You need to add the appropriate parameters to the link that the user clicks on.
Have a look at an existing document library and see the links that it creates:
https://mytenant.sharepoint.com/_layouts/15/WopiFrame.aspx?sourcedoc={1767368F-62FB-4C40-B3F2-C4EE44E88735}&file=My%20Document.doc&action=default
If the user is not licensed for Office 365, I think that they will still be offered a download. Not entirely sure though as we don't allow that on our tenancy. Certainly if they are only provisioned with SP Online and not the rest of O365, they can view the document online but cannot edit. Though recently we've seen people still able to edit - not yet sure if that is one of Microsoft's secret updates or a mistake by them.
RESPONSES TO COMMENTS:
When I say not provisioned in the rest of O365, I really meant that they were licensed for SharePoint but not anything else (a P2 license rather than an E3); that doesn't give rights to use the online (or iPad) editors. As far as I know, the only real way to test for that is to either try it or to use an Admin account to look at the license.
You cannot "pass credentials" to WOPI since credentials for Office 365 applications come from a separate system. You have to get credentials before you are allowed to access anything in Office 365. Basically, Azure AD is the service and the login is done via login.microsoft.com; the login provides a token to your browser that is exchanged with the server on every request. To reuse an existing credential, you have to be using an application that "knows" you have already logged in. Typically, Microsoft use a helper application that picks up the login from IE if that's how you logged in and makes it available to other applications such as Office. If you are using Firefox to log in, IE and Office may not know that you have done so (though there is a plugin for FF that gets installed if you let it which does the same thing).
By the way, if you know how it REALLY works, please don't shoot me down for trying to simplify the process for others. :)
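An added example, not part of the original answer: building and reading back a WopiFrame.aspx link with the three parameters shown in the sample URL above (sourcedoc, file, action), with each value validated and percent-encoded so a file name cannot inject extra parameters. The function names and the letters-only check on action are assumptions made for this illustration; the braces around the GUID come out percent-encoded (%7B, %7D), which is the encoded form of the same value.

```javascript
// Hypothetical helpers (not a SharePoint API): build and parse links of the
// form <site>/_layouts/15/WopiFrame.aspx?sourcedoc={GUID}&file=<name>&action=<action>
const WOPI_PATH = "/_layouts/15/WopiFrame.aspx";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function buildWopiLink(siteUrl, docGuid, fileName, action = "default") {
  const site = new URL(siteUrl);
  if (site.protocol !== "https:") throw new Error("site URL must be https");

  // Accept the GUID with or without surrounding braces, then validate it.
  const guid = String(docGuid).replace(/^\{|\}$/g, "");
  if (!GUID_RE.test(guid)) throw new Error("sourcedoc must be a GUID");

  // Assumption for this example: action is a plain word such as "default".
  if (!/^[a-z]+$/i.test(action)) throw new Error("unexpected action value");
  if (!fileName) throw new Error("file name is required");

  const base = site.origin + site.pathname.replace(/\/$/, "");
  // encodeURIComponent keeps '&', '#', '=' and spaces in the file name from
  // being read as URL syntax.
  return base + WOPI_PATH +
    "?sourcedoc=" + encodeURIComponent("{" + guid.toUpperCase() + "}") +
    "&file=" + encodeURIComponent(fileName) +
    "&action=" + encodeURIComponent(action);
}

function parseWopiLink(link) {
  const url = new URL(link);
  if (!url.pathname.toLowerCase().endsWith(WOPI_PATH.toLowerCase())) {
    throw new Error("not a WopiFrame link");
  }
  const p = url.searchParams; // values are percent-decoded here
  return {
    site: url.origin + url.pathname.slice(0, -WOPI_PATH.length),
    sourcedoc: (p.get("sourcedoc") || "").replace(/^\{|\}$/g, ""),
    file: p.get("file"),
    action: p.get("action"),
  };
}

// The sample link from the answer, read back into its parts.
const sample = parseWopiLink(
  "https://mytenant.sharepoint.com/_layouts/15/WopiFrame.aspx" +
  "?sourcedoc={1767368F-62FB-4C40-B3F2-C4EE44E88735}&file=My%20Document.doc&action=default");
console.log(sample);
console.log(buildWopiLink(sample.site, sample.sourcedoc, sample.file, sample.action));
```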