The document security token is not correctly formed in docker

Hello everyone,

My English is not very good, and this is my first time posting on the forum. I want to deploy OnlyOffice/DocumentServer using Docker. Here is the command I used:

docker run -d -p 8808:80 -e JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImMiOiJpbmZvIiwia2V5IjoiS2hpcno2elRQZGZkNyJ9fQ.hGQ8kquQWpg4MQYiSYaIzik0wotP1coAop6QfLruenA --name onlyoffice_documentserver onlyoffice/documentserver

And here is my HTML code:


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
 
<body>
<div id="placeholder"></div>
<script type="text/javascript" src="http://192.168.31.158:8808/web-apps/apps/api/documents/api.js"></script>
<script>
 
    var docEditor = new DocsAPI.DocEditor("placeholder", {
        "document": {
            "fileType": "docx",
            "permissions": {
                "edit": false,
            },
            "key": "Khirz6zTPdfd7",
            "title": "zf.docx",
            "url": "file:///C:/Users/MySNN/Desktop/test.docx"
        },
        "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImMiOiJpbmZvIiwia2V5IjoiS2hpcno2elRQZGZkNyJ9fQ.hGQ8kquQWpg4MQYiSYaIzik0wotP1coAop6QfLruenA",
        "height": "1000px",
        "width": "100%"
    })
 
</script>
</body>
</html>

When I run this code in the browser, I get an error saying, “The document security token is not correctly formed.” I understand that this is related to the JWT token, but after checking the relevant documentation, I don’t understand why I’m still encountering this issue even though I’ve added the JWT_SECRET parameter in the Docker startup command and included the token and key in the HTML code.

Thank you.

Hello @ChiMu

Please note that the token parameter sent in the config is not the same thing as a secret of the JWT. Please visit an official JSON Web Token page to learn more about it in general.

As for the usage of JWT on Document Server side check out these articles:
https://api.onlyoffice.com/editors/signature/
https://api.onlyoffice.com/editors/security

If you struggle with making it work, you can alternatively disable JWT. More about how to configure JWT on Document Server side you can find here:
https://helpcenter.onlyoffice.com/installation/docs-configure-jwt.aspx

Hi! I also have problems with this topic.

I don’t understand how to get the JWT_TOKEN using the jwt.io website. Which is the correct payload data? By default I put this

having my JWT_SECRET as MY_SECRET_KEY

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": "1234567890",
  "name": "myname",
  "iat": 1816239022
}

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  MY_SECRET_KEY
) secret base64 encoded

The faked output is

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Im15bmFtZSIsImlhdCI6MTgxNjIzOTAyMn0.T9-0QYuhPQgNfwsHGcahA_iqDDmA3iXqc9yZ4SdFHss

I have the onlyofficeds server inside Docker and run it using docker-compose. I tried defining my own JWT_SECRET and also leaving the variable undefined to let OnlyOffice define the JWT_SECRET

      # Uncomment strings below to enable the JSON Web Token validation.
      - JWT_ENABLED=true
      #- JWT_SECRET=MY_SECRET_KEY
      - JWT_HEADER=Authorization
      - JWT_IN_BODY=true

To see the jwt_secret I look in /etc/onlyoffice/documentserver/local.json

root@afe9fc05a468:/etc/onlyoffice/documentserver# cat local.json 
{
  "services": {
    "CoAuthoring": {
      "sql": {
        "type": "postgres",
        "dbHost": "onlyoffice-postgresql",
        "dbPort": "5432",
        "dbName": "onlyoffice",
        "dbUser": "onlyoffice",
        "dbPass": "onlyoffice"
      },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization",
          "inBody": true
        },
        "outbox": {
          "header": "Authorization",
          "inBody": true
        }
      },
      "secret": {
        "inbox": {
          "string": "MY_SECRET_KEY"
        },
        "outbox": {
          "string": "MY_SECRET_KEY"
        },
        "session": {
          "string": "MY_SECRET_KEY"
        }
      }
    }
  },
  "rabbitmq": {
    "url": "amqp://guest:guest@onlyoffice-rabbitmq"
  },
  "queue": {
    "type": "rabbitmq"
  },
  "storage": {
    "fs": {
      "secretString": "ANOTHER_SECRET_KEY"
    }
  }
}

Then if I use MY_SECRET_KEY in Nextcloud everything goes OK, but if I try to use the API I get the message “The document security token is not correctly formed.”

I use this code to connect to my OnlyOffice through my application (it is only a test)

<html>
<head>

</head>
<body>
    <div id="placeholder"></div>

    <script type="text/javascript" src="https://onlyofficeds.mydomain.net/web-apps/apps/api/documents/api.js"></script>

        <script type="text/javascript">
            new DocsAPI.DocEditor("placeholder", {
                "document": {
                    "fileType": "docx",
                    "key": "MY_SECRET_KEY",
                    "title": "Example Document Title.docx",
                    "url": "https://d2nlctn12v279m.cloudfront.net/assets/docs/samples/demo.docx"
                },
                "documentType": "word",
                "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Im15bmFtZSIsImlhdCI6MTgxNjIzOTAyMn0.T9-0QYuhPQgNfwsHGcahA_iqDDmA3iXqc9yZ4SdFHss"
            });
        </script>

</body>
</html>

I also found this link, ONLYOFFICE Api Documentation - Basic concepts, but the generated code still does not work. I used Python to generate the token.

import base64
import hashlib
import hmac

from datetime import datetime, date, time

def create_auth_token(pkey, machine_key):

    machine_key = bytes(machine_key, 'UTF-8')
    now = datetime.strftime(datetime.utcnow(), "%Y%m%d%H%M%S")

    message = bytes('{0}\n{1}'.format(now, pkey), 'UTF-8')

    _hmac = hmac.new(machine_key, message, hashlib.sha1)
        
    signature = str(base64.urlsafe_b64encode(_hmac.digest()), 'UTF-8')
    signature = signature.replace('-', '+')
    signature = signature.replace('_', '/')
    token = 'ASC {0}:{1}:{2}'.format(pkey, now, signature)

    return token

What am I doing wrong?

Thank you very much

I’m working in Django, and in the backend I have these two functions

@login_required
def file_view(request, item, value):
    nav = {'menu': 'view'}

    # https://api.onlyoffice.com/docspace/apisystem/authentication
    _key = "MY_SECRET_KEY"
    _token = create_auth_token("1234567890", _key)

    return render(request, 'web/view_document.html', {'nav': nav, 'key': _key, 'token': _token})


def create_auth_token(pkey, machine_key):
    import base64
    import hashlib
    import hmac

    from datetime import datetime, date, time

    machine_key = bytes(machine_key, 'UTF-8')
    now = datetime.strftime(datetime.utcnow(), "%Y%m%d%H%M%S")

    message = bytes('{0}\n{1}'.format(now, pkey), 'UTF-8')

    _hmac = hmac.new(machine_key, message, hashlib.sha1)

    signature = str(base64.urlsafe_b64encode(_hmac.digest()), 'UTF-8')
    signature = signature.replace('-', '+')
    signature = signature.replace('_', '/')
    token = 'ASC {0}:{1}:{2}'.format(pkey, now, signature)

    return token

And in frontend I have this code

<html>
<head>

</head>
<body>
    <div id="placeholder"></div>

    <script type="text/javascript" src="https://onlyofficeds.capa8.net/web-apps/apps/api/documents/api.js"></script>

        <script type="text/javascript">
            new DocsAPI.DocEditor("placeholder", {
                "document": {
                    "fileType": "docx",
                    "key": "{{ key }}",
                    "title": "Example Document Title.docx",
                    "url": "https://d2nlctn12v279m.cloudfront.net/assets/docs/samples/demo.docx"
                },
                "documentType": "word",
                "token": "{{ token }}"
            });
        </script>

</body>
</html>

Hello @blackhold

First of all, as I can see, you have pasted the value of your JWT secret into the initialization config under the key parameter:

Please note that document.key is not the same as the JWT secret. Basically, the JWT secret is used to encrypt the data when JWT token authentication is enabled and plays the main role in request encryption, whilst document.key is used by Document Server to identify documents. The document.key must be unique for every document.


Second, the error mainly states that you did not form the JWT token correctly:
https://api.onlyoffice.com/editors/troubleshooting#token
In your code, the token parameter, when decrypted, has the following data:

{
  "sub": "1234567890",
  "name": "myname",
  "iat": 1816239022
}

You can check it here: https://jwt.io/

Please refer to initialization config documentation to see an example of complete config:
https://api.onlyoffice.com/editors/advanced

If you are still having problems using the JWT token, you can also install the document storage example in the language that corresponds to the language of your application to check how it works there:
https://api.onlyoffice.com/editors/demopreview
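
The point made in both answers above, as an added example that is not part of the original thread and not ONLYOFFICE's own code: the token is an HS256 JWT whose payload is the editor config itself, signed server-side with the plain-string JWT_SECRET, so a jwt.io token with a generic `sub`/`name`/`iat` payload carries no `document` for the server to check. The helper names, the document key and the file URL are constructed for illustration; `MY_SECRET_KEY` is the thread's placeholder.

```python
import base64, hashlib, hmac, json

SECRET = "MY_SECRET_KEY"  # thread's placeholder for JWT_SECRET (a plain string, not a JWT)
# Constructed sample config: the key and URL below are made up for this example.
CONFIG = {
    "document": {"fileType": "docx", "key": "doc-0001-rev1",
                 "title": "Example Document Title.docx",
                 "url": "https://files.example.test/demo.docx"},
    "documentType": "word",
}
# Token posted in the thread (generated on jwt.io with a generic payload).
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Im15bmFtZSIsImlhdCI6MTgxNjIzOTAyMn0.T9-0QYuhPQgNfwsHGcahA_iqDDmA3iXqc9yZ4SdFHss"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_config(config, secret):
    """Build an HS256 JWT whose payload is the editor config itself."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(config, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    return signing_input + "." + _b64url(_hs256(secret, signing_input))

def unverified_payload(token):
    """Decode the middle segment without checking the signature (diagnosis only)."""
    return json.loads(_unb64url(token.split(".")[1]))

def verify(token, secret):
    """Return the payload if the HS256 signature matches, else raise ValueError."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_hs256(secret, header + "." + payload), _unb64url(sig)):
        raise ValueError("signature does not match secret")
    return json.loads(_unb64url(payload))

if __name__ == "__main__":
    token = sign_config(CONFIG, SECRET)
    # The object to hand to DocsAPI.DocEditor: the signed config plus its token.
    print(json.dumps(dict(CONFIG, token=token), indent=2))
    print("thread token payload keys:", sorted(unverified_payload(PAGE_TOKEN)))
```

Any change to the config after signing (a different `document.key`, for instance) requires a new token, because the server compares the signed payload with what it receives.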