How to bypass URL /download/attachments/ for Companion App in Confluence? #55

Open
afernandezanusuyia opened this issue Jun 26, 2019 · 7 comments

Comments

@afernandezanusuyia

How do we allow this URL to bypass the enforced SSO:
• /download/attachments/
as this is how the Companion App in Confluence uses a short-lived authentication session to download the attachment

@marcquark

The 7.2 upgrade notes describe what you need to do

https://confluence.atlassian.com/doc/confluence-7-2-upgrade-notes-979421823.html

@suedti

suedti commented Jun 24, 2020

Has anybody had success with this approach?

We tried the following config, but neither the Companion App nor the Confluence mobile app is working correctly.

Any suggestions?

THANKS

        <Location /rest/prototype/1/content>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /server-status>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /s/>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /plugins>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /images>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /rest/token-auth/api/>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /download/token-auth/attachments/>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /plugins/servlet/imgFilter>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /server-info.action>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /rest/previews/templinksresource/companion/*>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /rest/org.swift.confluence.cli>
            Allow from all
            Satisfy any
        </Location>

@Rafa40

Rafa40 commented Oct 5, 2020

Hi,

Is there any news about it? We allowed these URLs:
/rest/token-auth/api/*
/download/token-auth/attachments/*
/plugins/servlet/imgFilter*
/rest/analytics/1.0/publish/bulk (this is only necessary if you have opted in to data collection)

but it does not work. It seems it is still blocked by /download/attachments/*

Thank you

@marcquark

marcquark commented Oct 5, 2020

Which webserver are you using? Could you post the relevant parts of your config?

Below works for me with Apache:

        <Location /rest/token-auth/api/>
            Require all granted
        </Location>
        <Location /download/token-auth/attachments/>
            Require all granted
        </Location>
        <Location /plugins/servlet/imgFilter*>
            Require all granted
        </Location>
        <Location /rest/analytics/1.0/publish/bulk>
            Require all granted
        </Location>
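
An added example, not part of any comment in this thread: a small Python audit that lists which `<Location>` blocks let requests through without an SSO session and separates the four paths named in this thread from any others. The sample config is constructed, and the `audit` helper and its matching rules are this example's own heuristic, not Apache or Shibboleth tooling.

```python
import re

# Exemptions named in this thread (trailing "*" stripped for comparison).
EXPECTED = {
    "/rest/token-auth/api/",
    "/download/token-auth/attachments/",
    "/plugins/servlet/imgFilter",
    "/rest/analytics/1.0/publish/bulk",
}

# Constructed sample config, modelled on the blocks posted in the thread.
SAMPLE = """
<Location />
    ShibRequireSession On
    Require valid-user
</Location>
<Location /rest/token-auth/api/>
    Require all granted
</Location>
<Location /download/token-auth/attachments/>
    ShibRequireSession Off
    require shibboleth
</Location>
<Location /plugins>
    ShibRequireSession Off
    require shibboleth
</Location>
<Location /rest/org.swift.confluence.cli>
    Allow from all
    Satisfy any
</Location>
"""

# A block runs to the next <Location ...>, so a missing </Location> is tolerated.
BLOCK = re.compile(r"<Location\s+(\S+?)>(.*?)(?=<Location\s|\Z)", re.S | re.I)
# Heuristic: directives that let a request through without an SSO session.
OPEN = re.compile(r"^\s*(Require\s+all\s+granted|ShibRequireSession\s+Off"
                  r"|Satisfy\s+any)\b", re.I | re.M)

def audit(config):
    """Return (listed, unlisted) paths that do not force an SSO session."""
    listed, unlisted = [], []
    for path, body in BLOCK.findall(config):
        if OPEN.search(body):
            (listed if path.rstrip("*") in EXPECTED else unlisted).append(path)
    return listed, unlisted

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Paths in the second list are exempt from SSO at the web server but are not among the exemptions discussed here, so each one needs its own justification.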

@Rafa40

Rafa40 commented Oct 5, 2020

Hi,

Oops! If it works for you, then it must be something else in my server's configuration. I will investigate it further.
Thank you for the confirmation.

@amknight

amknight commented Apr 6, 2021

@Rafa40 Were you eventually able to get this to work? The problem may be related to this bug: https://jira.atlassian.com/browse/CONFSERVER-63189

@Rafa40

Rafa40 commented Apr 12, 2021

Hi @amknight,

Sadly, no solution yet.
To make it work, as a workaround, we added a VPN rule related to /download/attachments/*
I will try again after upgrading Confluence to 7.13.
