content entitlement checks for a plurality of subscribers is disclosed. The system includes a memory module and a processing module. The memory module stores instructions, that when executed by the processing module, cause the system to at least receive a login request from an electronic device associated with a subscriber. The login request is provided by the subscriber in relation to a subscription account for accessing media content offered by a content provider. The system facilitates authentication of login credentials of the subscriber based on the login request. The system generates a token subsequent to the successful authentication of the login credentials. The token is embedded with information including a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with the subscription account. The system provides the token along with a confirmation of successful account login to the electronic device, wherein the electronic device is configured to store the token. The system receives a request for a playback Uniform Resource Locator (URL) and the token from the electronic device associated with the subscriber. The request for the playback URL is received in relation to a selection of a content title displayed on the electronic device. The system performs a content entitlement check based on the information embedded within the token. The content entitlement check is configured to determine an eligibility of the subscriber to access content associated with the content title. The system provides the playback URL to the electronic device, by the system, in response to the request for the playback URL if the subscriber is deemed to be eligible to access the content based on the successful content entitlement check. The playback URL is configured to facilitate display of the content associated with the content title on the electronic device.

In an embodiment of the invention, a method for scaling content entitlement checks for a plurality of subscribers is disclosed. The method receives, by a system, a request for a playback Uniform Resource Locator (URL) and a token from an electronic device associated with a subscriber. The request for the playback URL is received in relation to a selection of a content title displayed on the electronic device. The token is embedded with information including a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with a subscription account of the subscriber. The method performs, by the system, a content entitlement check, the content entitlement check including the steps of: (a) performing an integrity check of the token, where the integrity check is configured to determine a tamper status of the token, (b) retrieving the information embedded in the token subsequent to the determination of a negative tamper status during the integrity check of the token, (c) performing a validation check of the information retrieved from the token to validate the token, and (d) determining whether the subscriber is eligible to access the content associated with the content title selected by the subscriber based on the information embedded in the token. The method provides the playback URL to the electronic device, by the system, in response to the request for the playback URL if the subscriber is deemed to be eligible to access the content based on successful content entitlement check. The playback URL is configured to facilitate display of the content associated with the content title on the electronic device.

The advantages and features of the invention will become better understood with reference to the detailed description taken in conjunction with the accompanying drawings, wherein like elements are identified with like symbols, and in which:

Fig.1

shows a representation for illustrating the provisioning of content offered by a streaming content provider to a subscriber, in accordance with an embodiment of the invention;

Fig.2

is a block diagram of a system configured to enable scaling of content entitlement checks for a plurality of subscribers, in accordance with an embodiment of the invention;

Fig.3

is a block diagram illustrating example components of a token module for illustrating generation and processing of a token, in accordance with an embodiment of the invention;

Fig.4

shows a simplified representation of an example token, in accordance with an embodiment of the invention;

Fig.5

shows a simplified representation for illustrating example subscription claims embedded in the token of , in accordance with an embodiment of the invention;

Fig.6

shows a flow diagram for illustrating a process flow executed by the token module of for a content entitlement check, in accordance with an embodiment of the invention;

Fig.7

is a sequence flow diagram for illustrating a process flow for performing a content entitlement check for a subscriber, in accordance with an embodiment of the invention; and

Fig.8

shows a flow diagram of a method for scaling content entitlement checks for a plurality of subscribers, in accordance with an embodiment of the invention;

The drawings referred to in this description are not to be understood as being drawn to scale except if specifically noted, and such drawings are only exemplary in nature.

Detailed Description

The best and other modes for carrying out the present invention are presented in terms of the embodiments, herein depicted in FIGS. 1 to 8. The embodiments are described herein for illustrative purposes and are subject to many variations. It is understood that various omissions and substitutions of equivalents are contemplated as circumstances may suggest or render expedient but are intended to cover the application or implementation without departing from the spirit or scope of the invention. Further, it is to be understood that the phraseology and terminology employed herein are for the purpose of the description and should not be regarded as limiting. Any heading utilized within this description is for convenience only and has no legal or limiting effect.

The terms “a” and “an” herein do not denote a limitation of quantity, but rather denote the presence of at least one of the referenced items.

The term ‘media content’ as used herein primarily refers to any multimedia content, such as streaming video content, which is delivered to a user’s electronic device such as a mobile phone, a personal computer or a television set in response to user’s demand for content. Hereinafter, the term ‘media content’ is also interchangeably referred to as ‘content’ or ‘streaming content’ for purposes of the description.

shows a representation 100 for illustrating the provisioning of content offered by a streaming content provider to a subscriber 102, in accordance with an embodiment of the invention.

The term ‘streaming content provider’ as used herein refers to an owner of digital video content libraries, who offers the video content on a subscription basis by using a digital platform and over-the-top (OTT) media services, i.e. the video content is streamed over the Internet to the electronic devices of the subscribers. A streaming content provider is hereinafter referred to as a ‘content provider’ for ease of description.

The term ‘subscriber’ as used herein implies a user, who has subscribed, i.e. registered to a subscription plan (whether a free subscription plan or a paid subscription plan) from among a plurality of subscription plans for accessing content offered by the content provider. In at least some embodiments, the term ‘subscriber’ may also include one or more users in addition to the individual subscriber, such as for example family members of the subscriber. To that effect, the term ‘subscriber’ as used herein may include one or more users.

The content offered by the content provider may be embodied as streaming video content such as live streaming content or on-demand video streaming content. It is noted that though the content offered by the content provider is explained with reference to video content, the term ‘content’ as used interchangeably herein may not be limited to only video content. Indeed, the term ‘content’ as used herein may include ‘video content’, ‘audio content’, ‘gaming content’, ‘textual content’ and any combination of such content offered in an interactive or non-interactive form. Individuals wishing to view/access the media content may subscribe to at least one type of subscription offered by the content provider.

The provisioning of content to a subscriber in response to the subscriber’s request for accessing such content is explained hereinafter with reference to an illustrative example in . It is noted that the content provider is not shown in . The content provided by the content provider may be cached in one or more content delivery networks (CDNs), such as one or more CDNs from among a plurality of CDNs 180a to 180n shown in . Further, the information related to the CDNs and the availability of the content in those CDNs may be populated in a database 160 shown in .

The representation 100 depicts the subscriber 102 controlling an electronic device 104 for viewing/accessing media content offered by the content provider. The electronic device 104 is depicted to be a smartphone for illustration purposes. It is noted that the subscriber 102 may use one or more electronic devices, such as a television (TV), a laptop, a smartphone, a desktop or a personal computer to view the media content provided by the content provider.

In one illustrative example, the subscriber 102 may access a user interface (UI) of a mobile application or a Web application associated with a content provider by using the electronic device 104. It is understood that the electronic device 104 may be in operative communication with a communication network, such as the Internet, enabled by a network provider, also known as the Internet Service Provider (ISP). One example ISP network is depicted as an ISP network 180 in the representation 100. The electronic device 104 may connect to the ISP network 180 using a wired network, a wireless network, or a combination of wired and wireless networks. Some non-limiting examples of the wired networks may include the Ethernet, the Local Area Network (LAN), a fiber-optic network, and the like. Some non-limiting examples of the wireless networks may include the Wireless LAN (WLAN), cellular networks, Bluetooth or ZigBee networks, and the like. The electronic device 104 may fetch the UI associated with the content provider over the ISP network 180 and cause display of the UI on a display screen of the electronic device 104. In an illustrative example, the UI may include a plurality of content titles corresponding to the media content offered by the content provider to its subscribers.

In an illustrative example, the subscriber 102 may create an account and, as part of the account creation process, select a subscription type from among two or more subscription types offered by the content provider. For example, the subscriber 102 may choose to subscribe to standard/regular content, or, the subscriber 102 may choose to subscribe to premium content offered by the content provider. Once the account is created, the subscriber 102 may enter account credentials to login into the account.

A system 150 associated with the content provider may receive the login request from the electronic device 104 of the subscriber 102. The system 150 is depicted to be in operative communication with a pool of servers 170. The pool of servers 170 is exemplarily depicted to include an authentication server 172, an entitlement server 174, a tokenization server 176 and a secondary content server 178. The pool of servers 170 is depicted to include only four servers for illustration purposes. It is noted that the pool of servers 170 may include more or less number of servers than those depicted in the representation 100. Moreover, each server in the pool of servers 170 may be implemented as a stand-alone server or a distributed server system. For example, the secondary content server 178 may include one or more sub-servers for serving content, such as gaming content, quiz content, advertisement content or any such content, which can be viewed in conjunction with the requested media content selected by a subscriber, such as the subscriber 102.

In one embodiment, the system 150 is configured to extract login information, such as subscriber’s username and password from the login request. Further, the system 150 is also configured to extract information such as a type of electronic device (for example, mobile phone, TV or tablet device) used by the subscriber 102 for requesting the login, the type of login method (for example, Email or Web login), the type of network access (for example, cellular or Wi-Fi) and the like.

The system 150, in conjunction with the authentication server 172, is configured to authenticate the login credentials of the subscriber 102 based on the login information extracted from the login request. Subsequent to the successful completion of the authentication of the login credentials, the system 150 is configured to communicate with the entitlement server 174 and fetch information related to the subscription of the subscriber 102. The information related to the subscription of the subscriber that is fetched from the entitlement server 174 is also referred to herein as ‘subscription claims’. The subscription claims may include information such as a type of subscription (for example, regular or premium subscription), a status of the subscription (i.e. whether the subscription is active or expired), a validity date associated with the subscription, and a set of content access permissions. The term ‘set of content access permissions’ as used herein includes one or more content access permissions that the subscriber 102 is entitled to, based on the subscription of the subscriber 102. The set of content access permissions may also include at least one content access permission related to one or more features subscribed by the subscriber 102 in addition to the subscription associated with the subscription account. The subscription claims and more specifically, the set of content access permissions are explained in further detail with reference to FIGS. 4 and 5.

The system 150 is configured to generate a token and integrate the information related to the subscription of the subscriber 102 in the token. At least a part of information embedded in the token is fetched from the entitlement server 174 as explained above. More specifically, the subscription claims corresponding to the subscriber’s subscription account may be fetched from the entitlement server 174 and embedded along with other information, such as a token identifier (ID) and subscriber metadata, in the token generated in relation to the subscription of the subscriber 102. The information embedded in the token is also referred to hereinafter as ‘subscription related information’ or simply as ‘information’. The integration of the subscription related information in the token may involve encryption of the information prior to the integration within the token. In some embodiments, the information may be subjected to encryption, encoding, compression or any combinations thereof prior to the integration of the information in the token.

Subsequent to the generation of the token, the system 150 is configured to provide the token along with a confirmation of successful account login to the electronic device 104 of the subscriber 102 in response to the subscriber’s login request. The electronic device 104 may thereafter store the token, for example by maintaining a cached copy of the token. The token embedded with the information related to the subscriber’s subscription facilitates content entitlement check, when the subscriber 102 requests access to a content offered by the content provider as will be explained in detail with reference to .

In one illustrative example, the subscriber 102 may select a content title from among the plurality of content titles displayed on the UI of the mobile/web application associated with the content provider. The selection of the content title may trigger a request for a playback uniform resource locator (URL). The request for the playback URL is sent from the electronic device 104 to the system 150 along with the token. As explained above, the token includes subscription related information of the subscriber 102. The transmission of the request for the playback URL and the token from the electronic device 104 to the system 150 is exemplarily depicted using a communication link 106.

In at least one embodiment, the system 150, on receipt of the request for playback URL, is configured to perform an integrity check of the token to determine if the token is tampered with. If the token is not tampered with, the subscription related information of the subscriber 102 is extracted from the token and decrypted. The token and the decrypted information is validated, i.e., checks are performed to confirm that the token is not a blacklisted token and that the information within the token is not altered. Further, additional checks are performed to determine whether the subscriber 102 is eligible to view the content associated with the requested content title based on the subscription related information of the subscriber 102 embedded in the token. The embedded subscription related information in the token may enable the system 150 to perform such a content entitlement check locally without the need to communicate with the entitlement server 174 in most cases (except for some exceptional scenarios, wherein the token or its contents are tampered with). The local content entitlement checks substantially accelerates the content entitlement check process and overcomes the drawback of communicating with a remote entitlement server, such as the entitlement server 174, for each content request from each subscriber.

On successful completion of the content entitlement check, the system 150 is configured to generate a playback URL based, at least in part on a CDN point of presence (PoP) chosen from among PoPs associated with the plurality of CDNs 180a – 180n for serving the subscriber 102 with the requested media content. A CDN point of presence (PoP) may be chosen based on one or more criteria, such as the proximity of the PoP to the subscriber 102 within the subscriber’s home network/peering network, the health of the CDN PoP, the availability of requested content at the PoP, and the like. The system 150 then provides the playback URL to the electronic device 104. The provisioning of the playback URL from the system 150 to the electronic device 104 is exemplarily depicted using a communication link 108.

The electronic device 104 may be configured to generate a Hyper Text Transfer Protocol (HTTP) request using the playback URL and provide the token along with HTTP request to the ISP network 180. The transmission of the HTTP request and the token from the electronic device 104 to the CDN over the ISP network 180 is exemplarily depicted using a communication link 110. The delivery of the content from a CDN, such as the CDN 180a, to the electronic device 104 via the ISP network 180 is exemplarily shown using the communication link 112.

is a block diagram of the system 150 configured to enable scaling of content entitlement checks for a plurality of subscribers, in accordance with an embodiment of the invention. In at least one embodiment, the system 150 corresponds to a digital platform associated with content provider. The digital platform is configured to facilitate provisioning of streaming content, such as live streaming content or video on-demand content, to the plurality of subscribers.

The system 150 is depicted to include a processing module 202, a memory module 204, an input/output (I/O) module 206 and a communication module 208. It is noted that although the system 150 is depicted to include the processing module 202, the memory module 204, the I/O module 206 and the communication module 208, in some embodiments, the system 150 may include more or fewer components than those depicted herein. The various components of the system 150 may be implemented using hardware, software, firmware or any combinations thereof. Further, the various components of the system 150 may be operably coupled with each other. More specifically, various components of the system 150 may be capable of communicating with each other using communication channel media (such as buses, interconnects, etc.). It is also noted that one or more components of the system 150 may be implemented in a single server or a plurality of servers, which are remotely placed from each other.

In one embodiment, the processing module 202 may be embodied as a multi-core processor, a single core processor, or a combination of one or more multi-core processors and one or more single core processors. For example, the processing module 202 may be embodied as one or more of various processing devices, such as a coprocessor, a microprocessor, a controller, a digital signal processor (DSP), a processing circuitry with or without an accompanying DSP, or various other processing devices including integrated circuits such as, for example, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a microcontroller unit (MCU), a hardware accelerator, a special-purpose computer chip, or the like. In one embodiment, the memory module 204 is capable of storing machine executable instructions, referred to herein as platform instructions 218. Further, the processing module 202 is capable of executing the instructions stored in the memory module 204, i.e., the processing module 202 is capable of executing the platform instructions 218. In an embodiment, the processing module 202 may be configured to execute hard-coded functionality. In an embodiment, the processing module 202 is embodied as an executor of software instructions, wherein the instructions may specifically configure the processing module 202 to perform the algorithms and/or operations described herein when the instructions are executed. The processing module 202 is depicted to include a token module 210 and a playback composite 212.

The memory module 204 stores instructions/code configured to be used by the processing module 202, or more specifically by the various modules of the processing module 202 such as the token module 210 and the playback composite 212 to perform respective functionalities, as will be explained in detail with reference to FIGS. 2 to 6. The memory module 204 may be embodied as one or more non-volatile memory devices, one or more volatile memory devices and/or a combination of one or more volatile memory devices and non-volatile memory devices. For example, the memory module 204 may be embodied as semiconductor memories, such as flash memory, mask ROM, PROM (programmable ROM), EPROM (erasable PROM), RAM (random access memory), etc. and the like.

In an embodiment, the I/O module 206 may include mechanisms configured to receive inputs from and provide outputs to an operator of the system 150. The term ‘operator of the system 150’ as used herein may refer to one or more individuals, whether directly or indirectly, associated with managing digital OTT platform on behalf of the content provider. To enable reception of inputs and provide outputs to the system 150, the I/O module 206 may include at least one input interface and/or at least one output interface. Examples of the input interface may include, but are not limited to, a keyboard, a mouse, a joystick, a keypad, a touch screen, soft keys, a microphone, and the like. Examples of the output interface may include, but are not limited to, a display such as a light emitting diode display, a thin-film transistor (TFT) display, a liquid crystal display, an active-matrix organic light-emitting diode (AMOLED) display, a microphone, a speaker, a ringer, and the like.

In an example embodiment, at least one module of the system 150 may include I/O circuitry (not shown in ) configured to control at least some functions of one or more elements of the I/O module 206, such as, for example, a speaker, a microphone, a display, and/or the like. The module of the system 150 and/or the I/O circuitry may be configured to control one or more functions of the one or more elements of the I/O module 206 through computer program instructions, for example, software and/or firmware, stored on a memory, for example, the memory module 204, and/or the like, accessible to the modules of the system 150.

The communication module 208 is configured to facilitate communication between the system 150 and one or more remote entities over a communication network. For example, the communication module 208 is capable of facilitating communication with electronic devices of subscribers, with ISPs, with edge servers associated with CDNs, with content ingestion servers, and the like.

The system 150 is depicted to be in operative communication with a database 160. The database 160 is any computer-operated hardware suitable for storing and/or retrieving data. In one embodiment, the database 160 is configured to store information such as a database of network Autonomous System Numbers (ASN) and IP addresses (also referred to herein as ASN/IP pool), a database of blacklisted token IDs, a CDN-content map, heartbeat information received from subscriber electronic devices, hostnames for playback URLs, and the like. The database 160 may include multiple storage units such as hard disks and/or solid-state disks in a redundant array of inexpensive disks (RAID) configuration. In some embodiments, the database 160 may include a storage area network (SAN) and/or a network attached storage (NAS) system. In one embodiment, the database 160 may correspond to a distributed storage system, wherein individual databases are configured to store custom information, such as routing policies, ASN/IP pool, blacklisted token IDs, etc.

In some embodiments, the database 160 is integrated within the system 150. For example, the system 150 may include one or more hard disk drives as the database 160. In other embodiments, the database 160 is external to the system 150 and may be accessed by the system 150 using a storage interface (not shown in ). The storage interface is any component capable of providing the processing module 202 with access to the database 160. The storage interface may include, for example, an Advanced Technology Attachment (ATA) adapter, a Serial ATA (SATA) adapter, a Small Computer System Interface (SCSI) adapter, a RAID controller, a SAN adapter, a network adapter, and/or any component providing the processing module 202 with access to the database 160.

As explained with reference to , the subscriber 102 may create an account and, as part of the account creation process, select a subscription type from among two or more subscription types offered by the content provider. Once the account is created, the subscriber 102 may enter login credentials to login into the account.

As explained with reference to , the system 150 may receive the login request from the electronic device 104 of the subscriber 102. The system 150 may use the communication module 208 to receive the login request from the electronic device 104. The login request is forwarded to the processing module 202. In at least one embodiment, the token module 210 within the processing module 202 is configured to receive the login request. The token module 210, in conjunction with an authentication server (not shown in ), may authenticate the login credentials of the subscriber 102. Subsequent to the successful completion of the authentication of the login credentials, the token module 210 is configured to generate a token. The generation and the processing of the token is explained next with reference to FIGS. 3 and 4.

Referring now to , is a block diagram 300 for illustrating example components of the token module 210 for illustrating generation and processing of a token, in accordance with an embodiment of the invention. The token module 210 is depicted to include a token generation module 302, a token validation module 304 and a token verification module 306.

The token generation module 302 is configured to receive the login request from the electronic device 104 of the subscriber 102 (shown in ). The token generation module 302 is depicted to be in operative communication with one or more servers from the pool of servers 170 (shown in ), such as the authentication server 172 and the entitlement server 174. The token generation module 302 is configured to extract login information, such as subscriber’s login credentials from the login request and provide the extracted login information, such as the username and password of the subscriber 102 to the authentication server 172 to authenticate the subscriber 102. The authentication server 172 may use at least one of several authentication modes to perform subscriber authentication. For example, the authentication server 172 may verify the subscriber’s login credentials and thereafter use one or more authentication modes from among a Short Message Service (SMS), an Interactive Voice Response System (IVRS), a social media account and an electronic mail (E-mail) account to authenticate a personal identity of the subscriber 102. For example, the authentication server 172 may send a One-Time Password (OTP) via SMS to a registered phone number of the subscriber 102 and request the subscriber 102 to enter the OTP on the UI of the mobile/web application associated with the content provider. Alternatively, the authentication server 172 may send a Web link/URL to the subscriber’s registered Email account (i.e. email address) and request the subscriber 102 to select the Web link/URL to authenticate the personal identity of the subscriber 102.

On successful completion of the authentication, the token generation module 302 is configured to communicate with the entitlement server 174 and fetch information related to the subscription of the subscriber 102. As explained with reference to , the information related to the subscription of the subscriber that is fetched from the entitlement server 174 is also referred to herein as ‘subscription claims’. The subscription claims may include information such as a type of subscription (for example, regular or premium subscription), a status of the subscription (i.e. whether the subscription is active or expired), a validity date associated with the subscription, and a set of content access permissions. The set of content access permissions includes one or more content access permissions that the subscriber 102 is entitled to, based on the subscription of the subscriber 102. The set of content access permissions may also include at least one content access permission related to one or more features subscribed by the subscriber 102 in addition to the subscription associated with the subscription account.

The token generation module 302 is configured to generate a token. The token may be embodied as a JSON Web Token (JWT) protected using hash-based message authentication code (HMAC) to protect the contents of the JWT. The token generation module 302 is further configured to embed/integrate the subscription claims fetched from the entitlement server 174 along with other information such as token identifier (ID) and subscriber metadata in the token. The token identifier, the subscriber metadata and the subscription claims are collectively referred to as ‘information’ that is embedded or integrated in the token. The integration of the information in the token may involve encryption of the information prior to integrating the information in the token. In some embodiments, the information may be subjected to encryption, encoding, compression or any combinations thereof prior to the integration of the information in the token. A simplified representation of the token generated by the token generation module 302 is shown in .

Referring now to , a simplified representation of an example token 400 generated by the token generation module 302 is shown in accordance with an embodiment of the invention. As explained with reference to , the token generation module 302 is configured to generate a token subsequent to the successful completion of the authentication of the subscriber’s login credentials. The generated token includes embedded information, such as the token ID, subscriber metadata and subscription claims. Accordingly, the token 400 is exemplarily depicted to include three information types 402, 404 and 406 associated with text ‘Token ID’, ‘Subscriber Metadata’ and ‘Subscription Claims’, respectively. It is noted that only a simplified representation of the token 400 is depicted in . The token 400 may include fewer or more number of information types than those depicted in . Moreover, the information types may also be different than those depicted in .

The token ID 402 is configured to include a token identification number, which uniquely identifies the token 400. The subscriber metadata 404 includes information related to the subscriber 102, such as the subscriber’s name, email address, and such other subscriber personal information. The subscriber metadata 404 also includes information extracted from the subscriber’s login request, such as the type of electronic device (for example, mobile phone, TV or tablet device) used by the subscriber 102 for requesting the login, the type of login method (Email or Web login), type of network access (cellular or Wi-Fi), subscriber location, and the like.

The subscription claims 406 integrated in the token 400 include information related to the content entitlement that subscriber 102 is eligible for, given the type of subscription of the subscriber 102. For example, the subscription claims 406 include information related to a type of subscription (whether regular or premium), a current status of the subscription (i.e. whether the subscription is active or not), a validity date of the subscription (for example, till what time period the subscription is valid) and a plurality of content access permissions (hereinafter interchangeably referred to as ‘set of content access permissions’) that are associated with the subscriber’s subscription. In an illustrative example, a regular subscription may allow subscribers to access only local/regional content and language dubbed versions of the local/regional content, whereas a premium subscription may allow subscribers to additionally access content sourced from international locations and/or content in English and other foreign languages. Accordingly, the content access permissions may include one or more permissions related to what type of content can be accessed in relation to the subscription type associated with the subscriber’s account. Further, the current location of the subscriber 102 may also determine what content can be accessed by the subscriber 102. For example, a premium subscriber may not be entitled to view certain types of subscribed content in certain countries and, accordingly, the set of content access permissions may include permissions related to content allowed to be accessed based on location. Furthermore, the subscriber 102 may have subscribed to additional features over and above the subscription associated with the subscriber’s account. For example, the subscriber 102 may have paid for availing additional features, such as ad-free content, game scorecard including rich information, Dolby stereo sound content, 4K resolution content, and the like. Accordingly, the set of content access permissions may include at least one permission related to one or more features that are subscribed by the subscriber 102 in addition to the subscription associated with the subscription account. It is noted that type of information integrated in the token 400 may not be limited to examples explained herein, and, indeed the token 400 may be configured to include a variety of information related to the subscription of the subscriber 102. A representation of example content access permissions included as part of subscription claims 406 in the token 400 is shown in .

Referring now to , a simplified representation 500 is shown for illustrating example subscription claims 406 embedded in the token 400 of , in accordance with an embodiment of the invention. As explained with reference to , the subscription claims 406 (shown in ) include information related to a type of subscription (whether regular or premium), a current status of the subscription (i.e. whether the subscription is active or not), a validity date of the subscription (for example, till what time period the subscription is valid) and a plurality of content access permissions that are associated with the subscriber’s subscription. As an example, a simplified representation of the subscription claims is shown in the representation 500.

The representation 500 is depicted to include information related to a subscription type 502 which is exemplarily depicted as ‘REGULAR’, a subscription status 504 which is exemplarily depicted as ‘ACTIVE’, a subscription validity date 506 which is exemplarily depicted as ‘27 August 2022’ and a plurality of content access permissions 508 which is exemplarily depicted as a list labeled under a title ‘SET OF CONTENT ACCESS PERMISSIONS’. The set of content access permissions include a list of actions and each action is associated with a permission status chosen from one among ‘PERMITTED’, ‘RESTRICTED’ and ‘PARENTAL CONTROL’. For example, an action related to accessing content in regional language, accessing reviews, providing ratings, accessing trailers, accessing English subtitles, change viewing preferences, etc. are permitted. Similarly, the actions related to accessing Dolby stereo surround sound, accessing English language content, watching Ad-free content, etc. are restricted. Some actions such as accessing adult content, gaming content, and the like, are depicted to be permitted with parental control. It is noted that if the subscriber 102 (shown in ) has subscribed to additional features over the ‘regular’ subscription, such as to Ad free content or 4K resolution content, then such actions may be associated with permitted status in the subscription claims. Alternatively or additionally, if the subscriber 102 switches to ‘premium subscription’, then actions such as accessing English language content or Dolby surround sound content may be associated with a permitted status in the subscription claims.

In some scenarios, if an overall number of actions within the set of content access permissions is large, then a size of the subscription claims fetched from the entitlement server 174 may be large and it may not be feasible to integrate all the subscription claims in the token 400 as this may exceed a predefined threshold size of the token (for example, a predefined size in KB or MB). To address this, the token generation module 302 may be configured to segregate the set of content access permissions within the subscription claims into a critical set of access permissions, i.e. actions associated with primary content access, and a non-critical set of access permissions, i.e. actions related to subscriber requests for making changes to viewing preferences, adding features, etc. Thereafter, the token generation module 302 may integrate only the critical set of access permissions in the token 400 along with other non-content access related information, such as the type of subscription, status of the subscription and a validity date of the subscription. More specifically, the token generation module 302 may skip integrating the non-critical set of access permissions in the token 400. It is noted that the non-critical set of access permissions may still be available for access in the entitlement server 174.

As explained with reference to , the token ID 402, the subscriber metadata 404 and the subscription claims 406 may be subjected to processing in the form of encryption, encoding and/or compression prior to the integration of such information in the token 400.

Referring back to , subsequent to the generation of a token, such as the token 400 explained with reference to by the token generation module 302, the token module 210 of the system 150 is configured to provide the token along with a confirmation of successful account login to the electronic device 104 of the subscriber 102 in response to the subscriber’s login request. The electronic device 104 may thereafter store the token, e.g., maintain a cached copy of the token in a local device storage.

In one illustrative scenario, subsequent to the successful login, a plurality of content titles may be displayed on a UI of a mobile/web application associated with the content provider on a display screen associated with the electronic device 104 of the subscriber 102. The subscriber 102 may click on a content title displayed on the UI. The selection on the content title may trigger a request for a playback URL from the subscriber’s electronic device 104 to the system 150. The request for the playback URL is sent from the electronic device 104 to the system 150 along with the token. As explained above, the token includes subscription related information of the subscriber 102.

The token module 210 is configured to receive the token 400 provided by the electronic device 104 of the subscriber 102. The token validation module 304 in the token module 210 is configured to perform one or more checks, such as an integrity check 308, a shallow check 310 and a deep check 312, as part of a content entitlement check, as will be explained in detail hereinafter.

In at least one embodiment, the token validation module 304 is configured to perform the integrity check 308 to determine if the token 400 is tampered or not. As explained with reference to , the token may be embodied as JWT and protected using HMAC. In at least some embodiments, the HMAC credentials may be checked to determine whether the token has been tampered with or not. If the integrity check 308 returns a positive tamper status, i.e. token 400 fails the integrity check 308, i.e. if it is determined that the token has been tampered with, then the token validation module 304 is configured to perform the content entitlement check based on the information stored in the entitlement server 174. More specifically, the token validation module 304 may extract the content title and subscriber login credentials from the request for the playback URL. The extracted content title and the subscriber login credentials are used to run a check in the entitlement server 174, which stores the subscription claims corresponding to the subscriber’s subscription account.

If the integrity check 308 returns a negative tamper status, i.e., that is if it is determined that the token 400 has not been tampered with, then the token validation module 304 is configured to perform the content entitlement check locally, i.e., the content entitlement check is performed without the need to communicate with the entitlement server 174. Subsequent to the determination of a negative tamper status during the integrity check 308 of the token 400, the token validation module 304 is configured to retrieve the information embedded in the token (for example, by decrypting the information) and perform a validation check of the information. The validation of the information embedded in the token may first involve analyzing the request for the playback URL and determining whether the subscriber 102 is seeking to view/access media content or perform a non-content access related action. Some non-limiting examples of non-content access related actions may include accessing other subscriber reviews, accessing information related to the content titles and not a specific content title, etc. If the subscriber 102 is desirous of performing a non-content access related action, then the token validation module 304 performs the shallow check 310, i.e. the token validation module 304 is configured to ascertain whether the subscriber 102 is eligible to perform the non-content access related action based on the subscription claims. More specifically, the token validation module 304 determines whether the permissions included in the set of content access permissions allow the non-content access related action requested by the subscriber 102 or not. If such an action is allowed based on permissions entitled to the subscriber 102, then the token 400 is considered to be validated. However, if the subscriber 102 is desirous of performing a content access related action, then the token validation module 304 is configured to perform the deep check 312.

In the deep check 312, the token validation module 304 is configured to first determine if individual information pieces integrated in the token are not tampered with. In one illustrative example, individual information pieces such as the token ID, the subscriber metadata and/or individual content access permissions may be encoded with parity to facilitate determination of whether the individual information pieces were tampered or not. As part of the deep check 312, the token validation module 304 is also configured to compare the token ID with entries in the blacklisted token ID database to determine if the token is a blacklisted token ID i.e. a token ID that is barred from accessing content because of potential security risks or for concerns related to unauthorized access. If the individual content pieces in the token are found to be tampered with or if the token ID is determined to be a blacklisted token ID, then the token validation module 304 may be configured to perform a verification of the information accuracy (i.e. confirm the validity of the information) by comparing the information retrieved from the token with the information stored in the entitlement server 174. If the result of the verification is a failure, then the subscriber’s access to content is blocked and an appropriate message is caused to be displayed on the electronic device 104 of the subscriber 102. However, if the individual content pieces in the token are not found to be tampered with and if the token ID is not a blacklisted token ID, then the token validation module 304 is configured to deem the token as validated.

Once the token validation is completed by the token validation module 304, the token is forwarded to the token verification module 306. It is noted that only those tokens, which have cleared the token validation check are forwarded by the token validation module 304 to the token verification module 306. The token verification module 306 is configured to use the information related to the various form fields in the token to perform an entitlement check for the subscriber, i.e. determine whether the subscriber 102 is eligible to view the content requested by the subscriber 102. In at least some embodiments, the token verification module 306 is configured to extract a network ASN from the request for playback URL. The token verification module 306 then compares the extracted ASN with entries in the ASN/IP pool in the database 160 to determine the telecom operator/ISP associated with the subscriber 102. The token verification module 306 is further configured to check whether the telecom operator/ISP is a registered partner of the content provider. Such a check is also referred to herein as a ‘partner check’. If the result of the partner check is a success, i.e. if the subscriber 102 is using a partner ISP network for viewing content provided by the content provider, then for certain predefined types of content, such as freemium content (i.e., content offered for free), the entitlement check for the subscriber 102 is skipped. However, if the subscriber 102 is using a partner ISP network for viewing content provided by the content provider and if the subscriber 102 is requesting access to a non-freemium content, i.e. content not offered as free content and content for which the subscribers are asked to pay for, the token verification module 306 is configured to perform the entitlement check, which may involve checking the request for the content title against the list of permitted actions in the subscription claims embedded in the token to determine whether the subscriber 102 is eligible to view the content requested by the subscriber 102 or not. As all the required information for performing the entitlement check, such as the subscription type, subscription status, the validity and the claims are included within the token, the token module 210 (i.e. the system 150) does not need to communicate with the entitlement server 174 to perform the entitlement check. As the entitlement check can be performed locally on account of integrating subscription related information in the token itself, the entitlement check process is substantially accelerated. Moreover, the entitlement check is not performed for subscribers, whose tokens have expired or whose tokens are blacklisted. Moreover, the entitlement check is also skipped for subscribers using partner networks and who seek to access certain types of content. On account of integration of the subscription related information in the token (which precludes the need to communicate with a remote entitlement server) and the execution of selective entitlement checks, the system 150 is able to scale the content entitlement check process to a large number of subscribers. A process flow executed by the various modules of the token module 210 for performing content entitlement checks is explained next with reference to .

shows a flow diagram for illustrating a process flow 600 executed by the token module 210 for performing a content entitlement check, in accordance with an embodiment of the invention. The process flow starts at 602.

At 602 of the process flow 600, the token module 210 receives a request for the playback URL and a token.

At 604 of the process flow 600, an integrity check of the token is performed by the token module 210. More specifically, the token validation module 304 is configured to check if the token is tampered or not. For example, the HMAC credentials of the JWT may be checked to determine whether the token has been tampered with or not.

At 606 of the process flow 600, it is determined whether the integrity check returns a negative tamper status, i.e. the token is not tampered with. If the negative tamper status is not returned, i.e., the integrity check of the token returns a fail status implying that the token is tampered with, then 608 is performed. At 608, the content entitlement check is performed using the information stored in an entitlement server, such as the entitlement server 174, and the process flow 600 for content entitlement check ends at 608.

If a negative tamper status is returned at 606, i.e. the integrity check of the token returns a success status implying that the token is not tampered with, then 610 is performed. At 610, it is determined whether a content access related action is being requested by the subscriber. To this effect, the token validation module 304 may be configured to check the request for the playback URL and determine whether the subscriber is seeking to perform a content access related action or a non-content access related action. If the subscriber is seeking to perform a non-content access related action then 612 is performed, else 616 is performed.

At 612, a shallow check is performed by the token validation module 304, i.e. the token validation module 304 is configured to ascertain whether the subscriber is eligible to perform the non-content access related action based on the subscription claims. More specifically, the token validation module 304 determines whether the permissions included in the set of content access permissions allow the non-content access related action requested by the subscriber 102 or not. If such an action is allowed based on permissions entitled to the subscriber 102, then the token 400 is considered to be validated.

At 614, the subscriber is entitled to perform the non-content access related action and the process flow 600 for content entitlement check ends at 614.

At 616, subsequent to the determination that the subscriber is seeking to perform a content access related action, a deep check is performed, i.e., the token validation module 304 is configured to first determine if individual information pieces integrated in the token are not tampered with. In one illustrative example, individual information pieces such as the token ID, the subscriber metadata and/or individual content access permissions are encoded with parity to facilitate determination of whether the individual information pieces were tampered or not. As part of the deep check, the token validation module 304 is also configured to compare the token ID with entries in the blacklisted token ID database to determine if the token ID is a blacklisted token ID i.e. a token ID barred from accessing content because of potential security risks or for concerns related to unauthorized access. If the individual content pieces in the token are found to be tampered with or if the token ID is determined to be a blacklisted token ID, then the token validation module 304 may be configured to perform a verification of the information accuracy (i.e. confirm the validity of the information) by comparing the information retrieved from the token with the information stored in the entitlement server 174. If the result of the verification is a failure, then the subscriber’s access to content is blocked and an appropriate message is caused to be displayed on the electronic device 104 of the subscriber 102. However, if the individual content pieces in the token are not found to be tampered with and if the token ID is not a blacklisted token ID, then 618 is performed.

At 618, a token verification is performed by the token verification module 306, which may involve checking the request for the content title against the list of permitted actions in the subscription claims embedded in the token to determine whether the subscriber is eligible to view the content requested by the subscriber or not. At 620, it is determined whether token verification is a success or not. If the token verification is a success, then at 622, the user is deemed to be entitled to access the requested content and the process flow 600 ends at 622. If the token verification is a failure, then at 624, the user is deemed to be not eligible to access the requested content and the process flow 600 ends at 624.

Referring back to , once the entitlement check is completed by the token module 210, a CDN is chosen for serving the subscriber 102 with requested content. The CDN may be selected by the playback composite 212 based on the proximity of the CDN PoP to the subscriber 102 within the subscriber’s home/peering network, the health of the CDN PoP, the availability of requested content in the CDN PoP, and the like. The playback composite 212 is further configured to generate the playback URL, based at least in part on the hostname of the chosen CDN PoP. The playback composite 212 is further configured to provide the playback URL to the electronic device 104 of the subscriber 102 in response to the subscriber’s request for the playback URL. More specifically, the communication module 208 (shown in ) of the system 150 may facilitate transmission of the playback URL to the electronic device 104 associated with subscriber 102. Further, as explained with reference to , the electronic device 104 of the subscriber 102 may be configured to use the playback URL to generate an HTTP request for requesting content and transmit the HTTP request along with the token over the ISP network 180 (shown in ). The ISP network 180 may facilitate delivery of the subscriber’s request for content to the chosen CDN and also facilitates fetching of the desired content for the subscriber 102. In other words, the electronic device 104 is configured to fetch the content by from the CDN over a communication network, such as the ISP network 180, using the IP address provided in the playback URL to facilitate display of the content on a display screen of the electronic device 104.

is a sequence flow diagram for illustrating a process flow 700 for performing a content entitlement check for a subscriber 702, in accordance with an embodiment of the invention. The process flow 700 starts at 712.

The subscriber 702 accesses a UI of a mobile/web application associated with the content provider on the electronic device 704 associated with the subscriber 702 and creates a subscriber account. Thereafter, the subscriber 702 provides a login request to log into the subscriber account. The login request is provided to the system 150 for authentication purposes at 712.

At 714, the system 150 utilizes the services of an authentication server (not shown in ) in the pool of servers 170 (also shown in ) to authenticate the login credentials of the subscriber 702 included in the login request. The authentication server may use at least one mode from among a SMS mode, an IVRS mode, a social media mode and an Email mode to authenticate the login credentials of the subscriber 702.

At 716, the system 150 fetches entitlement information from an entitlement server (not shown in ) in the pool of servers 170 subsequent to the successful completion of the authentication. Some examples of the entitlement information fetched from the entitlement server include information related to the subscription type (i.e. regular/premium subscription), subscription status (i.e. active/expired), subscription validity and subscription claims associated with the subscription type of the subscriber 702.

At 718, the system 150 generates a token. In one embodiment, the token may be embodied as a JW Token protected using HMAC.

At 720, the system 150 embeds/integrates the fetched entitlement information related to subscription account of the subscriber 702 in the token.

At 722, the token is provided to the electronic device 704 in response to the successful completion of the subscriber login.

At 724, the electronic device 704 is configured to store the token.

At 726, the subscriber 702 seeking to view content associated with a content title, selects the content title.

At 728, a request for playback URL is sent along with the token to the system 150 from the electronic device 704.

At 730, the system 150 performs a content entitlement check based on the information embedded in the token. As explained with reference to FIGS. 5 and 6, the system 150 may perform an integrity check, a shallow check and/or a deep check and a token verification to complete the content entitlement check. In some embodiments, a partner check may be performed prior to initiating the entitlement check to determine whether the entitlement check has to be performed for the subscriber 702 or not.

At 732, the system 150 generates a playback URL corresponding to a selected CDN PoP chosen for serving the requested content to the subscriber 702.

At 734, the playback URL is provided to the electronic device 704 of the subscriber 702. As explained with reference to FIGS. 1 and 2, the electronic device 704 of the subscriber 702 may use the playback URL to fetch content from the chosen CDN PoP. The process flow 700 ends at 734.

shows a flow diagram of a method 800 for scaling content entitlement checks for a plurality of subscribers, in accordance with an embodiment of the invention. The various steps and/or operations of the flow diagram, and combinations of steps/operations in the flow diagram, may be implemented by, for example, hardware, firmware, a processor, circuitry and/or by a system such as the system 150 explained with reference to to 7 and/or by a different device associated with the execution of software that includes one or more computer program instructions. The method 800 starts at operation 802.

At operation 802 of the method 800, a login request is received by a system, such as the system 150 explained with reference to FIGS. 1 to 7, from an electronic device associated with a subscriber. The login request is provided by the subscriber in relation to a subscription account for accessing media content offered by a content provider.

At operation 804 of the method 800, authentication of login credentials of the subscriber is facilitated by the system based on the login request. More specifically, the system uses the services of an authentication server, such as the authentication server 172 explained with reference to FIGS. 1 to 3, to authenticate the login credentials included in the login request.

At operation 806 of the method 800, subsequent to the successful authentication of the login credentials, a token is generated by the system. The token may be embodied as an JSON Web Token (JWT) protected using hash-based message authentication code (HMAC) to protect the contents of the JWT.

The token is embedded with information including a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with the subscription account. The token ID is configured to include a token identification number, which uniquely identifies the token. The subscriber metadata includes information related to the subscriber, such as the subscriber’s name, email address, and such other personal information of the subscriber. The subscriber metadata also includes information extracted from the subscriber’s login request, such as the type of electronic device (for example, mobile phone, TV or tablet device) used by the subscriber for requesting the login, the type of login method (Email or Web login), type of network access (cellular or Wi-Fi), subscriber location, and the like.

The subscription claims include information related to the content entitlement that the subscriber is eligible for, given the type of subscription of the subscriber. For example, the subscription claims include information related to a type of subscription (whether regular or premium), a current status of the subscription (i.e. whether the subscription is active or not), a validity of the subscription (for example, till what time period the subscription is valid) and a plurality of content access permissions that are associated with the subscriber’s subscription. In an illustrative example, a regular subscription may allow subscribers to access only local/regional content and language dubbed versions of the local/regional content, whereas a premium subscription may allow subscribers to additionally access content sourced from international locations and/or content in English and other foreign languages. Accordingly, the content access permissions may include one or more permissions related to what type of content can be accessed in relation to the subscription type associated with the subscriber’s account. Further, the current location of the subscriber may also determine what content can be accessed by the subscriber. For example, a premium subscriber may not be entitled to view certain types of subscribed content in certain countries and, accordingly, the set of content access permissions may include permissions related to content allowed to be accessed based on location. Furthermore, the subscriber may have subscribed to additional features over and above the subscription associated with the subscriber’s account. For example, the subscriber may have paid for availing additional features, such as ad-free content, game scorecard including rich information, Dolby stereo sound content, 4K resolution content, and the like. Accordingly, the set of content access permissions may include at least one permission related to one or more features that are subscribed by the subscriber in addition to the subscription associated with the subscription account. It is noted that type of information integrated in the token may not be limited to examples explained herein, and, indeed the token may be configured to include a variety of information related to the subscription of the subscriber. In at least one embodiment, the token ID, the subscriber metadata and the subscription claims are subjected to processing in the form of encryption, encoding and/or compression prior to the integration of such information in the token.

At operation 808 of the method 800, the token is provided along with a confirmation of successful account login by the system to the electronic device. The electronic device is configured to store the token.

At operation 810 of the method 800, a request for a playback URL and the token is received from the electronic device associated with the subscriber. The request for the playback URL is received in relation to a selection of a content title displayed on the electronic device.

At operation 812 of the method 800, a content entitlement check is performed by the system based on the information embedded within the token. The content entitlement check is configured to determine an eligibility of the subscriber to access content associated with the content title. The content entitlement check may involve several checks as explained with reference to FIGS. 5 and 6 and are not explained again herein for sake of brevity.

At operation 814 of the method 800, the playback URL is provided to the electronic device by the system in response to the request for the playback URL if the subscriber is deemed to be eligible to access the content based on the successful content entitlement check. In at least one embodiment, the playback URL includes an IP address of a CDN associated with the content provider. The electronic device of the subscriber may be configured to use the playback URL to generate an HTTP request and transmit the HTTP request over the ISP network 180 (shown in ) to request the content. The ISP network may facilitate delivery of the subscriber’s request for content to the chosen CDN and also facilitates fetching of the desired content for the subscriber. In other words, the electronic device is configured to fetch the content from the CDN over a communication network using the IP address provided in the playback URL and displays the content on a display screen of the electronic device.

Various embodiments disclosed herein provide numerous advantages. More specifically, the embodiments disclosed herein suggest techniques for accelerating entitlement checks performed by the OTT streaming content providers for determining whether a subscriber is eligible to access a requested content or not. Further, the techniques disclosed herein enable scaling of content entitlement check for a large number of subscribers. As the delay attributed to OTT platform’s communication with the entitlement server is avoided, the latency in completing subscriber requests for content is substantially reduced, thereby significantly improving an interaction quality experienced by the subscribers.

Although the present invention has been described with reference to specific exemplary embodiments, it is noted that various modifications and changes may be made to these embodiments without departing from the broad spirit and scope of the present invention. For example, the various operations, blocks, etc., described herein may be enabled and operated using hardware circuitry (for example, complementary metal oxide semiconductor (CMOS) based logic circuitry), firmware, software and/or any combination of hardware, firmware, and/or software (for example, embodied in a machine-readable medium). For example, the apparatuses and methods may be embodied using transistors, logic gates, and electrical circuits (for example, application specific integrated circuit (ASIC) circuitry and/or in Digital Signal Processor (DSP) circuitry).

Particularly, the system 150 and its various components such as the processing module 202, the memory module 204, the I/O module 206, and the communication module 208 may be enabled using software and/or using transistors, logic gates, and electrical circuits (for example, integrated circuit circuitry such as ASIC circuitry). Various embodiments of the present invention may include one or more computer programs stored or otherwise embodied on a computer-readable medium, wherein the computer programs are configured to cause a processor or computer to perform one or more operations (for example, operations explained herein with reference to ). A computer-readable medium storing, embodying, or encoded with a computer program, or similar language, may be embodied as a tangible data storage device storing one or more software programs that are configured to cause a processor or computer to perform one or more operations. Such operations may be, for example, any of the steps or operations described herein. In some embodiments, the computer programs may be stored and provided to a computer using any type of non-transitory computer readable media. Non-transitory computer readable media include any type of tangible storage media. Examples of non-transitory computer readable media include magnetic storage media (such as floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g., magneto-optical disks), CD-ROM (compact disc read only memory), CD-R (compact disc recordable), CD-R/W (compact disc rewritable), DVD (Digital Versatile Disc), BD (Blu-ray (registered trademark) Disc), and semiconductor memories (such as mask ROM, PROM (programmable ROM), EPROM (erasable PROM), flash ROM, RAM (random access memory), etc.). Additionally, a tangible data storage device may be embodied as one or more volatile memory devices, one or more non-volatile memory devices, and/or a combination of one or more volatile memory devices and non-volatile memory devices. In some embodiments, the computer programs may be provided to a computer using any type of transitory computer readable media. Examples of transitory computer readable media include electric signals, optical signals, and electromagnetic waves. Transitory computer readable media can provide the program to a computer via a wired communication line (e.g., electric wires, and optical fibers) or a wireless communication line.

Various embodiments of the present invention, as discussed above, may be practiced with steps and/or operations in a different order, and/or with hardware elements in configurations, which are different than those which are disclosed. Therefore, although the invention has been described based upon these exemplary embodiments, it is noted that certain modifications, variations, and alternative constructions may be apparent and well within the spirit and scope of the invention.

Although various exemplary embodiments of the present invention are described herein in a language specific to structural features and/or methodological acts, the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as exemplary forms of implementing the claims.

Claims (33)

1. A computer-implemented method for scaling content entitlement checks for a plurality of subscribers, the method comprising:
   receiving, by a system (150), a login request from an electronic device (104) associated with a subscriber (102), the login request provided by the subscriber (102) in relation to a subscription account for accessing media content offered by a content provider;
   facilitating, by the system (150), authentication of login credentials of the subscriber (102) based on the login request;
   generating, by the system (150), a token (400) subsequent to the successful authentication of the login credentials, the token (400) embedded with information comprising a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with the subscription account;
   providing the token along with a confirmation of successful account login to the electronic device (104) by the system (150), wherein the electronic device (104) is configured to store the token (400);
   receiving, by the system (150), a request for a playback Uniform Resource Locator (URL) and the token (400) from the electronic device (104) associated with the subscriber (102), the request for the playback URL received in relation to a selection of a content title displayed on the electronic device (104);
   performing, by the system (150), a content entitlement check based on the information embedded within the token (400), the content entitlement check configured to determine an eligibility of the subscriber (102) to access content associated with the content title; and
   providing the playback URL to the electronic device (104), by the system (150), in response to the request for the playback URL if the subscriber (102) is deemed to be eligible to access the content based on the successful content entitlement check, wherein the playback URL is configured to facilitate display of the content associated with the content title on the electronic device (104).
2. The method as Claimed in Claim 1, wherein the subscription claims comprise information related to a type of a subscription associated with the subscription account, a status of the subscription, a validity date associated with the subscription and a set of content access permissions.
3. The method as Claimed in Claim 2, wherein the set of content access permissions comprises:
   one or more content access permissions that the subscriber (102) is entitled to, based on the type of the subscription, and
   at least one content access permission related to one or more features subscribed by the subscriber (102) in addition to the subscription associated with the subscription account.
4. The method as Claimed in Claim 2, wherein the set of content access permissions is segregated into a critical set of access permissions and a non-critical set of access permissions and, wherein the non-critical set of access permissions is excluded from integration into the token (400) if a size of the token (400) is predicted to exceed a predefined threshold size.
5. The method as Claimed in Claim 2, wherein the content entitlement check comprises:
   performing, by the system (150), an integrity check (308) of the token (400), wherein the integrity check (308) is configured to determine a tamper status of the token (400).
6. The method as Claimed in Claim 5, wherein the content entitlement check further comprises:
   retrieving, by the system (150), the information embedded in the token (400) subsequent to the determination of a negative tamper status during the integrity check (308) of the token (400); and
   performing, by the system (150), a validation check of the information retrieved from the token (400), wherein the validation check comprises determining whether the subscriber (102) is seeking to perform a content access related action or a non-content access related action.
7. The method as Claimed in Claim 6, wherein the validation check further comprises:
   performing a shallow check (310) of the information embedded within the token (400) if the subscriber (102) is seeking to perform the non-content access related action, wherein the shallow check (310) is configured to ascertain whether the subscriber (102) is eligible to perform the non-content access related action based on the subscription claims.
8. The method as Claimed in Claim 6, wherein the validation check further comprises:
   performing a deep check (312) of the information embedded within the token (400) if the subscriber (102) is seeking to perform the content access related action, wherein the deep check (312) is configured to check whether the information is tampered with and whether the token ID is a blacklisted token ID and, wherein the token (400) is deemed to be validated if the information is not tampered with and if the token ID is not the blacklisted token ID.
9. The method as Claimed in Claim 8, wherein the content entitlement check further comprises:
   verifying, by the system (150), the subscriber metadata and determining whether the subscriber (102) is eligible to access the content associated with the content title selected by the subscriber (102) based on the set of content access permissions integrated as part of the information embedded in the token (400).
10. The method as Claimed in Claim 1, wherein the authentication of the login credentials of the subscriber (102) based on the login request is performed by an authentication server in operative communication with the system and, wherein at least a part of information embedded in the token (400) is fetched from an entitlement server in operative communication with the system and, wherein at least one of encryption, encoding and compression is performed on the information prior to embedding the information in the token (400).
11. The method as Claimed in Claim 1, wherein the token (400) is a JSON Web Token (JWT) protected using a hash-based message authentication code (HMAC).
12. The method as Claimed in Claim 1, wherein the playback URL comprises an IP address of a content delivery network (CDN) associated with the content provider and, wherein the content is fetched by the electronic device (104) from the CDN over a communication network using the IP address to facilitate the display of the content on the electronic device (104).
13. A system (150) for scaling content entitlement checks for a plurality of subscribers, the system (150) comprising:
    a memory module (204) for storing instructions; and
    a processing module (202) configured to execute the instructions and thereby cause the system (150) to at least:
    receive a login request from an electronic device (104) associated with a subscriber (102), the login request provided by the subscriber (102) in relation to a subscription account for accessing media content offered by a content provider;
    facilitate authentication login credentials of the subscriber (102) based on the login request;
    generate a token (400) subsequent to the successful authentication of the login credentials, the token (400) embedded with information comprising a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with the subscription account;
    provide the token (400) along with a confirmation of successful account login to the electronic device (104), wherein the electronic device (104) is configured to store the token (400);
    receive a request for a playback Uniform Resource Locator (URL) and the token (400) from the electronic device (104) associated with the subscriber (102), the request for the playback URL received in relation to a selection of a content title displayed on the electronic device (104);
    perform a content entitlement check based on the information embedded within the token (400), the content entitlement check configured to determine an eligibility of the subscriber (102) to access content associated with the content title; and
    provide the playback URL to the electronic device (104), by the system (150), in response to the request for the playback URL if the subscriber (102) is deemed to be eligible to access the content based on the successful content entitlement check, wherein the playback URL is configured to facilitate display of the content associated with the content title on the electronic device (104).
14. The system (150) as Claimed in Claim 13, wherein the subscription claims comprise information related to a type of a subscription associated with the subscription account, a status of the subscription, a validity date associated with the subscription and a set of content access permissions.
15. The system (150) as Claimed in Claim 14, wherein the set of content access permissions comprises:
    one or more content access permissions that the subscriber (102) is entitled to, based on the type of the subscription, and
    at least one content access permission related to one or more features subscribed by the subscriber (102) in addition to the subscription associated with the subscription account.
16. The system (150) as Claimed in Claim 14, wherein the set of content access permissions is segregated into a critical set of access permissions and a non-critical set of access permissions and, wherein the non-critical set of access permissions is excluded from integration into the token (400) if a size of the token (400) is predicted to exceed a predefined threshold size.
17. The system (150) as Claimed in Claim 14, wherein for the content entitlement check, the system (150) is further caused to:
    perform an integrity check (308) of the token (400), wherein the integrity check (308) is configured to determine a tamper status of the token (400).
18. The system (150) as Claimed in Claim 17, wherein for the content entitlement check, the system (150) is further caused to:
    retrieve the information embedded in the token (400) subsequent to the determination of a negative tamper status during the integrity check (308) of the token (400); and
    perform a validation check of the information retrieved from the token (400), wherein the validation check comprises determining whether the subscriber (102) is seeking to perform a content access related action or a non-content access related action.
19. The system (150) as Claimed in Claim 18, wherein for the validation check, the system is further caused to:
    perform a shallow check (310) of the information embedded within the token (400) if the subscriber (102) is seeking to perform the non-content access related action, wherein the shallow check (310) is configured to ascertain whether the subscriber (102) is eligible to perform the non-content access related action based on the subscription claims.
20. The system (150) as Claimed in Claim 18, wherein for the validation check, the system (150) is further caused to:
    perform a deep check (312) of the information embedded within the token (400) if the subscriber (102) is seeking to perform the content access related action, wherein the deep check (312) is configured to check whether the information is tampered with and whether the token ID is a blacklisted token ID and, wherein the token (400) is deemed to be validated if the information is not tampered with and if the token ID is not the blacklisted token ID.
21. The system (150) as Claimed in Claim 20, wherein for the content entitlement check, the system (150) is further caused to:
    verify the subscriber metadata and determine whether the subscriber (102) is eligible to access the content associated with the content title selected by the subscriber (102) based on the set of content access permissions integrated as part of the information embedded in the token (400).
22. The system (150) as Claimed in Claim 13, wherein the authentication of the login credentials of the subscriber (102) based on the login request is performed by an authentication server in operative communication with the system and, wherein at least a part of information embedded in the token (400) is fetched from an entitlement server in operative communication with the system and, wherein at least one of encryption, encoding and compression is performed on the information prior to embedding the information in the token (400).
23. The system (150) as Claimed in Claim 13, wherein the token (400) is a JSON Web Token (JWT) protected using a hash-based message authentication code (HMAC).
24. The system (150) as Claimed in Claim 13, wherein the playback URL comprises an IP address of a content delivery network (CDN) associated with the content provider and, wherein the content is fetched by the electronic device (104) from the CDN over a communication network using the IP address to facilitate the display of the content on the electronic device (104).
25. A computer-implemented method for scaling content entitlement checks for a plurality of subscribers, the method comprising:
    receiving, by a system (150), a request for a playback Uniform Resource Locator (URL) and a token (400) from an electronic device (104) associated with a subscriber (102), the request for the playback URL received in relation to a selection of a content title displayed on the electronic device (104), the token (400) embedded with information comprising a token identifier (ID), subscriber metadata and at least a part of subscription claims associated with a subscription account of the subscriber (102);
    performing, by the system (150), a content entitlement check, the content entitlement check comprising the steps of:
    performing an integrity check (308) of the token (400), wherein the integrity check (308) is configured to determine a tamper status of the token (400),
    retrieving the information embedded in the token (400) subsequent to the determination of a negative tamper status during the integrity check (308) of the token (400),
    performing a validation check of the information retrieved from the token (400) to validate the token (400), and
    determining whether the subscriber (102) is eligible to access content associated with the content title selected by the subscriber (102) based on the information embedded in the token (400); and
    providing the playback URL to the electronic device (104), by the system (150), in response to the request for the playback URL if the subscriber (102) is deemed to be eligible to access the content based on successful content entitlement check, wherein the playback URL is configured to facilitate display of the content associated with the content title on the electronic device (104).
26. The method as Claimed in Claim 25, wherein the subscription claims comprise information related to a type of a subscription associated with the subscription account, a status of the subscription, a validity date associated with the subscription and a set of content access permissions.
27. The method as Claimed in Claim 26, wherein the set of content access permissions comprises:
    one or more content access permissions that the subscriber (102) is entitled to, based on the type of the subscription; and
    at least one content access permission related to one or more features subscribed by the subscriber (102) in addition to the subscription associated with the subscription account.
28. The method as Claimed in Claim 26, wherein the set of content access permissions is segregated into a critical set of access permissions and a non-critical set of access permissions and, wherein the non-critical set of access permissions is excluded from integration into the token (400) if a size of the token (400) is predicted to exceed a predefined threshold size.
29. The method as Claimed in Claim 26, wherein the validation check comprises determining whether the subscriber (102) is seeking to perform a content access related action or a non-content access related action.
30. The method as Claimed in Claim 29, wherein the validation check further comprises:
    performing a shallow check (310) of the information embedded within the token (400) if the subscriber (102) is seeking to perform the non-content access related action, wherein the shallow check (310) is configured to ascertain whether the subscriber (102) is eligible to perform the non-content access related action based on the subscription claims.
31. The method as Claimed in Claim 29, wherein the validation check further comprises:
    performing a deep check (312) of the information embedded within the token (400) if the subscriber (102) is seeking to perform the content access related action, wherein the deep check (312) is configured to check whether the information is tampered with and whether the token ID is a blacklisted token ID and, wherein the token (400) is deemed to be validated if the information is not tampered with and if the token ID is not the blacklisted token ID.
32. The method as Claimed in Claim 25, wherein the authentication of the login credentials of the subscriber (102) based on the login request is performed by an authentication server in operative communication with the system and, wherein at least a part of information embedded in the token (400) is fetched from an entitlement server in operative communication with the system and, wherein at least one of encryption, encoding and compression is performed on the information prior to embedding the information in the token (400).
33. The method as Claimed in Claim 25, wherein the playback back URL comprises an IP address of a content delivery network (CDN) associated with a content provider and, wherein the content is fetched by the electronic device (104) from the CDN over a communication network using the IP address to facilitate the display of the content on the electronic device (104).

Images