Office URI Schemes Security Considerations

[achifal]

Hello,

We use the ms-word:ofe|u|https://www.example.com/document.docx scheme in our application to be able to edit documents. The Office URI Scheme documentation contains a "Security Considerations" section for all schemes. The contents of these sections describe the need to guard against opening documents from untrusted remote systems, but do not contain information on how to do this.

We have tried enabling basic auth to secure documents, which is probably not the best approach since credentials will be constantly moving around the network, but this is just for testing to understand how it works. When we try to open a protected document in Word, we see a form asking for credentials (as in the screenshot).

However, the entered credentials do not affect the request that comes to the application and the request still does not contain an authorization header.

May I ask you to refer to existing or write new documentation on how to implement the mentioned protection? If you can share materials on this topic in advance, it will be very cool. Thanks in advance for your help!

[nhuray]

@achifal Did you find out a way to secure the access to the resource using an authorization mechanism ?

[achifal]

Hi @nhuray,
We used basic authentication for a while, but then we found out it was deprecated, so we switched to MS-OFBA, which allowed us to implement a custom authentication form that sends the necessary requests to our BE services. The link above has information on how to implement this in the sections below. For example, here you can find an overview of the communication between the client (office) and the server. However, this approach also has its downsides, since for it to work correctly, users must go to Options → Trust Center → Trust Center Settings → Form-based Sign-in on the office side and enable the Ask me what to do for each host option. With this option enabled, users must allow the host upon first authorization. Because of these downsides, we want to dive deeper into this topic sometime in the future and try other authentication protocols. You can find information about them here. We've had a quick look at these protocols and Passport Server Side Protocol seemed like a good fit for us, but we haven't tried implementing it in practice.