Auth Missing Required Parameter document.key (Since 7.1 version)

molloyda · 26 May 2022 15:44

Earlier today I upgraded from a docker image 7.0 (Enterprise) to the latest 7.1 (Enterprise) version.
Upon attempting to edit a document from our bespoke document service, we were now receiving ‘The document security token is not correctly formed. Please contact your document server administrator’.

Looking in the docker logs:
[2022-05-26T15:21:43.284] [ERROR] nodeJS - auth missing required parameter document.key (since 7.1 version): docId = e5d14680-ed29-4df7-b278-2b2d23b414db

This appears to make reference to a new change in 7.1 but I haven’t found any other information about it.

Would it be possible to get some clarity on what is going wrong here and a pointer to some information if possible?

Many thanks,
Dave

Carl · 26 May 2022 17:34

Hello Dave,
Could you please specify the platform you integrate the Document Server with? (Nextcloud, ownCloud, Alfresco etc.)

molloyda · 26 May 2022 18:35

Hi,
Many thanks for coming back to me. I’ve built my own Java based document server that uses OnlyOffice as a docker container for enterprise edition.

We have authentication managed via JWT tokens as per the documentation. However since upgrading to Enterprise 7.1 today we were getting that message in the logs. It seems to suggest that additional information is required in the JWT token now.

If I can learn what that additional information is then we can probably resolve. Perhaps it was an existing property that wasn’t previously required.
Any help would be appreciated.

Many thanks
David

Carl · 26 May 2022 19:35

Thank you for the clarification.
Please check if the editor config that you pass in the token contains document.key.

molloyda · 26 May 2022 20:09

Thanks Carl - I’ll give this a go in the morning. There seems to have been a number of changes around the JWT token in 7.1.

https://api.onlyoffice.com/editors/faq/security

The second question here also describes some changes around JWT tokens.

I think previously the JWT token could largely have an empty payload and as long as it was a signed token then it could be used for validation. Now it seems to require particular properties to be passed.

It might be a good idea to update some other parts of the documentation to reflect this. In some parts of the documentation empty payloads are shown in the sample JWT tokens.

However, there are some good examples here that show the usage of the document key:

https://api.onlyoffice.com/editors/signature/browser#config

It will require some refactoring on how we are currently generating JWT tokens. We were previously providing tokens with no specific payload for authentication only (and then providing a payload) but it seems we will need to combine these.

Will take a look in the morning - will update here again.

Thanks,
David

Carl · 26 May 2022 21:48

Hello David,
Having a token with an empty payload leaves your editor page vulnerable to somebody changing the editor config in an undesired way by interfering with the page code. However, when the editor config is passed in the token payload, changing its parameters will invalidate the JWT and thus the editor will be blocked.

Carl · 27 May 2022 08:29

As a temporary workaround, you can disable the tokenRequiredParams setting in /etc/onlyoffice/documentserver/default.json, but I’d recommend adjusting your JWT generation mechanism to include the parameters listed at
https://api.onlyoffice.com/editors/signature/browser#config

molloyda · 27 May 2022 09:38

Thanks Carl - you’ve been very helpful and are correct. The right approach is to embed the configuration into the JSON token so I’m working through that process now in various places.

All the best,
David