Enablement for OnlyOffice integration #2132

Closed
micbar opened this issue Jun 7, 2021 · 10 comments
Labels
Category:Research Research is needed Interaction:Needs-Concept Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced OCIS-Fastlane Planned outside of the sprint Priority:p2-high Escalation, on top of current planning, release blocker Topic:API Type:Story User Story

Comments

@micbar
Contributor

micbar commented Jun 7, 2021

Feature

Use OnlyOffice with a Full Stack ocis Instance.

Building Blocks

OnlyOffice-oCIS

Challenges

  1. How would the document server authenticate requests without a user context?
  2. How does the connector service create a user context for the Storage Server?
@micbar micbar added Interaction:Needs-Concept Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced Priority:p2-high Escalation, on top of current planning, release blocker Topic:API Category:Research Research is needed labels Jun 7, 2021
@micbar
Contributor Author

micbar commented Jun 7, 2021

@butonic @wkloucek @dragotin

We need to help OnlyOffice on the Fastlane IMO.

@wkloucek How does the Collabora / WOPI Server stack solve this issue conceptually?

@micbar micbar added the OCIS-Fastlane Planned outside of the sprint label Jun 7, 2021
@wkloucek
Contributor

wkloucek commented Jun 7, 2021

On a file open action the user is redirected to Collabora with an access token as parameter, which will be used by Collabora to authenticate against the CS3 WOPI server. The CS3 WOPI server will then will use an access token embedded in the outer access token to authenticate against REVA. Example, you can just inspect the access_token=ey... part with jwt.io: https://collabora.ocis-wopi.latest.owncloud.works/loleaflet/4aa2794/loleaflet.html?permission=edit&WOPISrc=https%3A%2F%2Fwopiserver.ocis-wopi.latest.owncloud.works%2Fwopi%2Ffiles%2F1284d238-aa92-42ce-bdc4-0b0000009157-MjVlMzMwNDQtZWU3OC00YjA1LTk5ZjUtZWFiZDM0NTVkNmQ3&access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJleUpoYkdjaU9pSklVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKaGRXUWlPaUp5WlhaaElpd2laWGh3SWpveE5qSXpNRGN6TWpZM0xDSnBZWFFpT2pFMk1qTXdOek15TURjc0ltbHpjeUk2SW1oMGRIQnpPaTh2YjJOcGN5NXZZMmx6TFhkdmNHa3ViR0YwWlhOMExtOTNibU5zYjNWa0xuZHZjbXR6SWl3aWRYTmxjaUk2ZXlKcFpDSTZleUpwWkhBaU9pSm9kSFJ3Y3pvdkwyOWphWE11YjJOcGN5MTNiM0JwTG14aGRHVnpkQzV2ZDI1amJHOTFaQzUzYjNKcmN5SXNJbTl3WVhGMVpWOXBaQ0k2SWpSak5URXdZV1JoTFdNNE5tSXRORGd4TlMwNE9ESXdMVFF5WTJSbU9ESmpNMlExTVNKOUxDSjFjMlZ5Ym1GdFpTSTZJbVZwYm5OMFpXbHVJaXdpYldGcGJDSTZJbVZwYm5OMFpXbHVRR1Y0WVcxd2JHVXViM0puSWl3aWJXRnBiRjkyWlhKcFptbGxaQ0k2ZEhKMVpTd2laR2x6Y0d4aGVWOXVZVzFsSWpvaVFXeGlaWEowSUVWcGJuTjBaV2x1SWl3aVozSnZkWEJ6SWpwYkluVnpaWEp6SWl3aWMyRnBiR2x1Wnkxc2IzWmxjbk1pTENKMmFXOXNhVzR0YUdGMFpYSnpJaXdpY0doNWMybGpjeTFzYjNabGNuTWlYU3dpYjNCaGNYVmxJanA3SW0xaGNDSTZleUpuYVdRaU9uc2laR1ZqYjJSbGNpSTZJbkJzWVdsdUlpd2lkbUZzZFdVaU9pSk5la0YzVFVSQlBTSjlMQ0p5YjJ4bGN5STZleUprWldOdlpHVnlJam9pYW5OdmJpSXNJblpoYkhWbElqb2lWM2xLYTA0eVNteGFWMVpvVDBNd05GcHRXVEJNVkZGM1RtMUpkRTlIV21sT2FURm9XV3BLYTFwRVozaGFWRnBwVFZSRmFWaFJQVDBpZlN3aWRXbGtJanA3SW1SbFkyOWtaWElpT2lKd2JHRnBiaUlzSW5aaGJIVmxJam9pVFdwQmQwMUVRVDBpZlgxOWZTd2ljMk52Y0dVaU9uc2lkWE5sY2lJNmV5SnlaWE52ZFhKalpTSTZleUprWldOdlpHVnlJam9pYW5OdmJpSXNJblpoYkhWbElqb2laWGxLZDFsWVVtOUphbTlwVEhsS09TSjlMQ0p5YjJ4bElqb3hmWDE5Lm1IeWRQb3NPNm9GZ1p0eklQcnRWT1Nydmp5aHVSYk
5oZ2pMVXlpTEl5eW8iLCJmaWxlbmFtZSI6Ii91c2Vycy80YzUxMGFkYS1jODZiLTQ4MTUtODgyMC00MmNkZjgyYzNkNTEvTmV3IGZpbGUub2R0IiwidXNlcm5hbWUiOiJBbGJlcnQgRWluc3RlaW4iLCJ2aWV3bW9kZSI6IlZJRVdfTU9ERV9SRUFEX1dSSVRFIiwiZm9sZGVydXJsIjoiL2hvbWUiLCJleHAiOjE2MjMxNTk2MDcsImVuZHBvaW50IjoiMTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTU3In0.pIbqBbv76I2VV7f8FMdW0EWgYhJU603friSNkFEv1Uc

This could basically also be done with just one access token if the OnlyOffice connector is talking to Reva and providing a custom API for OnlyOffice.

This is automatically sent by ownCloud Web.
You need to add a middleware to use it:
https://github.com/owncloud/ocis-wopiserver/blob/b4935f59799e637b3324c2e02c06c79db994dfa1/pkg/server/http/server.go#L42-L45

And then you can use it like this:
https://github.com/owncloud/ocis-wopiserver/blob/b4935f59799e637b3324c2e02c06c79db994dfa1/pkg/service/v0/service.go#L118
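
The two-layer check described in the comment above, as an added example that is not code from ocis, the WOPI server or Reva: the outer token is verified with the WOPI key, the embedded token is passed on as an opaque string and verified separately with the Reva key. The claim layout (inner token in the outer `userid` claim, `aud` of `reva`) follows the sample token in the comment; the keys, the string-valued `user` claim and the timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// mac returns the base64url HMAC-SHA256 of msg under key.
func mac(msg string, key []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// sign builds a compact HS256 JWT; used here only to construct sample tokens.
func sign(claims map[string]any, key []byte) string {
	body, _ := json.Marshal(claims)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + mac(msg, key)
}

// verify pins HS256 (the header's alg field is never consulted), then checks signature and exp.
func verify(token string, key []byte, now int64) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(mac(p[0]+"."+p[1], key))) {
		return nil, errors.New("bad signature")
	}
	var c map[string]any
	raw, _ := b64.DecodeString(p[1])
	_ = json.Unmarshal(raw, &c) // on failure c stays nil and the exp check rejects
	if exp, ok := c["exp"].(float64); !ok || now >= int64(exp) {
		return nil, errors.New("expired or missing exp")
	}
	return c, nil
}

func main() {
	inner := sign(map[string]any{"aud": "reva", "exp": 2000, "user": "einstein"}, []byte("reva-key"))
	outer := sign(map[string]any{"userid": inner, "exp": 3000}, []byte("wopi-key"))
	oc, _ := verify(outer, []byte("wopi-key"), 1000)                   // WOPI layer
	ic, err := verify(oc["userid"].(string), []byte("reva-key"), 1000) // Reva layer
	fmt.Println(ic["aud"], ic["user"], err)
}
```

Because each layer checks its own `exp`, an outer token can stay valid after the embedded one has expired, so the storage side still rejects the request.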

@pascalwengerter
Contributor

@rpocklin saw you working on sth similar in web so adding you to the loop / keeping you posted 😉

@pmaier1
Contributor

pmaier1 commented Jun 11, 2021

@Antipkin-A @LinneyS FYI

@settings settings bot removed the p2-high label Jul 1, 2021
@exalate-issue-sync exalate-issue-sync bot changed the title onlyOffice integration Enablement for OnlyOffice integration Aug 10, 2021
@settings settings bot removed the p2-high label Sep 1, 2021
@wkloucek
Contributor

wkloucek commented Sep 8, 2021

Questions

  1. How should one configure CS3 client when working from our plugin? Is
    there a possibility to load the pre-configured client?

  2. How can we send an authorized CS3 API request on behalf of the user
    from plugin backend? In the chat you specified that such a request might
    be sent via go context, but afterwards it is unclear for us which key
    has to be used, i.e. the key that other services will check for the
    authorization token presence.

  3. Do you have any simple usage example of CS3 API InitiateFileDownload
    and InitiateFileUpload methods?

  4. Is there any data that must be additionally encrypted when sent to
    the Document Server that might be hosted on another server?

    • https should be always used (with insecure option for development)
    • there is no file encryption

Implementation recommendation

  1. app provider

App provider workflow

  1. only office driver registers itself at the app registry https://github.com/cs3org/reva/blob/f004c26ecbc20e21543d6db27e2d5bfce9022146/pkg/app/provider/demo/demo.go#L35 with mimetypes it can handle and additional information https://github.com/cs3org/cs3apis/blob/63c2cee07f9008758a48691dfa45e4181b800b81/cs3/app/registry/v1beta1/resources.proto#L34-L59
  2. if a user decides to open a file with only office "GetAppURL" will be called in the only office driver: https://github.com/cs3org/reva/blob/f004c26ecbc20e21543d6db27e2d5bfce9022146/pkg/app/provider/demo/demo.go#L42-L48. This will lead ownCloud Web to open the given content in an iframe (as a form post or with a http get, is currently being implemented).

In order for this to work you need a server that:

  • serves some html which can be embedded into that iframe

The html in the iframe can receive a token and additional information via form parameters (form post) or as headers (http get).

The token can then be used to load the document via the CS3APIs and display it (from the backend which also served the html)

@wkloucek
Contributor

In order that OnlyOffice works with the CS3 WOPI server, we need this patch: cs3org/wopiserver#47

Then the following deployment can open and edit files with OnlyOffice: #2478

@settings settings bot removed the p2-high label Sep 29, 2021
@glpatcern

> In order that OnlyOffice works with the CS3 WOPI server, we need this patch: cs3org/wopiserver#47

Actually with the latest fixes where Reva mints short tokens for WOPI, that patch ought to be obsolete. And if not, to be rediscussed but I still have the conceptual concern I had put there: I don't think it's good for WOPI to inspect the Reva token, so far WOPI considers it totally as an opaque info representing the user's credentials.

@wkloucek
Contributor

OnlyOffice with WOPI in oCIS can now be tried out here: https://owncloud.dev/ocis/deployment/continuous_deployment/#ocis-with-wopi-server

@wkloucek
Contributor

@micbar @pmaier1 When is this ticket done? I pinged OnlyOffice in the chat and they will have a look at the current WOPI setup. So this should be fine for now?

@kulmann
Contributor

kulmann commented Jan 18, 2022

Yes, I think we can close here. Anything else (bugs or future features) deserves new, dedicated issues.

@kulmann kulmann closed this as completed Jan 18, 2022