errors opening protected link from Excel

[hmoffatt]

I've got some URLs protected by mod_auth_openidc (2.4.4.1) embedded in an Excel spreadsheet. When I try to open them, I end up at a 500 Internal server error page from the module in my browser.

The access log shows that Excel tries to open the link first and only passes it to the browser once it's hit the redirect link.

<IP> - - [01/Jul/2021:11:36:41 +1000] "HEAD /my_url?my_arg=1 HTTP/1.1" 401 433 "-" "Microsoft Office Excel 2014"
<IP> - - [01/Jul/2021:11:36:41 +1000] "GET /my_url?my_arg=1 HTTP/2.0" 302 1482 "-" "Mozilla/4.0 (compatible; ms-office)"
<IP> - - [01/Jul/2021:11:36:42 +1000] "GET /_redirect_uri?state=PbqeJBX5fUKWG37AegG4dzNvXlU&session_state=e5b47b86-6df8-44ed-a0c1-ff37e3e5480f&code=3c6bde81-5406-4c02-a2d6-498be1ed5e9b.e5b47b86-6df8-44ed-a0c1-ff37e3e5480f.af112205-ace6-4242-9e16-64e9627c5fb6 HTTP/2.0" 500 670 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"

The error log shows

[Thu Jul 01 11:37:49.920829 2021] [auth_openidc:warn] [pid 13839:tid 140204494821120] [client <IP>:57984] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_5NFCiq3rP_WjqCg1V0DRtPEQy1s) has expired (original_url=https://host.domain.com/my_url?my_arg=1)
[Thu Jul 01 11:37:49.921117 2021] [auth_openidc:warn] [pid 13839:tid 140204494821120] [client <IP>:57984] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_IYMDJG6Ku2uID3wxax7NRDKbGKo) has expired (original_url=https://host.domain.com/my_url?my_arg=1)
[Thu Jul 01 11:37:50.252514 2021] [auth_openidc:error] [pid 13839:tid 140204494821120] [client <IP>:57988] oidc_restore_proto_state: no "mod_auth_openidc_state_Oct3RK9YakGUzTser7OCkf-_hEo" state cookie found
[Thu Jul 01 11:37:50.252726 2021] [auth_openidc:error] [pid 13839:tid 140204494821120] [client <IP>:57988] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:809: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781]
[Thu Jul 01 11:37:50.252790 2021] [auth_openidc:error] [pid 13839:tid 140204494821120] [client <IP>:57988] oidc_authorization_response_match_state: unable to restore state
[Thu Jul 01 11:37:50.252840 2021] [auth_openidc:error] [pid 13839:tid 140204494821120] [client <IP>:57988] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...

Is there any way to make this work, or failing that, make the error a bit more user friendly? What does setting the default SSO URL actually do in this case?

Thanks,
Hamish

[Meheni]

Hi,

i have the same error with microsoft word.
Did you find a solution ?

best regards,
meheni

[hmoffatt]

Unfortunately no I did not.

[zandbelt]

this is because session cookies are not shared between the browser and the offfice app; you'll have to refer to the MS docs to find out how to circumvent this but I'm not sure it is feasible without security implications

[Meheni]

Hi,

I found this solution but I don't know if there is a security impact?

OIDCUnAuthAction pass '%{HTTP_USER_AGENT} == "Mozilla/4.0 (compatible; ms-office)"'

best regards,
Meheni

[zandbelt]

that's providing unauthenticated access to any browser that sets its user agent header to that value, so it basically renders your content unprotected, that's probably not what you want unless the content is public indeed (but then you don't need to apply authentication at all)

[Meheni]

Thank you for those comments.

indeed, this is not what I want to do, but it is the only solution that I have found currently for users because it is not possible to modify the windows registry for each user.

Without the parameter OIDCUnAuthAction pass '%{HTTP_USER_AGENT} == "Mozilla/4.0 (compatible; ms-office)"', I have this :

   2021-12-03 13:44:41,846 GET /app **401** - IP 1 - "-" "Microsoft Office Excel 2014 (16.0.13127) Windows NT 10.0" YaoROcfjhgj7Pcm3@gAAAAM "-" "-" "401" "-" "-" "401" "-" "401" mlbcookie: "-" "-"
   2021-12-03 13:44:41,936 GET /app/ **302** - IP 0 598 "-" "Mozilla/4.0 (compatible; ms-office)" YaoROdghsawheDmWhfgAAAQ "-" "-" "302" "-" "-" "302" "-" "302" mlbcookie: "-" "-"

and the error message after authentication:

[Thu Jul 01 11:37:50.252514 2021] [auth_openidc:error] [pid 13839:tid 140204494821120] [client <IP>:57988] oidc_restore_proto_state: no "mod_auth_openidc_state_Oct3RK9YakGUzTser7OCkf-_hEo" state cookie found

with the parameter OIDCUnAuthAction pass '%{HTTP_USER_AGENT} == "Mozilla/4.0 (compatible; ms-office)"', I have this :

2021-12-03 13:46:09,486 HEAD /app 302 - IP 1 - "-" "Microsoft Office Excel 2014 (16.0.13127) Windows NT 10.0" YaoRkXfK@ytytreqQnpD-QAAAAs "-" "-" "302" "-" "-" "302" "-" "302" mlbcookie: "-" "-"
2021-12-03 13:46:09,581 GET /app/index.php 200 "" IP  2 2135 "-" "Mozilla/4.0 (compatible; ms-office)" YaoRkRvuYtX5Mh1Xo2R-pgAAAAw "-" "-" "200" "" "-" "200" "-" "200" mlbcookie: "-" "-"
2021-12-03 13:46:10,298 GET /app/ 302 - IP 0 598 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" YaoRkqjO6rtyrtezecEQAAAA0 "-" "-" "302" "-" "-" "302" "-" "302" mlbcookie: "-" "-"

we see that there is a redirection of the browser without the headers from MS-office to the OP, which means that after authentication, it finds its session well.

[zandbelt]

even if there's no session "pass" would allow the request, that's the point that I'm trying to make