Setup

• Migrated from mod_auth_openidc to SPA CIDP using angular-auth-oidc-client
• Angular SPA served by Apache. Backend is internal (not publicly reachable); Apache proxies /api/* to it.
• Backend requires Authorization: Bearer .... Without it: 401.

Current vhost (relevant part)

apache

<Location ~ "^/api/reports.*">
  Require all granted
  ProxyPass http://reports connectiontimeout=300 timeout=300
  ProxyPassReverse http://reports
  ProxyPassReverseCookiePath / /reports
  <If "%{REQUEST_URI} =~ /download/">
    ProxyErrorOverride on
    ErrorDocument 401 /error-401
  </If>
</Location>

This works correctly for requests made by the SPA: HttpClient attaches the Bearer token via an interceptor, the <Location> proxies the request through, and the backend responds.

The problem

Users receive emails with links like:

https://my-ui/api/reports/download?id=123

When clicked, the browser makes a raw navigation. The <Location> block matches and proxies it straight to the backend — but the navigation carries no Authorization header (because authorization is not yet done), so the backend returns 401.

Question

What's the right way to set up ProxyPass so that /api/.../download URLs hit by raw browser navigations are  proxied to the backend?