WOPI Token - Secret Key

350 views Asked by At

I'm trying to implement WOPI on my application but im having a hard time to find the secret key to generate a token see below image for the sample code from github

Generate Token code:

public SecurityToken GenerateAccessToken(string userId, string resourceId)
    {
        var user = _userDatabase[userId];

        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = user.Identities.FirstOrDefault(),
            Expires = DateTime.UtcNow.AddHours(1), //access token ttl: https://wopi.readthedocs.io/projects/wopirest/en/latest/concepts.html#term-access-token-ttl
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };

        return _tokenHandler.CreateToken(tokenDescriptor);
    }

Get Key, the sample below is just a dummy key but there's no guide where to get it

private SymmetricSecurityKey Key
    {
        get
        {
            if (_key is null)
            {
                //RandomNumberGenerator rng = RandomNumberGenerator.Create();
                //byte[] key = new byte[128];
                //rng.GetBytes(key);
                var key = Encoding.ASCII.GetBytes("secretKeysecretKeysecretKey123"/* + new Random(DateTime.Now.Millisecond).Next(1,999)*/);
                _key = new SymmetricSecurityKey(key);
            }

            return _key;
        }
    }

Im using this GitHub below for the reference https://github.com/petrsvihlik/WopiHost/blob/5a1c78a9102d56b62e8023c2c045d6f056008ed2/WopiHost.FileSystemProvider/WopiSecurityHandler.cs#L66

1

There are 1 answers

0
rocky On

The implementation of the key validation is intentionally left up to the developer here. You can use the preconfigured SecurityAlgorithms.HmacSha256 or you can swap it with an asymmetric algorithm.

If you wish to continue using the symmetric key, the idea is to configure the environment with the key. So you can put your secret key in the environment variables and replace secretKeysecretKeysecretKey123 with System.Environment.GetEnvironmentVariable("WOPI_SECRET").

However, this part of the OS project is not quite finalized so it may require a little more work here and there.