We have a custom WebDAV solution using the IT Hit WebDAV server component. For authentication we are using an Identity Server 4 implementation. The authentication flow, from the user's perspective, is roughly as follows:
- The user clicks the link to the WebDAV document in the application.
- Office (in most of our test cases, Word) is opened.
- If this is the first time the user has opened a document (or the cookie has expired) a login dialogue is shown.
- The user enters their username and password, hits the login button and if successful the document is opened.
Behind the scenes the flow is similar to the following:
- A HEAD request is made to the parent folder of the document e.g. https://webdav.example.com/documents/
- The response to this request contains the headers necessary for Office to show the login dialogue (X-FORMS_BASED_AUTH_REQUIRED etc.).
- Office follows the URL from the value of the X-FORMS_BASED_AUTH_REQUIRED header. e.g. https://identityserver.example.com/connect/authorize?client_id=WebDAV&response_type=code+id_token+token...
- This returns a 302 response with a location similar to: https://identityserver.example.com/account/login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DWebDAV%26response_type%3Dcode%2520id_token%2520token...
- Office opens this URL in the dialogue. Once the user enters their credentials and hits login, a POST request is made to the login form; this returns a 302 with the location of the Identity Server callback URL, e.g. https://identityserver.example.com/connect/authorize/callback?client_id=WebDAV&response_type=code%20id_token%20token...
- A GET request is made to this URL which then POSTs the Identity Server info (tokens) to the configured client callback URL e.g. https://webdav.example.com/account/callback.
- This is a custom endpoint that stores the Identity Server access token in a cookie (so that Office can use the cookie) and then responds with a 302 with the location of https://webdav.example.com/account/success. This URL is the same one configured in the X-FORMS_BASED_AUTH_RETURN_URL header.
On a Windows client this all works fine. However, on a Mac (Mac OS Sierra 10.12.6) using Office 2016 (16.11.1 (180319)) we see that the 302 response is returned from the https://webdav.example.com/account/callback URL but it's never followed: there's no GET request made to https://webdav.example.com/account/success. In addition, there are further WebDAV requests made, and stepping through the code we can see that the cookie never seems to be set on the Mac despite the code to do that being executed without error.
So, what's going on?
Thanks, Stuart.
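For readers following the exchange above, here is an added, framework-free model of the three server-side steps (the forms-based auth challenge, the callback that sets the cookie, and reading the cookie back on the next WebDAV request). It is example code, not the poster's or IT Hit's implementation; the endpoint URLs, cookie name and cookie attributes are assumptions.

```python
"""Model of the MS-OFBA (forms-based auth) exchange described in the post.
Each step returns a (status, headers) pair so it can be exercised offline."""
from __future__ import annotations
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Hypothetical deployment values; replace with the real endpoints.
AUTHORIZE_URL = "https://identityserver.example.com/connect/authorize"
RETURN_URL = "https://webdav.example.com/account/success"
COOKIE_NAME = "webdav_session"  # assumed cookie name


def ofba_challenge(client_id: str, redirect_uri: str) -> tuple[int, dict]:
    """Reply to an unauthenticated HEAD/GET: 403 plus the headers that tell
    Office to open its login dialogue at the authorize URL."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code id_token token",
        "redirect_uri": redirect_uri,
        "scope": "openid",
    })
    return 403, {
        "X-FORMS_BASED_AUTH_REQUIRED": f"{AUTHORIZE_URL}?{query}",
        "X-FORMS_BASED_AUTH_RETURN_URL": RETURN_URL,
        "X-FORMS_BASED_AUTH_DIALOG_SIZE": "800x600",
    }


def callback_response(access_token: str) -> tuple[int, dict]:
    """The client callback: persist the token in a cookie Office will replay,
    then 302 to the return URL that was advertised in the challenge."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = access_token
    cookie[COOKIE_NAME]["path"] = "/"       # assumed: must cover the WebDAV paths
    cookie[COOKIE_NAME]["secure"] = True    # assumed: only replay over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True  # assumed: no script access needed
    return 302, {
        "Location": RETURN_URL,
        "Set-Cookie": cookie[COOKIE_NAME].OutputString(),
    }


def session_token(request_headers: dict) -> str | None:
    """What the WebDAV side sees on the next request: the token from the
    cookie, or None (which should trigger ofba_challenge again)."""
    raw = request_headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None
```

Comparing the Set-Cookie header produced by the callback with what the client actually stores is the quickest way to see which side of the exchange is dropping the cookie.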