Thank you, Joel. Your first scenario is definitely something I could do.
I was more envisioning that Roku would hit the auth program for a new unique token on every media request. Then the token would be sent with the media request to the CDN, where it would be verified in the db, and expire in a minute or less, whatever time it takes to bounce them over to the CDN and get validated there.
So here's how I would propose to do it:
In the XML the media would be listed with the various bitrates as per normal.
But each of those URLs is not the actual media, but the token generator program on our server that takes the filename on the end of the URL request as a variable.
It checks the user's deviceToken to make sure the user is valid, generates a token and inserts it into the db on the server side,
then returns "Location: http://cdn.url/the_media_file&the_token".
Then theoretically the Roku goes to get the video file there, the CDN takes the_token, runs a request against a program on our side to say "is this token good for this media file?" and, depending on the response, serves the media.
Then if the Roku switches bitrates, the whole process is repeated (new unique token generated for the new media file request).
Only people on our app can generate tokens, and only people with tokens can get served the media.
An advantage this way is that we can track every hit in the db via the token generation and subsequent authentication.
Will it work? I need to try it tomorrow and find out...
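
Added example, not part of the original post: a sketch of the two server-side pieces the post describes, the token generator that answers with a `Location` redirect and the check the CDN calls back into. The SQLite table, the function names, the `?token=` query parameter and the sample deviceToken are assumptions made for illustration.

```python
import secrets
import sqlite3
from urllib.parse import quote

TOKEN_TTL = 60                    # seconds; the post says "a minute or less"
CDN_BASE = "http://cdn.url/"      # placeholder host taken from the post
VALID_DEVICES = {"device-abc"}    # constructed sample of registered deviceTokens


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tokens (token TEXT PRIMARY KEY, device TEXT,"
               " filename TEXT, expires REAL, hits INTEGER DEFAULT 0)")
    return db


def issue_redirect(db, device_token, filename, now):
    """Token generator: return the Location value, or None for unknown devices."""
    if device_token not in VALID_DEVICES:
        return None
    token = secrets.token_urlsafe(32)   # unguessable and unique per request
    db.execute("INSERT INTO tokens (token, device, filename, expires)"
               " VALUES (?, ?, ?, ?)",
               (token, device_token, filename, now + TOKEN_TTL))
    return f"{CDN_BASE}{quote(filename)}?token={token}"


def validate(db, token, filename, now):
    """CDN callback: is this token good for this media file right now?"""
    row = db.execute("SELECT filename, expires FROM tokens WHERE token = ?",
                     (token,)).fetchone()
    if row is None:
        return False
    bound_file, expires = row
    # The token must be bound to this exact file and still inside its lifetime,
    # so a token issued for one bitrate cannot be replayed against another file.
    if bound_file != filename or now > expires:
        return False
    # Count the hit so every served request is traceable to an issued token.
    db.execute("UPDATE tokens SET hits = hits + 1 WHERE token = ?", (token,))
    return True
```

The token is not consumed on first use here; the `hits` column supports the per-request tracking the post mentions.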