Collaboration short tokens #10391
Collaboration short tokens #10391
Conversation
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
|
@jvillafanez I tested it in a test environment with MS365 and MSOO. It works perfectly fine. With this improvement, the online WOPI validator is running also. I could find a small bug in PutRelative. Will issue a new PR. See #10403 |
The "real" access token will be stored using the short token as key. This short token will be sent to the clients to be used as access token for the WOPI server. This is configurable, and requires a store in order to keep the tokens.
MD5 will make the token shorter. The timestamp will help to prevent collisions since the tokens must be generated at the same nanosecond (assuming the md5 sum generates the same hash, which is unlikely). Using MD5 shouldn't be a security issue. The "real" access token is already encrypted, and it's visible and accessible if short tokens aren't used.
jvillafanez
force-pushed
the
collaboration_short_tokens
branch
from
b9c9775 to
d5671f8
Compare
Clarified after re-thinking: @jvillafanez your implementation is correct, the store needs to be persistent to survive a reboot. |
|
@jvillafanez You just can copy/paste the block into the collaboration readme and adapt it slightly to fit. We should also add some content in the readme about the problem of long URL's and its solution. |
jvillafanez
force-pushed
the
collaboration_short_tokens
branch
2 times, most recently
from
d161def to
8221b29
Compare
jvillafanez
force-pushed
the
collaboration_short_tokens
branch
from
8221b29 to
b3f72d7
Compare
|
@jvillafanez I need to insist asking if |
|
Looks good to me. @mmattel if there is no additional typo, you can change the PR to ready to review. |
| Nodes: []string{"127.0.0.1:9233"}, | ||
| Database: "collaboration", | ||
| Table: "", | ||
| TTL: 30 * time.Minute, |
There was a problem hiding this comment.
@jvillafanez How does the WebOffice app refreshes the token?
I am aware of the 30 min, but i never saw a Web Office actually refresh the WOPI token.
There was a problem hiding this comment.
I don't see any info on how the refresh is supposed to work. What I found is in https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/rest/concepts#the-access_token_ttl-property
To prevent data loss for users, Office for the web prompts users to save and refresh their sessions if the access token for their session is close to expiring. In order to do this, Office for the web needs to know when the access token expires, which it determines based on the access_token_ttl value.
So I guess you're expected to close the editor and reopen it (with a fresh token)
| import "time" | ||
|
|
||
| // Store configures the store to use | ||
| type Store struct { |
There was a problem hiding this comment.
These variables should have the introductionVersion 7.0.0.
Co-authored-by: Michael Barz <[email protected]>
|
There is no changelog, I will add one. |
|
Collaboration short tokens
Description
Generate short tokens to be used as access tokens for WOPI.
Currently, the access tokens being used might be too long. In particular, Office Online complains about the URL (which contains the access token) is too long and refuses to work.
A new config option
COLLABORATION_WOPI_SHORTTOKENShas been added in order to overcome that limitation. Note that this option can be used with any WOPI application (Collabora, OnlyOffice, etc)In order to use this option, you must configure a store so OCIS can store the access tokens.
By default, the store will be configured to connect to "127.0.0.1:9233", which is where the nats service should be listening. If you have the collaboration in a different container, you probably want to connect to a different container such as "ocis:9233".
In addition, the TTL is configured to 30 minutes. You can rise the value if needed, but lowering it will likely cause problems because valid tokens will be deleted prematurely.
To sum up, if you enable the
COLLABORATION_WOPI_SHORTTOKENS, make sure eitherOCIS_PERSISTENT_STORE_NODESorCOLLABORATION_STORE_NODESare configured properly to store the tokens.Related Issue
https://github.com/owncloud/enterprise/issues/6790
Motivation and Context
The URL is too long with the access token and we need to make it shorter.
How Has This Been Tested?
Manually tested with Collabora. The access token has around 48 chars.
Screenshots (if appropriate):
Types of changes
Checklist: