Hi, I can finally confirm that with upgrading to Zero 12.4.2 these old sessions are being cleared.
Hello @ismcagdas, how can we resolve this now? I think this is something that should be fixed properly in the next Zero version, as the entities currently created by Power Tools are clearly buggy. I see the following issues:
I think this calls for implementing task cancellation in the backend and some UI optimization to make the look and feel consistent?
Any news on this please..? We need to fix this soon for our customers. Thanks again!
It's an updated solution but I think we have overwritten all those "basic" parts with the files of the brand new 12.4.2 project. I'll check when there is some time left for this!
Thanks for your reply. I had a look at this documentation in the past already, but unfortunately that won't work in this case, at least as far as I understand.
The essential part is that the Onlyoffice server must be able to make calls to our Zero endpoint. Onlyoffice provides a token with that, signed with a security key that both sides share. We have no chance to change anything on the Onlyoffice side, except for the security key of course. We don't have user context with these calls, but that's not an issue because we know the record id of the concerned document in our database. So basically we need a Zero endpoint accepting the calls from Onlyoffice and verifying the token against a shared security key as they are.
It worked fine in Zero 8.1 by adding this to AuthConfigurer.cs (and the related settings in appconfig.json of course):
[...]
public static void Configure(IServiceCollection services, IConfiguration configuration)
{
    [...]
    if (bool.Parse(configuration["OnlyOffice:IsEnabled"]))
    {
        var securityKey = new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes(configuration["OnlyOffice:CallBackSecret"]));
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer("OnlyOfficeBearerToken",
            options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateAudience = false,
                    ValidateActor = false,
                    ValidateIssuer = false,
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true,
                    IssuerSigningKey = securityKey // the security key shared with Onlyoffice
                };
                options.RequireHttpsMetadata = false;
                options.SaveToken = true;
            });
    }
    [...]
...and creating a controller for the Zero API endpoint like this:
public class DocumentController : XXXControllerBase
[...]
    [DisableAuditing]
    [Authorize(AuthenticationSchemes = "OnlyOfficeBearerToken")]
    [HttpPost]
    [RequestSizeLimit(100_000_000)]
    public async Task OnlyOfficeCallbackHandler()
    {
        Claim payloadclaim = this.HttpContext.User.FindFirst(c => c.Type == "payload");
        string body = payloadclaim?.Value;
        // process body etc...
[...]
With Zero 12.4.2, it doesn't accept the token from Onlyoffice anymore, as mentioned initially:
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '1'.
Number of keys in Configuration: '0'.
Exceptions caught:
'[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignatureAndIssuerSecurityKey(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
--- End of stack trace from previous location ---
I hope that I could explain it in such a way that it makes sense to you :-)
Hi @ismcagdas
When calling/opening Onlyoffice, we have to build the token like this from the Angular frontend:
let oHeader = { alg: 'HS256', typ: 'JWT' };
let sHeader = JSON.stringify(oHeader);
let sPayload = JSON.stringify(config);
let sJWT = KJUR.jws.JWS.sign('HS256', sHeader, sPayload, this.officeCredentials);
This token was and still is fine; it's accepted by Onlyoffice with the same officeCredentials configured. Onlyoffice then downloads the document from the Zero backend via /File/DownloadTempFile/....
Onlyoffice then starts to make calls back to the Zero backend, where it builds the token in the same way (as described here https://api.onlyoffice.com/editors/security). We have a custom controller/endpoint class which handles these callbacks for status handling and saving the document back to our DB on closing. This is the part that worked with 8.1, but doesn't with 12.4.2, as described in my original post:
public class DocumentController : XXXControllerBase
[...]
    [DisableAuditing]
    [Authorize(AuthenticationSchemes = "OnlyOfficeBearerToken")]
    [HttpPost]
    [RequestSizeLimit(100_000_000)]
    public async Task OnlyOfficeCallbackHandler()
    {
        Claim payloadclaim = this.HttpContext.User.FindFirst(c => c.Type == "payload");
        string body = payloadclaim?.Value;
        // process body etc...
Hi, Thanks for this information. Updating will take a while - just to confirm, 12.4.2 contains a fix regarding idle connections that 12.1.0 doesn't contain? Because 12.1.0 also had idle connections "ClientRead" older than 300 seconds, even shortly after startup and without any load at all. Those should get closed too, right?