VarunArora-8583 avatar image
0 Votes"
VarunArora-8583 asked HungChunYu-3579 edited

Office Online Server secure authentication

Hello Team,

We have Office Online Server that's connected to our own custom WOPI Host for service Office docs.

We are trying to use Office Online Server in our in an iframe that's working perfectly.
Our website uses cookie based authentication and we want to secure office online server for our logged in users only.
Right now no security is configured as its still under POC development.

Can you please help us understand how can we secure access to Office Online Server for our logged in users only?


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @VarunArora-8583,

Thanks for your question. One of the Open Specifications team will respond shortly to assist.

Best regards,
Tom Jebo
Sr Escalation Engineer
Microsoft Open Specifications Support

0 Votes 0 ·

1 Answer

HungChunYu-3579 avatar image
0 Votes"
HungChunYu-3579 answered HungChunYu-3579 edited


Office Online Server doesn’t restrict access from web apps for its action URLs. One of the options is by restrict access via IIS. Here is a step-by-step guide on IIS 8.0 Dynamic IP Address Restrictions

In other words, Office Online does not do any authentication. Hosts are expected to handle authentication and authorization by providing WOPI access tokens. All user-related information is provided to Office Online by the host using properties in CheckFileInfo.

Access token

An access token is a string used by the host to determine the identity and permissions of the issuer of a WOPI request.

Access tokens must be valid for the user permissions that are provided by the host in the CheckFileInfo response. For example, if the view action is invoked, and the UserCanWrite property is set to true in the CheckFileInfo response, then the client may re-use that token when transitioning to edit mode. Thus, a WOPI client will expect that any access token is valid for operations that the user has permissions to perform. If a host wishes to issue access tokens that are more narrowly scoped, then the user permissions properties in the CheckFileInfo response must reflect the permissions that the token provides.

The WOPI host that stores the file has the information about user permissions, not the WOPI client. For this reason, the WOPI host must provide an access token that the client will then pass back to it on subsequent WOPI requests. When the WOPI host receives the token, it either validates it, or responds with an appropriate HTTP status code if the token is invalid or unauthorized.
For detail information on Access token, please refer to Key concepts under WOPI REST API References WOPI REST API Reference
Let me know if this answers your question.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.