Clicking links from MS Office apps: "IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null." #78
When users click on links in documents from native MS Office apps (notably Word, Excel, PowerPoint but not Outlook or OneNote) and the linked web app is using the
The other symptom is that two tabs open in the browser, one with the callback endpoint (showing the IDX10311 error) and the other tab with the app's default redirect URL (as if
Otherwise auth works fine, including in-browser links from external sites and even the same Office document opened in the HTML versions of Office. Also seems to be browser independent and repros in Edge, Chrome, FF.
The root cause is that Office apps are doing background pre-fetch requests to test the link in a sandboxed browser before launching a real browser for the user. The Office app also follows the HTTP 302 redirects to the AAD login page (the one which does a JS post-back to the reply URL) and launches the browser with the login page URL (instead of the initial link URL). However, since the initial 302 redirect that set the nonce cookie happened in the sandboxed browser, the real browser doesn't have the nonce cookie to match the nonce in the login page's URL, hence the IDX10311 error.
Ultimately I think the real fix here is for Office to make the pre-fetches compatible with single-sign-on flows. However one way to mitigate this server-side is to intercept pre-fetch requests generated by the office apps and return blanket 200 OK responses (preempting the auth challenges/redirects). Implemented it as an OWIN middleware:
Issues reporting similar symptoms, but different root causes/fixes:
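The mitigation described above, written out as an added example (this is not the original poster's middleware, which is not reproduced on this page): an OWIN middleware registered ahead of the OpenID Connect middleware that answers Office link pre-fetch requests with a bare 200 OK, so the sign-in challenge and the nonce cookie are only ever issued to the real browser. The User-Agent substrings `ms-office` and `Microsoft Office` are an assumption about what the Office pre-fetcher sends and should be checked against your own request logs; as noted later in this thread, Excel in Protected View has been seen sending a User-Agent with no Office marker at all, so this check is best-effort.

```csharp
// Added example, not the project's or the original poster's code.
// OWIN middleware that short-circuits Office link pre-fetch requests with a
// plain 200 OK so the OpenID Connect challenge (and its nonce cookie) is only
// issued to the browser the user will actually sign in with.
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public class OfficePrefetchMiddleware : OwinMiddleware
{
    // ASSUMPTION: User-Agent fragments used by Office link pre-fetches.
    // Verify against your own logs; Protected View pre-fetches may carry none of these.
    private static readonly string[] OfficeMarkers = { "ms-office", "Microsoft Office" };

    public OfficePrefetchMiddleware(OwinMiddleware next) : base(next) { }

    // Pure decision function so the detection rule can be unit-tested on its own.
    public static bool IsOfficePrefetch(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        foreach (var marker in OfficeMarkers)
        {
            if (userAgent.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        }
        return false;
    }

    public override async Task Invoke(IOwinContext context)
    {
        // Only GET/HEAD are short-circuited; anything else goes through the
        // normal pipeline so the auth middleware still protects real requests.
        var method = context.Request.Method;
        var userAgent = context.Request.Headers.Get("User-Agent");

        if ((method == "GET" || method == "HEAD") && IsOfficePrefetch(userAgent))
        {
            // Return nothing sensitive: no redirect, no nonce cookie, no app content.
            context.Response.StatusCode = 200;
            context.Response.ContentType = "text/plain";
            await context.Response.WriteAsync("OK");
            return;
        }

        await Next.Invoke(context);
    }
}

// Registration in Startup.Configuration(IAppBuilder app): the pre-fetch check must
// sit BEFORE the cookie and OpenID Connect middleware, otherwise the challenge
// (and the 302 to AAD) has already been emitted by the time it runs.
//
//   app.Use<OfficePrefetchMiddleware>();
//   app.UseCookieAuthentication(new CookieAuthenticationOptions());
//   app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { /* ... */ });
```

Because the intercepted response carries no application data, a pre-fetcher that is not Office but happens to match the pattern only loses the sign-in redirect, not content; logging each short-circuited request with its User-Agent is a cheap way to notice when Office changes its pre-fetch behaviour again, as it did for Protected View.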
Perhaps I'm missing something, but if MS Office would just do its prefetch request, and then pass the original hyperlink to the browser (instead of some mid-authentication link it ended up at), we wouldn't be having this issue.
We've applied @smichtch's work-around and it worked beautifully. But recently things changed again: when Excel is in protected view and the user clicks on a hyperlink inside that Excel file, Office will use a different user-agent header for its prefetch request that does not include any trace of Office. This effectively destroys the work-around.
So in that case we're again facing the error:
(Note that before updating to v4.0.0 of the
So we decided to give in and disable the Nonce validation with something like this in our Startup class:
But now when clicking a link in Office, we get an OpenIdConnectProtocolException:
So now our application ignores the absence of the Nonce, but at some lower level in Azure it's still required...?
Is there any more we can do?
Also, I couldn't find the Office counterpart of this issue. Anyone know where to look?
Just to pile in and add additional context, we recently experienced the same issue -- Excel would open two tabs when clicking a link to our ASP.NET web app. The problem began after we changed over from forms identity authentication to using OpenIDConnect authentication with Azure ActiveDirectory.
We did find that the Microsoft EasyFix download tool would resolve it (link below), however we did not want to have to install that on every computer. Using smichtch's code above resolved the issue as well.
Thanks for the solution guys! EasyFix worked for me too. Earlier, I was also facing the same problem. Do we know how everyone can get a similar fix? I mean, will Microsoft push a Windows Update or Office Update for this fix? If yes, then is there any way I can check when it will get rolled out?