Signature

ONLYOFFICE Document Server uses tokens generated using the JSON Web Tokens standard.

This feature is available in Document Server starting with version 4.2.

To set up validation, edit the secret key and token parameters in the configuration file, which can be found (or created) at the following path:

For Linux - /etc/onlyoffice/documentserver/local.json.

For Windows - %ProgramFiles%\ONLYOFFICE\DocumentServer\config\local.json.

The default values are available in the default.json configuration file, which is located in the folders above (for Linux and Windows). Please do not edit the contents of the default.json file directly: the default values are restored each time you restart the Docker container or upgrade Document Server to a new version, and all your changes will be lost.

Restart the services for the config changes to take effect:

  # Restart the services so that the edited local.json takes effect.
  supervisorctl restart all

Parameters

| Parameter | Description | Type | Example |
| --- | --- | --- | --- |
| services.CoAuthoring.secret.browser.string | Defines the secret key to generate a token in the client-side browser requests to ONLYOFFICE Docs. | string | secret |
| services.CoAuthoring.secret.inbox.string | Defines the secret key to generate a token in the incoming HTTP requests with the commands from the document storage service to the document command service, document conversion service and document builder service. | string | secret |
| services.CoAuthoring.secret.outbox.string | Defines the secret key to generate a token in the outgoing HTTP requests to the callbackUrl address by document editing service. | string | secret |
| services.CoAuthoring.token.enable.browser | Defines if a token in the client-side browser requests is enabled or not. | boolean | false |
| services.CoAuthoring.token.enable.request.inbox | Defines if a token in the incoming HTTP requests is enabled or not. | boolean | false |
| services.CoAuthoring.token.enable.request.outbox | Defines if a token in the outgoing HTTP requests is enabled or not. | boolean | false |

Sample local.json configuration (the value "secret" is a placeholder for your own secret key)

  1. {
  2. "services": {
  3. "CoAuthoring": {
  4. "secret": {
  5. "browser": {
  6. "string": "secret"
  7. },
  8. "inbox": {
  9. "string": "secret"
  10. },
  11. "outbox": {
  12. "string": "secret"
  13. },
  14. },
  15. "token": {
  16. "enable": {
  17. "browser": true,
  18. "request": {
  19. "inbox": true,
  20. "outbox": true
  21. }
  22. }
  23. }
  24. }
  25. }
  26. }

Code samples for signature generation

Below you can find examples of signature generation for init config and requests. They are taken from test samples in different programming languages. We advise you to use this code in your projects to generate signatures.

  • C#
  • Java
  • Node.js
  • PHP
  • Python
  • Ruby
  • Go
  /// <summary>
  /// Produces HMAC-SHA256 signed JSON Web Tokens for Document Server requests.
  /// The signing key is read once, when the type is initialised, from the
  /// "files.docservice.secret" application setting.
  /// </summary>
  public static class JwtManager
  {
      // Shared signing key; an absent setting is stored as the empty string.
      private static readonly string Secret;

      // True only when a non-empty key is configured. Callers should check this
      // flag before calling Encode; Encode itself does not look at it.
      public static readonly bool Enabled;

      static JwtManager()
      {
          Secret = WebConfigurationManager.AppSettings["files.docservice.secret"] ?? "";
          // Secret is never null at this point, so a length test is sufficient.
          Enabled = Secret.Length > 0;
      }

      /// <summary>
      /// Serialises <paramref name="payload"/> and signs it with the configured key.
      /// </summary>
      /// <param name="payload">Claims to place in the token body.</param>
      /// <returns>The token string produced by the encoder.</returns>
      public static string Encode(IDictionary<string, object> payload)
      {
          var algorithm = new HMACSHA256Algorithm();
          var serializer = new JsonNetSerializer();
          var urlEncoder = new JwtBase64UrlEncoder();

          var encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
          return encoder.Encode(payload, Secret);
      }
  }
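  /**
   * Builds an HMAC-SHA256 signed JSON Web Token from the given claims.
   *
   * The signing key is read from the "files.docservice.secret" property on
   * every call.
   *
   * @param payloadClaims claim names mapped to their values; each entry is
   *                      copied into the token as one claim
   * @return the encoded token, or an empty string when anything fails
   *         (the secret cannot be read, the signer cannot be built, or the
   *         encoding throws). An empty result is not a valid token, so callers
   *         must treat it as an error instead of sending it as a signature.
   */
  public static String CreateToken(Map<String, Object> payloadClaims)
  {
      try
      {
          String secret = ConfigManager.GetProperty("files.docservice.secret");
          Signer signer = HMACSigner.newSHA256Signer(secret);

          JWT jwt = new JWT();
          // The map is typed so that the keys can be used as claim names
          // directly; entrySet() avoids a second lookup per claim.
          for (Map.Entry<String, Object> claim : payloadClaims.entrySet())
          {
              jwt.addClaim(claim.getKey(), claim.getValue());
          }

          return JWT.getEncoder().encode(jwt, signer);
      }
      catch (Exception e)
      {
          // Kept from the original contract: failures surface as "" and are
          // not rethrown. The cause is lost here, so the caller has to check
          // for the empty string.
          return "";
      }
  }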
  // Token settings come from the "server" section of the application config:
  // the shared secret, the signing algorithm and the token lifetime.
  var configServer = require('config').get('server');
  var cfgSignatureSecretExpiresIn = configServer.get('token.expiresIn');
  var cfgSignatureSecret = configServer.get('token.secret');
  var cfgSignatureSecretAlgorithmRequest = configServer.get('token.algorithmRequest');

  /**
   * Signs `data` as a JSON Web Token with the configured secret.
   *
   * @param {object} data - Payload to sign.
   * @returns {string} Whatever `jwt.sign` returns for the payload.
   */
  documentService.getToken = function (data) {
    // The algorithm and the lifetime are fixed by configuration, never by the caller.
    return jwt.sign(data, cfgSignatureSecret, {
      algorithm: cfgSignatureSecretAlgorithmRequest,
      expiresIn: cfgSignatureSecretExpiresIn,
    });
  };
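  /**
   * Signs a payload as a JSON Web Token with the shared Document Server secret.
   *
   * @param array $payload Claims to place in the token body.
   * @return string The encoded token.
   */
  function jwtEncode($payload) {
      // Name the algorithm explicitly, as the other language samples on this
      // page do. firebase/php-jwt 6.x requires this argument; earlier releases
      // defaulted to HS256, so the resulting signature is unchanged.
      return \Firebase\JWT\JWT::encode($payload, $GLOBALS["DOC_SERV_JWT_SECRET"], "HS256");
  }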
  def encode(payload):
      """Sign ``payload`` as an HS256 JSON Web Token.

      The key is ``config.DOC_SERV_JWT_SECRET``; the return value is whatever
      ``jwt.encode`` produces for the payload.
      """
      signing_key = config.DOC_SERV_JWT_SECRET
      return jwt.encode(payload, signing_key, algorithm='HS256')
  # Shared signing key, read from the Rails configuration when this body is
  # evaluated. NOTE(review): this fragment presumably sits inside a class
  # body, so that the singleton method below sees the same instance variable.
  @jwt_secret = Rails.configuration.jwtSecret

  class << self
    # Signs +payload+ as an HS256 JSON Web Token and returns the result of
    # JWT.encode.
    def encode(payload)
      JWT.encode(payload, @jwt_secret, 'HS256')
    end
  end
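  // onlyofficeJwtManager signs JWT payloads with a shared HMAC key.
  type onlyofficeJwtManager struct {
      // key is the HMAC secret passed to SignedString.
      key []byte
  }

  // Sign builds an HS256 token from payload and signs it with j.key.
  //
  // payload only has to provide Valid() error. Sign returns the signed token
  // string, or an empty string and an error when the key is empty or the
  // signing call fails.
  func (j onlyofficeJwtManager) Sign(payload interface {
      Valid() error
  }) (string, error) {
      // An HMAC computed with a zero-length key gives no authenticity, so a
      // manager without a key reports an error instead of issuing a token.
      if len(j.key) == 0 {
          return "", errors.New("could not generate a new jwt: signing key is empty")
      }

      token := jwt.NewWithClaims(jwt.SigningMethodHS256, payload)
      ss, err := token.SignedString(j.key)
      if err != nil {
          // The underlying error is replaced by a generic message, as before.
          return "", errors.New("could not generate a new jwt")
      }
      return ss, nil
  }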