For a limited audience, it is feasible to request credentials (login and password) and challenge them using an external resource, such as a database, LDAP server, or other access-granting service.

1. The SWF supplies the user credentials in the connection request.

   The client provides a token or username/password using client-side ActionScript:

   var sUsername = "someUsername"; 
   var sPassword = "somePassword"; 
    
   nc.connect("rtmp://server/secure1/", sUsername, sPassword);

2. Flash Media Server validates the credentials against a third-party system.

   You can use the following classes to make calls from Server-Side ActionScript to external sources: WebService, LoadVars, XML classes, NetServices (connects to a Flash Remoting gateway). For more information about Flash Remoting, see www.adobe.com/go/learn_fms_flashremoting_en.

   load("NetServices.asc");     // for Flash remoting 
   load("WebServices.asc");     // for SOAP web services 
    
   pendingConnections = new Object(); 
    
   application.onConnect = function( pClient, pUsername, pPassword ) { 
    
       // create a unique ID for the client 
       pClient.FMSid = application.FMSid++; 
    
       // place the client into a pending array 
       pendingConnections[FMSid] = pClient; 
    
       if (pUsername!= undefined && pPassword !=undefined) { 
           // issue the external call (3 examples below) 
           loadVars.send("http://xyz.com/auth.cfm"); 
    
           webService.authenticate(FMSid, pUsername, pPassword); 
    
           netService.authenticate(FMSid, pUsername, pPassword); 
       } 
   } 
   // the result handler (sample only, you will have to customize this) 
   // this command will return a true/false and the FMS client id 
   Authenticate.onResult = { }

3. Flash Media Server accepts or rejects the connection.

   If the credentials are valid, Flash Media Server accepts the connection:

   loadVars.onData = function ( FMSid, pData ) { 
       if (pData) { 
           application.acceptConnection( pendingConnections[FMSid] ); 
           delete pendingConnections[FMSid]; 
       } else { 
           application. rejectConnection ( pendingConnections[FMSid] ); 
       delete pendingConnections[FMSid]; 
       } 
   }

This technique is an alternative to a username/password style of authentication, where the token can be granted based on a property of the client.

The control flow is as follows:

1. The client SWF requests an authentication token from a third party.

2. The third party returns the token to the client.

3. The client sends the token with its connection request.

4. Flash Media Server verifies the token with the third party system.

5. Flash Media Server accepts the connection.