Reputation: 11
I'm trying to use MS-OFBA to authenticate Word and Excel documents before editing them on a web server (.NET Core) that they're hosted on. However, after authenticating with MS-OFBA and receiving the authentication cookie, Word doesn't send the cookie in subsequent OPTIONS requests (it does send it in some other requests, so I can tell that it has received the cookie). As such, the web server has no way of telling whether Word is authenticated or not, and it gets stuck in a loop of asking Word for credentials.
The MS-OCPROTO specification says this is expected behavior in one section (2.1.2.1.2.2) and then contradicts itself and says OPTIONS requests do send cookies in another (3.1). Given that I'm not receiving cookies, I assume that section 2.1.2.1.2.2 is the correct section. If that's the case, then how is it ever possible to authenticate Word using MS-OFBA (which is specifically made for authenticating Office)?
Has anyone ever used MS-OFBA to authenticate Word before, and if so, how did you detect if Word was authenticated when it doesn't send cookies on OPTIONS requests? Is there a way of using MS-OFBA so that Word sends authentication outside cookies?
I'm super stuck on this, so I'd be incredibly grateful for any help or pointers in the right direction.
Upvotes: 0
Views: 1193
Reputation: 5894
OPTIONS requests should be processed without authentication; possibly this is the reason why cookies are not attached. Please see the explanation about OPTIONS here: OPTIONS request authentication
IT Hit WebDAV Server Engine supports adding MS-OFBA to .NET Core projects with both 'Individual User Accounts' and 'Work or School Accounts' options since v11+. Please see how to add MS-OFBA here: https://www.webdavsystem.com/server/documentation/choosing_authentication/azure-ad-auth/
Upvotes: -1
Reputation: 309
I can confirm that once authenticated with MS-OFBA, all of the WebDAV related requests coming from Microsoft Office clients include authentication cookies.
Make sure you are following the MS-OFBA protocol to the letter, including the expected HTTP response codes.
According to this document, all requests after this response should have the cookie - note that the response code must be 302 and the redirect location must match X-FORMS_BASED_AUTH_RETURN_URL exactly.
S: HTTP/1.1 302 Object Moved
Location: https://www.contoso.com/OnSuccess.aspx
Set-Cookie: Authentication=<server-determined hash of the user’s identity>
Upvotes: 2
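The two conditions named in the answer above (status 302, and a Location that matches X-FORMS_BASED_AUTH_RETURN_URL exactly) can be checked against a captured exchange. The following is an added example, not code from any of the posters or from the MS-OFBA specification; the function names, the Login.aspx URL and the sample messages are constructed for illustration.

```python
# Added example: checks a captured MS-OFBA sign-in exchange against the
# conditions named in the answer above. All sample messages are constructed.
CHALLENGE = """HTTP/1.1 403 Forbidden
X-FORMS_BASED_AUTH_REQUIRED: https://www.contoso.com/Login.aspx
X-FORMS_BASED_AUTH_RETURN_URL: https://www.contoso.com/OnSuccess.aspx"""
GOOD = """HTTP/1.1 302 Object Moved
Location: https://www.contoso.com/OnSuccess.aspx
Set-Cookie: Authentication=constructed-value"""
BAD = """HTTP/1.1 200 OK
Location: https://www.contoso.com/onsuccess.aspx"""

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, [(name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only, URLs stay intact
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def header_values(headers, name):
    """All values of a header; names compare case-insensitively."""
    return [v for n, v in headers if n == name.lower()]

def check_ofba_success(challenge_raw, success_raw):
    """Return a list of problems; an empty list means the exchange matches."""
    _, challenge_headers = parse_response(challenge_raw)
    status, success_headers = parse_response(success_raw)
    return_urls = header_values(challenge_headers, "X-FORMS_BASED_AUTH_RETURN_URL")
    if not return_urls:
        return ["challenge has no X-FORMS_BASED_AUTH_RETURN_URL header"]
    problems = []
    if status != 302:
        problems.append(f"success response is {status}, expected 302")
    locations = header_values(success_headers, "Location")
    # Exact, case-sensitive string comparison with no URL normalisation.
    if locations != [return_urls[0]]:
        problems.append(f"Location {locations} != return URL {return_urls[0]!r}")
    if not header_values(success_headers, "Set-Cookie"):
        problems.append("success response sets no cookie")
    return problems

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("bad", BAD)):
        print(label, check_ofba_success(CHALLENGE, resp) or "OK")
```

Paste the response heads from a proxy trace in place of the constructed samples; a Location that differs only in letter case or a trailing slash is reported as a mismatch.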