Securing FFmpeg Streams with Keycloak Authentication

FFmpeg is the go-to tool for video transcoding, streaming, and format conversion. Keycloak is an open-source identity and access management system that provides OAuth2, OpenID Connect, and SAML. Integrating FFmpeg with Keycloak means securing media pipelines with robust, centralized authentication and authorization. This setup is essential when streaming private feeds, distributing DRM-protected content, or enforcing access control for internal tools.

To make FFmpeg work with Keycloak, you must tie the streaming transport to token validation. Keycloak issues JWTs through an OAuth2 or OIDC client. FFmpeg must present these tokens to the server handling the media. If you run RTMP, HLS, or DASH, your streaming server (such as NGINX with the RTMP module, or an HTTP server) should verify the Keycloak token before serving chunks or accepting pushes. Without this check, anyone who knows the endpoint can stream, bypassing authentication.

The workflow is consistent:

  1. Configure a Keycloak realm.
  2. Create a client for the streaming application.
  3. Set client access type to confidential if you need server-to-server token exchanges.
  4. Use FFmpeg’s -headers flag to include the Authorization: Bearer <token> header in requests or pushes.
  5. On the receiving server, implement middleware to validate the token against Keycloak’s public keys (JWKS endpoint).

For example:

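# Request an access token with the client_credentials grant.
# SECRET is a placeholder; --fail makes curl print nothing on an HTTP error.
TOKEN=$(curl -s --fail \
  -d "client_id=stream-client" \
  -d "client_secret=SECRET" \
  -d "grant_type=client_credentials" \
  "https://keycloak.example.com/realms/yourrealm/protocol/openid-connect/token" \
  | jq -r .access_token)

# Stop if no token came back (jq prints "null" when the field is missing).
[ -n "$TOKEN" ] && [ "$TOKEN" != "null" ] || { echo "token request failed" >&2; exit 1; }

# -headers is an option of FFmpeg's HTTP protocol, so it only takes effect on
# http(s):// URLs; RTMP has no HTTP headers. The target below is therefore an
# HTTPS ingest endpoint.
ffmpeg -i input.mp4 \
  -c copy \
  -f flv \
  -headers "Authorization: Bearer $TOKEN" \
  https://stream.example.com/live/streamkey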

This approach keeps FFmpeg sessions authenticated at the network layer. The Keycloak configuration defines token lifetime, scopes, and user roles, which the ingest or playback server enforces. You can apply fine-grained rules—restricting streams to specific users or teams—without touching FFmpeg’s codebase.

To ensure reliability, handle token refresh. Long-running streams can outlive the token’s expiration window. Scripts or wrapper processes around FFmpeg can request new tokens from Keycloak mid-stream and restart or reattach sessions without downtime. For highly concurrent traffic, pre-issue tokens in batches, and monitor Keycloak’s availability and latency under load.
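
The refresh wrapper described above, as an added example that is not code from the original article: it reads the token's exp claim to schedule a restart of FFmpeg with a fresh token before the old one expires. The function names, the 30-second skew, the live input and the HTTP(S) ingest URL are assumptions; the Keycloak URL, client_id and SECRET are the article's placeholders.

```sh
# Added example. Assumed: function names, REFRESH_SKEW, live input, HTTP(S) ingest URL.
REFRESH_SKEW=30   # seconds before expiry at which the token is replaced

# Decode a JWT's payload segment: base64url -> base64, then restore padding.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Read the numeric "exp" claim. Scheduling only: the ingest server verifies the signature.
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# $1 = token, $2 = now (epoch seconds). Prints seconds to wait; 0 = refresh now or unreadable.
seconds_until_refresh() {
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || { echo 0; return 0; }
  left=$(( $exp - $2 - $REFRESH_SKEW ))
  [ "$left" -gt 0 ] || left=0
  echo "$left"
}

# Constructed, unsigned sample token (exp = 1700000300) for offline checks.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
  echo "$(b64url '{"alg":"RS256"}').$(b64url '{"sub":"stream-client","exp":1700000300}').sig"
}

fetch_token() {   # same client_credentials request as the article's example
  curl -s --fail -d "client_id=stream-client" -d "client_secret=SECRET" \
    -d "grant_type=client_credentials" \
    "https://keycloak.example.com/realms/yourrealm/protocol/openid-connect/token" |
    jq -r '.access_token // empty'
}

# Push live source $1 to ingest URL $2; each restart costs a brief reconnect.
stream_with_refresh() {
  while :; do
    token=$(fetch_token)
    delay=$(seconds_until_refresh "$token" "$(date +%s)")
    [ "$delay" -gt 0 ] || { echo "no usable token" >&2; return 1; }
    ffmpeg -i "$1" -c copy -f flv -headers "Authorization: Bearer $token" "$2" &
    sleep "$delay"
    kill "$!" 2>/dev/null || return 0   # FFmpeg already exited on its own
    wait "$!" 2>/dev/null
  done
}
```

Call it as `stream_with_refresh <live-input> <https-ingest-url>`; the token lifetime configured in Keycloak must be longer than REFRESH_SKEW, otherwise the wrapper stops instead of looping.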

Securing your FFmpeg deployment with Keycloak gives you traceable, auditable control over streaming. You get a clean separation of video pipeline and identity logic, and you reduce the attack surface of your streaming endpoints.
