What is JWT and how this technology protects your documents

Originally published at: https://www.onlyoffice.com/blog/2022/05/what-is-jwt-and-how-this-technology-protects-your-documents/

There are ways to protect files actively – using encryption, watermarks, restrictive access permissions. But document security doesn’t end there. Today, we will tell you about JWT,an important access protection agent that always works on the background an ensures that only authorized users get to edit your files.

What is JWT

JSON Web Token (JWT, pronounced as /dʒɒt/) is an open standard for secure online information exchange used mainly for two purposes – authorization and data transfer.

A compact JSON object contains the authentication information and provides the ability to verify legitimate users of the service, when applied in web applications. In a nutshell, it helps the application confirm that the sender of the information is who they claim they are.

JWT is a self-contained object in a form of a string that consists of thee parts: header, payload, and signature. Header contains the information about the token and how the signature is generated, payload contains the claims about the user necessary to grant them permission for access, and signature validates the user.

The token can be signed with a secret key that helps validate the origin of transferred data.

How ONLYOFFICE uses security tokens

In ONLYOFFICE, JWT secures data stream between the editor and the user. It helps verify users who enter the editing sessions in Docs and attempt to perform certain actions in documents.
For each HTTP request from and to ONLYOFFICE Document server, a token is generated and added to the parameters.

Here, different JWTs are generated for different user actions. While the tokens are signed with the same secret in each case, the information that helps authorize the input differs. For example, a separate token is created for opening the editor, for inserting an image into the file, for opening document version history, etc.

For instance, to add a PNG image to the file hosted on www.example.com, the following parameters will be included in the token:

{
"fileType": "png",
"url": "https://example.com/url-to-example-image.png"
}

And this is how the sample token will look like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmaWxlVHlwZSI6InBuZyIsInVybCI6Imh0dHBzOi8vZXhhbXBsZS5jb20vdXJsLXRvLWV4YW1wbGUtaW1hZ2UucG5nIn0.FXuC3GUvPq3japwyzo4i-utUe3g1rfSDt1ytuK_VyCc

To sign the JWT, a custom secret is used in each sharing service where ONLYOFFICE Docs is integrated.

Where to retrieve the secret key

In previous versions of ONLYOFFICE Docs, there was no JWT secret included by default — it had to be generated by an administrator of the host service (i.e. Nextcloud) and submitted to ONLYOFFICE Document Server manually via settings.

Starting from version 7.1, a random secret is automatically generated and just needs to be added on the side of the host application.

Where is JWT available?

JWT is supported in almost all of the official ONLYOFFICE integration apps:

• Nextcloud
• ownCloud
• Alfresco
• Moodle
• Mattermost
• Chamilo
• HumHub
• Confluence
• Plone
• Strapi
• Liferay
• Jira
• Nuxeo
• Redmine

You can browse all available integrations on our website and find token configuration guides on the corresponding GitHub pages.

If you want to create an ONLYOFFICE integration app for your own app, it is possible to add support for the security tokens using our API guidelines.