Onlyoffice Secret Key Issue

Onlyoffice App works fine inside Nextcloud until I specify a secret inside local.json and then enter it inside the app. I get the following error
Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.)

If I enter the incorrect secret I get
Error when trying to connect (Error occurred in the document service: Invalid token)

Both servers are HTTPS secured and using proper certs. Again, everything works fine until I try to secure it before exposing it to the outside.


Nextcloud version : 16.0.3
Operating system and version : Centos 7
Apache or nginx version: Apache/2.4.6
PHP version (eg, 7.1): PHP 7.2.17

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Install document server on Ubuntu 18.04 or 19 (tried both) using these directions https://helpcenter.onlyoffice.com/server/linux/document/linux-installation.aspx

  2. Secure the server with ssl

  3. Enable secret in local.json and specify secret

  4. Enter into onlyoffice app inside nextcloud.

The output of your Nextcloud log in Admin > Logging:

Error	onlyoffice	CommandRequest on check error: Error occurred in the document service: Invalid token	
2019-07-11T11:25:52-0500
Error	onlyoffice	GetConvertedUri on check error: Error occurred in the document service: Error while downloading the document file to be converted.	
2019-07-11T11:25:46-0500
Fatal	onlyoffice	Download empty without jwt	
2019-07-11T11:25:45-0500
Fatal	onlyoffice	Download empty without jwt	
2019-07-11T11:25:44-0500
Fatal	onlyoffice	Download empty without jwt	
2019-07-11T11:25:43-0500
Error	onlyoffice	GetConvertedUri on check error: Error occurred in the document service: Error while downloading the document file to be converted.	
2019-07-11T11:25:10-0500
Fatal	onlyoffice	Download empty without jwt	
2019-07-11T11:25:08-0500
Fatal	onlyoffice	Download empty without jwt	
2019-07-11T11:25:07-0500
Fatal	onlyoffice	Download empty without jwt
1 Like

I’m running Document Server on Debian 9. When I updated OnlyOffice from 5.2 to 5.3, it seemed like several of the paths changed, so the local.json I was updating wasn’t the one Document Server was using any more. I don’t remember the old path, but on 5.3 the path that works for me is /etc/onlyoffice/documentserver/local.json.

Inside this file, I had to set the same secret in three places: inbox, outbox, and session. I also had to change three booleans from false to true. In the JSON they are roughly in the vicinity of:

  • token > enable > request > inbox = true
  • token > enable > request > outbox = true
  • token > enable > browser = true

Until I changed these three booleans, the OnlyOffice app in NextCloud only worked when I didn’t set the secret. After I changed all three of these, the secret was required to connect to Document Server.

Thanks for the tips. It seems that is what I did and it still doesn’t work. Do you have anything in config.php on nextcloud?

My local.json is attached, same location as you mentioned: /etc/onlyoffice/documentserver/local.json

When I enter the secret as test I get the error, and if I set the values to false in local.json and remove the secret from the app it connects fine. So weird, the same thing on 2 separate installs of document server. Thanks for all the help, I am really stuck at this point.

I don’t have anything in my config.php for Nextcloud that’s related to OnlyOffice. My local.json looks basically the same as yours. My secret is longer, but I don’t think that would make any difference.

What happens if you leave the secret key blank in Nextcloud, after you set the secret in OnlyOffice? If it works in Nextcloud, you’ll know that OnlyOffice isn’t using the key you’ve set.

I assume you know that you have to restart the OnlyOffice Document Server, after you modify the local.json file. On my Debian 9 system, I have to run service supervisor restart.

Yes I did restart the services. If I enter the wrong secret it throws an error that’s about invalid token.
Thanks for all your suggestions

How does your ds.conf file look?

Anyone have any good installation instructions?

I have exactly the same problem. @techman2005, have you found a solution now?

Hi, I have a different error message

I just started Onlyoffice with:

https://nichteinschalten.de/nextcloud-mit-onlyoffice-integration/

And like the guy said, it is shocking that no one in any tutorial talks about security.
The Secret option and the IP access are not even mentioned anywhere.

My json looks like this (docker):

{
    "statsd": {
            "useMetrics": false,
            "host": "localhost",
            "port": "8125",
            "prefix": "ds."
    },
    "log": {
            "filePath": "",
            "options": {
                    "replaceConsole": true
            }
    },
    "queue": {
            "type": "rabbitmq",
            "visibilityTimeout": 300,
            "retentionPeriod": 900
    },
    "storage": {
            "name": "storage-fs",
            "fs": {
                    "folderPath": "",
                    "urlExpires": 900,
                    "secretString": "verysecretstring"
            },
            "region": "",
            "endpoint": "http://localhost/s3",
            "bucketName": "cache",
            "storageFolderName": "files",
            "urlExpires": 604800,
            "accessKeyId": "AKID",
            "secretAccessKey": "SECRET",
            "useRequestToGetUrl": false,
            "useSignedUrl": false,
            "externalHost": ""
    },
    "rabbitmq": {
            "url": "amqp://guest:guest@localhost:5672",
            "socketOptions": {},
            "exchangepubsub": "ds.pubsub",
            "queueconverttask": "ds.converttask",
            "queueconvertresponse": "ds.convertresponse",
            "exchangeconvertdead": "ds.exchangeconvertdead",
            "queueconvertdead": "ds.convertdead",
            "queuedelayed": "ds.delayed"
    },
    "activemq": {
            "connectOptions": {
                    "port": 5672,
                    "host": "localhost",
                    "name": "admin",
                    "reconnect": false
            },
            "queueconverttask": "ds.converttask",
            "queueconvertresponse": "ds.convertresponse",
            "queueconvertdead": "ActiveMQ.DLQ",
            "queuedelayed": "ds.delayed",
            "topicpubsub": "ds.pubsub"
    },
    "dnscache": {
            "enable" : true,
            "ttl" : 300,
            "cachesize" : 1000
    },
    "services": {
            "CoAuthoring": {
                    "server": {
                            "port": 8000,
                            "workerpercpu": 1,
                            "mode": "development",
                            "limits_tempfile_upload": 104857600,
                            "limits_image_size": 26214400,
                            "limits_image_download_timeout": {
                                    "connectionAndInactivity": "10s",
                                    "wholeCycle": "2m"
                            },
                            "callbackRequestTimeout": {
                                    "wholeCycle": "2m"
                            },
                            "healthcheckfilepath": "../public/healthcheck.docx",
                            "savetimeoutdelay": 5000,
                            "edit_singleton": false,
                            "forgottenfiles": "forgotten",
                            "forgottenfilesname": "output",
                            "maxRequestChanges": 20000,
                            "openProtectedFile": true,
                            "editorDataStorage": "editorDataMemory"
                    },
                    "requestDefaults": {
                            "headers": {
                                    "User-Agent": "Node.js/6.13"
                            },
                            "rejectUnauthorized": true
                    },
                    "autoAssembly": {
                            "enable": false,
                            "interval": "5m",
                            "step": "1m"
                    },
                    "utils": {
                            "utils_common_fontdir": "null",
                            "utils_fonts_search_patterns": "*.ttf;*.ttc;*.otf",
                            "resource_expires": 31536000,
                            "limits_image_types_upload": "jpg;png;gif;bmp"
                    },
                    "sql": {
                            "type": "postgres",
                            "tableChanges": "doc_changes",
                            "tableResult": "task_result",
                            "dbHost": "localhost",
                            "dbPort": 5432,
                            "dbName": "onlyoffice",
                            "dbUser": "onlyoffice",
                            "dbPass": "onlyoffice",
                            "charset": "utf8",
                            "connectionlimit": 10,
                            "max_allowed_packet": 1048575
                    },
                    "redis": {
                            "name": "redis",
                            "prefix": "ds:",
                            "host": "localhost",
                            "port": 6379,
                            "options": {}
                    },
                    "pubsub": {
                            "maxChanges": 1000
                    },
                    "expire": {
                            "saveLock": 60,
                            "presence": 300,
                            "locks": 604800,
                            "changeindex": 86400,
                            "lockDoc": 30,
                            "message": 86400,
                            "lastsave": 604800,
                            "forcesave": 604800,
                            "saved": 3600,
                            "documentsCron": "0 */2 * * * *",
                            "files": 86400,
                            "filesCron": "00 00 */1 * * *",
                            "filesremovedatonce": 100,
                            "sessionidle": "0",
                            "sessionabsolute": "30d",
                            "sessionclosecommand": "2m",
                            "pemStdTTL": "1h",
                            "pemCheckPeriod": "10m",
                            "updateVersionStatus": "5m"
                    },
                    "ipfilter": {
                            "rules": [{"address": "*", "allowed": true}],
                            "useforrequest": false,
                            "errorcode": 403
                    },
                    "secret": {
                            "browser": {"string": "test", "file": "", "tenants": {}},
                            "inbox": {"string": "test", "file": "", "tenants": {}},
                            "outbox": {"string": "test", "file": ""},
                            "session": {"string": "test", "file": ""}
                    },
                    "token": {
                            "enable": {
                                    "browser": true,
                                    "request": {
                                            "inbox": true,
                                            "outbox": true
                                    }
                            },
                            "browser": {
                                    "secretFromInbox": true
                            },
                            "inbox": {
                                    "header": "Authorization",
                                    "prefix": "Bearer ",
                                    "inBody": false
                            },
                            "outbox": {
                                    "header": "Authorization",
                                    "prefix": "Bearer ",
                                    "algorithm": "HS256",
                                    "expires": "5m",
                                    "inBody": false
                            },
                            "session": {
                                    "algorithm": "HS256",
                                    "expires": "30d"
                            }
                    },
                    "plugins": {
                            "uri": "/sdkjs-plugins",
                            "autostart": []
                    },
                    "editor":{
                            "spellcheckerUrl": "/spellchecker",
                            "reconnection":{
                                    "attempts": 50,
                                    "delay": "2s"
                            },
                            "websocketMaxPayloadSize": "1.5MB"
                    },
                    "sockjs": {
                            "sockjs_url": "",
                            "websocket": true
                    },
                    "callbackBackoffOptions": {
                            "retries": 0,
                            "timeout":{
                                    "factor": 2,
                                    "minTimeout": 1000,
                                    "maxTimeout": 2147483647,
                                    "randomize": false
                            },
                            "httpStatus": "429,500-599"
                    }
            }
    },
    "license" : {
            "license_file": "",
            "warning_limit_percents": 70,
            "packageType": 0
    },
    "FileConverter": {
            "converter": {
                    "maxDownloadBytes": 104857600,
                    "downloadTimeout": {
                            "connectionAndInactivity": "10s",
                            "wholeCycle": "2m"
                    },
                    "downloadAttemptMaxCount": 3,
                    "downloadAttemptDelay": 1000,
                    "maxprocesscount": 1,
                    "fontDir": "null",
                    "presentationThemesDir": "null",
                    "x2tPath": "null",
                    "docbuilderPath": "null",
                    "docbuilderAllFontsPath": "null",
                    "args": "",
                    "spawnOptions": {},
                    "errorfiles": "",
                    "streamWriterBufferSize": 8388608,
                    "maxRedeliveredCount": 2,
                    "inputLimits": [
                            {
                            "type": "docx;dotx;docm;dotm",
                            "zip": {
                                    "uncompressed": "50MB",
                                    "template": "*.xml"
                            }
                            },
                            {
                            "type": "xlsx;xltx;xlsm;xltm",
                            "zip": {
                                    "uncompressed": "300MB",
                                    "template": "*.xml"
                            }
                            },
                            {
                            "type": "pptx;ppsx;potx;pptm;ppsm;potm",
                            "zip": {
                                    "uncompressed": "50MB",
                                    "template": "*.xml"
                            }
                            }
                    ]
            }
    },
    "FileStorage": {
            "host": "",
            "port": 4567,
            "directory": "",
            "silent": true
    },
    "SpellChecker": {
            "server": {
                    "port": 8080,
                    "mode": "development"
            }
    }

}

Oh he also said:

Possible problems

Since the last Onlyoffice Docker update, the following error appears by default:

Error: Error response: statusCode:403 ;body:
{„message“:“Access denied“}

This is apparently because the secret is not transmitted cleanly to or from Nextcloud. I have already tried quite a lot, but nothing works. So disable the secret completely and work only with the IP address filter, see above.

So in English:
Use IP Filter, because the secret is not going to be transmitted properly to nextcloud or from nextcloud.

Hello !
I had the same issue and solved it.
In my local.json (/etc/onlyoffice/documentserver), it was written AuthorizationJwt instead of Authorization

    "inbox": {
      "header": "Authorization"
    },
    "outbox": {
      "header": "Authorization"
    }

So I had to write my secret key in this local.json and also default.json like this

                       "secret": {
                                "browser": {"string": "MYSECRETKEY", "file": "", "tenants": {}},
                                "inbox": {"string": "MYSECRETKEY", "file": "", "tenants": {}},
                                "outbox": {"string": "MYSECRETKEY", "file": ""},
                                "session": {"string": "MYSECRETKEY", "file": ""}
                        },
                        "token": {
                                "enable": {
                                        "browser": true,
                                        "request": {
                                                "inbox": true,
                                                "outbox": true
                                        }
                                },
                                "browser": {
                                        "secretFromInbox": true
                                },
                                "inbox": {
                                        "header": "Authorization",
                                        "prefix": "Bearer ",
                                        "inBody": true
                                },
                                "outbox": {
                                        "header": "Authorization",
                                        "prefix": "Bearer ",
                                        "algorithm": "HS256",
                                        "expires": "5m",
                                        "inBody": true
                                },
                                "session": {
                                        "algorithm": "HS256",
                                        "expires": "30d"
                                }
                        },

Then supervisorctl restart all
I hope it will help you!

2 Likes

oh thanks man!

In my case to make secret key work I had to use other than “Authorization” header names.

Excerpt from: /var/www/nextcloud/config/config.php

    'onlyoffice' => array (
          'verify_peer_off' => true,
          'jwt_header' => 'XOCAuth',
    )

Excerpt from: /etc/onlyoffice/documentserver/local.json

    "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "XOCAuth",
          "prefix": "Bearer ",
          "inBody": false
        },
        "outbox": {
          "header": "XOCAuth",
          "prefix": "Bearer ",
          "inBody": false
        }
      }

and

supervisorctl restart all
1 Like
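A model of the header exchange these posts are tuning, added here as an example (it is not code from any poster, from ONLYOFFICE or from Nextcloud): the sender signs an HS256 token and places it under its configured `header` and `prefix`, and the receiver only looks under the header name it was configured with. The function names, the claims and the `cloud.example` URL are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a compact HS256 JWT from a claims dict."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + _b64url(_mac(secret, signing_input))

def send(outbox, secret, claims):
    """Sender: put the signed token in the configured header, after the prefix."""
    return {outbox["header"]: outbox["prefix"] + sign_hs256(claims, secret)}

def receive(headers, header_name, prefix, secret, now=None):
    """Receiver: returns 'ok', 'no jwt', 'invalid token' or 'expired'."""
    found = {k.lower(): v for k, v in headers.items()}.get(header_name.lower())
    if not found:
        return "no jwt"            # token was sent under a header we do not read
    if not found.startswith(prefix):
        return "invalid token"
    try:
        head_b64, body_b64, sig_b64 = found[len(prefix):].split(".")
        head = json.loads(_unb64url(head_b64))
        sig = _unb64url(sig_b64)
    except ValueError:             # wrong part count, bad base64 or bad JSON
        return "invalid token"
    if not isinstance(head, dict) or head.get("alg") != "HS256":
        return "invalid token"     # pin the algorithm, never trust the token's alg
    if not hmac.compare_digest(sig, _mac(secret, head_b64 + "." + body_b64)):
        return "invalid token"     # signed with a different secret, or tampered
    claims = json.loads(_unb64url(body_b64))   # authenticated from here on
    exp = claims.get("exp")
    if exp is not None and exp < (time.time() if now is None else now):
        return "expired"
    return "ok"

# Constructed sample: header/prefix as in the local.json excerpts in this thread.
OUTBOX = {"header": "Authorization", "prefix": "Bearer "}
CLAIMS = {"url": "https://cloud.example/download", "exp": 2000000000}

def demo(now=1700000000):
    req = send(OUTBOX, "test", CLAIMS)
    return {
        "matching header and secret": receive(req, "Authorization", "Bearer ", "test", now),
        "receiver reads other header": receive(req, "AuthorizationJwt", "Bearer ", "test", now),
        "receiver has other secret": receive(req, "Authorization", "Bearer ", "wrong", now),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A header-name mismatch and a secret mismatch fail differently, which is why the two need to be checked separately on both servers.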

Thank you so much, that was the solution for me as well.

I’ve found out that the discord app and the onlyoffice-documentserver are not configured properly out of the box with this, which was really, like really hard to find. The solution is basically the same, just with different header names. IDK why they have it like that when they know it’s not working…

Please mark something as solution so people can find it easily.

Solution for docker

  1. In docker-compose.yml change the line - JWT_HEADER=Authorization to - JWT_HEADER=AuthorizationJwt
  2. In Nextcloud’s config.php add this:

         'onlyoffice' =>
           array (
             "jwt_secret" => "yourSecret",
             "jwt_header" => "AuthorizationJwt"
           )

  3. Then just go to Onlyoffice settings in Nextcloud, set the Onlyoffice server’s address, put in your secret and save

Solution for normal install

  1. In /etc/onlyoffice/documentserver/local.json change all "header": "Authorization", lines to "header": "AuthorizationJwt",
  2. In Nextcloud’s config.php add this:

         'onlyoffice' =>
           array (
             "jwt_secret" => "yourSecret",
             "jwt_header" => "AuthorizationJwt"
           )

  3. Then just go to Onlyoffice settings in Nextcloud, set the Onlyoffice server’s address, put in your secret and save
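A consistency check for the settings this thread ends up changing, added here as an example and not taken from any poster or from ONLYOFFICE: it walks a parsed local.json and reports the three `token.enable` booleans, the inbox/outbox/session secrets and the inbox/outbox header names against the values set on the Nextcloud side. The function name, the sample config and the 32-character minimum (RFC 7518 requires a key of at least 256 bits for HS256) are assumptions of the example.

```python
import copy

MIN_SECRET_LEN = 32  # assumption: HS256 keys should be at least 256 bits (RFC 7518)

def audit_jwt_config(cfg, nc_secret, nc_header):
    """Return (json_path, problem) pairs for the JWT settings in a parsed local.json.

    nc_secret / nc_header are the jwt_secret and jwt_header values used on the
    Nextcloud side. Secrets are compared but never echoed into the findings.
    """
    co = cfg.get("services", {}).get("CoAuthoring", {})
    secret, token = co.get("secret", {}), co.get("token", {})
    enable = token.get("enable", {})
    findings = []

    # The three booleans that must be true before the secret is enforced.
    flags = {
        "token.enable.browser": enable.get("browser"),
        "token.enable.request.inbox": enable.get("request", {}).get("inbox"),
        "token.enable.request.outbox": enable.get("request", {}).get("outbox"),
    }
    for path, value in flags.items():
        if value is not True:
            findings.append((path, "not true, JWT is not enforced here"))

    # The same secret has to be set for inbox, outbox and session.
    for name in ("inbox", "outbox", "session"):
        if secret.get(name, {}).get("string", "") != nc_secret:
            findings.append((f"secret.{name}.string", "differs from Nextcloud secret"))

    # Header names must agree on both sides (HTTP header names ignore case).
    for name in ("inbox", "outbox"):
        header = token.get(name, {}).get("header", "")
        if header.lower() != nc_header.lower():
            findings.append((f"token.{name}.header", f"{header!r} != {nc_header!r}"))

    if len(nc_secret) < MIN_SECRET_LEN:
        findings.append(("jwt_secret", "shorter than 32 characters, guessable"))
    return findings

# Constructed sample in the shape of the thread's local.json: secret "test",
# header "Authorization", and one of the three booleans left at false.
SAMPLE = {"services": {"CoAuthoring": {
    "secret": {"inbox": {"string": "test"}, "outbox": {"string": "test"},
               "session": {"string": "test"}},
    "token": {
        "enable": {"browser": True, "request": {"inbox": True, "outbox": False}},
        "inbox": {"header": "Authorization"},
        "outbox": {"header": "Authorization"},
    },
}}}

def fixed_sample(secret, header):
    """Copy of SAMPLE with every audited setting aligned to secret/header."""
    cfg = copy.deepcopy(SAMPLE)
    co = cfg["services"]["CoAuthoring"]
    for name in ("inbox", "outbox", "session"):
        co["secret"][name]["string"] = secret
    co["token"]["enable"]["request"]["outbox"] = True
    for name in ("inbox", "outbox"):
        co["token"][name]["header"] = header
    return cfg

if __name__ == "__main__":
    for path, problem in audit_jwt_config(SAMPLE, "test", "AuthorizationJwt"):
        print(f"{path}: {problem}")
```

To run it against a real server, pass the result of `json.load()` on the configuration the Document Server actually uses; a local.json that holds only overrides will report the keys it leaves to default.json.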