Office Online Server secure authentication

Varun Arora 1 Reputation point
2022-03-23T21:30:48.1+00:00

Hello Team,

We have Office Online Server that's connected to our own custom WOPI Host for serving Office docs.

We are trying to use Office Online Server in our website in an iframe, and that's working perfectly.
Our website uses cookie-based authentication and we want to secure Office Online Server for our logged-in users only.
Right now no security is configured as it's still under POC development.

Can you please help us understand how we can secure access to Office Online Server for our logged-in users only?

Thanks,
Varun


1 answer

  1. Hung-Chun Yu 976 Reputation points Microsoft Employee
    2022-03-26T18:38:54.637+00:00

    @Varun Arora

    Office Online Server doesn't restrict access from web apps for its action URLs. One of the options is to restrict access via IIS. Here is a step-by-step guide on IIS 8.0 Dynamic IP Address Restrictions.

    In other words, Office Online does not do any authentication. Hosts are expected to handle authentication and authorization by providing WOPI access tokens. All user-related information is provided to Office Online by the host using properties in CheckFileInfo.

    Access token

    An access token is a string used by the host to determine the identity and permissions of the issuer of a WOPI request.

    Access tokens must be valid for the user permissions that are provided by the host in the CheckFileInfo response. For example, if the view action is invoked, and the UserCanWrite property is set to true in the CheckFileInfo response, then the client may re-use that token when transitioning to edit mode. Thus, a WOPI client will expect that any access token is valid for operations that the user has permissions to perform. If a host wishes to issue access tokens that are more narrowly scoped, then the user permissions properties in the CheckFileInfo response must reflect the permissions that the token provides.

    The WOPI host that stores the file has the information about user permissions, not the WOPI client. For this reason, the WOPI host must provide an access token that the client will then pass back to it on subsequent WOPI requests. When the WOPI host receives the token, it either validates it, or responds with an appropriate HTTP status code if the token is invalid or unauthorized.
    For detailed information on access tokens, please refer to Key concepts under the WOPI REST API Reference.
    Let me know if this answers your question.

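The token flow described in the answer above, as an added example that is not part of the original thread and not Microsoft's or the poster's code: the website maps its authentication cookie to a user, decides that user's permission on the requested file, mints a per-file access token, and hands Office Online Server the action URL plus the `access_token` / `access_token_ttl` form fields for the iframe; the WOPI host then validates that token on every WOPI call and reports `UserCanWrite` in CheckFileInfo consistently with the token's scope. The HMAC-SHA256 token format, the in-memory session and file tables, the hostnames and the exact status-code mapping for a read-only token on PutFile are all assumptions made for this example.

```python
"""Added example (not from the original thread): minimal WOPI host access-token
handling that bridges a cookie-authenticated web session to the per-file
access_token Office Online Server passes back on every WOPI request.

Assumptions (hypothetical, not from the page): HMAC-SHA256 token format,
in-memory session/file tables, and the host/OOS URLs below.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

SECRET = b"replace-with-32-random-bytes-from-a-secret-store"   # assumed secret
HOST_BASE = "https://wopi.example.test/wopi/files"               # assumed WOPI host
OOS_ACTION = "https://oos.example.test/we/wordeditorframe.aspx"  # assumed action URL

# Constructed sample data: auth cookie value -> logged-in user, and file ACLs.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
FILES = {
    "doc1": {"name": "plan.docx", "size": 4096, "owner": "alice",
             "writers": {"alice"}, "readers": {"bob"}},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user, file_id, can_write, ttl_s=3600, now=None):
    """Mint a token bound to user, file, write scope and expiry -> (token, ttl_ms)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "file": file_id, "write": bool(can_write), "exp": now + ttl_s}
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    # access_token_ttl is the expiry as milliseconds since the Unix epoch.
    return f"{payload}.{sig}", claims["exp"] * 1000


def validate_access_token(token, file_id, now=None):
    """Run on every WOPI request: returns (claims, 200) or (None, status)."""
    now = int(time.time()) if now is None else now
    payload, sep, sig = token.partition(".")
    if not sep:
        return None, 401
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None, 401          # forged or tampered: invalid access token
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        return None, 401          # expired token
    if claims["file"] != file_id:
        return None, 404          # token minted for another file: unknown/unauthorized
    return claims, 200


def check_file_info(token, file_id, now=None):
    """CheckFileInfo: the permissions reported must match what the token allows."""
    claims, status = validate_access_token(token, file_id, now)
    if claims is None:
        return status, None
    f = FILES[file_id]
    body = {"BaseFileName": f["name"], "Size": f["size"], "OwnerId": f["owner"],
            "UserId": claims["sub"], "Version": "1",
            "UserCanWrite": claims["write"], "ReadOnly": not claims["write"]}
    return 200, body


def put_file(token, file_id, now=None):
    """PutFile: refuse writes with a token that was minted read-only."""
    claims, status = validate_access_token(token, file_id, now)
    if claims is None:
        return status
    if not claims["write"]:
        return 401                # assumed mapping; confirm against the WOPI reference
    return 200


def build_launch(cookie, file_id, now=None):
    """Website side: cookie -> user -> permission -> token -> iframe POST fields.
    Returns None when the visitor is not logged in or has no access to the file."""
    user = SESSIONS.get(cookie)
    f = FILES.get(file_id)
    if user is None or f is None:
        return None
    can_write = user in f["writers"]
    if not can_write and user not in f["readers"]:
        return None
    token, ttl_ms = issue_access_token(user, file_id, can_write, now=now)
    wopi_src = f"{HOST_BASE}/{file_id}"
    return {"action_url": f"{OOS_ACTION}?{urlencode({'WOPISrc': wopi_src})}",
            "form": {"access_token": token, "access_token_ttl": str(ttl_ms)}}
```

The point to carry over to a real host is that Office Online Server never sees the site's cookie: the only credential it holds is the `access_token` the site minted after checking that cookie, so the host must treat every WOPI request as anonymous until that token verifies, and a read-only token must both report `UserCanWrite: false` and be rejected on PutFile.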