ONLYOFFICE - JWS secret doesn't work (can connect without)

Question

I'm running ONLYOFFICE Document Server under an https:// vhost on nginx on Ubuntu Server 18.04 LTS. It's reachable at onlyoffice.example.com and I also have a Nextcloud instance at nextcloud.example.com that it integrates with.

To prevent unauthorised access to my server, I used to have a JWT authentication key inside my /etc/onlyoffice/documentserver/default.json file for browser, inbox, outbox and session strings. After updating to version 5.2.0, I had to reset my default.json file to default (from the GitHub repository) as ONLYOFFICE would not work otherwise for some reason (?), and then I set my PostgreSQL DB password correctly as well as the four key strings (all equal) mentioned above.

I also ensured that secret key authentication was set on true for all three options (browser, inbox and outbox).

Then I ran:

#: supervisorctl restart all
#: systemctl restart nginx

and successfully restarted my webserver and ONLYOFFICE.

When I go into Nextcloud ONLYOFFICE settings, with no key entered my instance works perfectly. If instead I specify any secret key (including the correct very one), it gives me the following error

Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.)

It's worth nothing that this way there is no security at all, and anyone can use my ONLYOFFICE Document Server for free on their systems.

Here's a screenshot of the relevant part (starting at line 132) of my /etc/onlyoffice/documentserver/default.json file (where the red X is, I covered my secret key in Snipping Tool for privacy).

Answer 1

After additional tests, I tried to intentionally replace the database password in the default.json file with a wrong one, and to my great surprise, ONLYOFFICE still worked! I even deleted important entries, and ONLYOFFICE didn't bat an eye.
This meant that ONLYOFFICE was looking at another config file. I did:

root@server:/# ls /etc/onlyoffice/documentserver

and I discovered that there are several other config files after the update to 5.2:

default.json            development-mac.json      log4js     production-linux.json
default.json.dpkg-dist  development-windows.json  logrotate  production-windows.json
default.json.old        local.json                nginx      supervisor

I inspected the different config files and it looks like local.json contains my correct PostgreSQL configuration, the default "secret" keys and minimal options for enabling/disabling them. It's a 44-line long file, vs the 241 lines in default.json.
I correctly configured my local.json file and finally, Nextcloud gave me a token error. I updated secret key info in Nextcloud ONLYOFFICE settings and now JWS authentication is working properly!

TL;DR

A poorly documented change with ONLYOFFICE version 5.2.0 consists in the config file no longer being /etc/onlyoffice/documentserver/default.json, but now rather /etc/onlyoffice/documentserver/local.json. Hence, to modify ONLYOFFICE configuration, the file to edit now is /etc/onlyoffice/documentserver/local.json.

Answer 2

I have been trying to resolve the same issue - I have a docker container setup so based on the feedback - I was able to locate my token as per the screenshot provided and instead of modifying any file I was able to add the token in the GUI under only office as per screenshot attached - Then OnlyOffice worked as expected

Hope that helps

onlyoffice settings