Question: Authentication

[AcidRaZor]

Hi,

May be a dumb question, but I'm asking anyway :)

The web app I'm playing around with already has authentication through JWT (my own provider)

I've deployed the WopiHost locally, with the WopiHost.Web on a separate instance on IIS. at a first stab, the WopiHost is replying with 401 Unauthorized. I haven't delved too much into it as they're just samples.

I'm assuming I could use my own JWT token and pop it into ViewData["access_token"] for an authenticated user and it should just work? Or am I missing something entirely here?

I'm also assuming there's still some work to do on the WopiBootstrapperController to implement this still? Or does the Controller do nothing at this stage to facilitate authorization?

I'm just looking to bring this into my own project without having to "hack" anything, preferably under the same Web project so I don't have to have both a Host and a Client.

Thanks!

[AcidRaZor]

Playing around with this some more and for some reason I'm getting a 404 if I include the JWT token for access_token which seems weird. I'm not sure if it's NGROK blocking the request considering that I don't see an incoming request on my setup. When it defaults to the "Anonymous" example, it hits again. When I use the URL (with just the access_token) in the query string without the Bearer, I get a 401, so clearly not NGROK blocking it for some reason. Seems super weird (just ramblings of a madman, ignore me)

[AcidRaZor]

Looks like if you're using a security token / JWT token for access_token, the ExecuteTestMethod throws a 404. So I'm assuming there is some kind of limit on this and you can't use a JWT token in here.

https://ffc-onenote.officeapps.live.com/hosting/ExecuteTestMethod.ashx?WOPISrc=https%3A%2F%2F3a86%2D114%2D23%2D150%2D99%2Engrok%2Dfree%2Eapp%2Fwopi%2Ffiles%2F01SJSV466HCAVY6WPPS5D2M5ES7F334FO7&access_token=eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8[trimmed]&access_token_ttl=1748008260365%2E5315&testType=&testcategory=&test=FullCheckFileInfoSchema

[petrsvihlik]

As per the docs:

A WOPI client requires no understanding of the format or content of the token.

You pass the access token from the host page (web app under your control) to the WOPI Client (office online). WOPI client uses it for authnz against the wopi host (web API under your control).
And sure it can be JWT - they use it in the official example too. https://github.com/OfficeDev/PnP-WOPI/blob/45bc12fe7f16012d45ee225bc3630c6e008a1eda/com.microsoft.dx.officewopi/Controllers/HomeController.cs#L67

In my implementation:

• AccessTokenHandler - handles authentication
• WopiAuthorizationHandler - handles resource-based authorization

The implementation is not complete yet. I might take inspiration in the official https://github.com/OfficeDev/PnP-WOPI example.

I'm also assuming there's still some work to do on the WopiBootstrapperController to implement this still? Or does the Controller do nothing at this stage to facilitate authorization?

The wopibootstrapper is not finished yet either.

I'm just looking to bring this into my own project without having to "hack" anything, preferably under the same Web project so I don't have to have both a Host and a Client.

You'll always need a host to serve the files and a client (page/frame) to host the WOPI client.