SSO Redirect Handling
Revision as of 09:41, 8 September 2021
In this section, we assume you already know the basics of the SSO (Single Sign-On) flow, such as the CAS web flow (https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html) or Active Directory Federation Services (https://docs.microsoft.com/en-us/archive/blogs/askds/understanding-the-ad-fs-2-0-proxy).
AJAX request gets 302 redirect
Handling redirects, including SSO (Single Sign-On) redirects, has always been a common challenge for Ajax applications, and ZK is no exception. You may have run into this error:
The response could not be parsed: Expected JSON format (please check console for details).
Unexpected token '<':
Or, in older ZK versions:
The server is temporarily out of service.
Would you like to try again?
(Unexpected token < (SyntaxError))
It usually happens when:
- the session has timed out
- your access token is invalid for some reason
If you check the browser developer tools (Network tab), you should see a 302 redirect response to one ZK AU request:
The reason is that a service which intercepts HTTP requests (e.g. a security filter) usually redirects the AU request to a login page. According to the HTTP specification, browsers follow a 302 redirect transparently and fetch the target URL, so the browser receives the HTML content of the login page as the response to the AU request. But the ZK client engine expects a JSON response for an AU request; it tries to parse the HTML, fails, and that is why you see the error message above.
Solution: turn 302 into 403
Because browsers handle HTTP redirects atomically, the redirect is followed transparently and the Ajax caller never sees the 302. We suggest configuring your SSO server or security filter to return the response code 403 Forbidden instead of 302 in the situations mentioned above (session expired or invalid access token).
Next, configure the error-reload element so that ZK can handle the 403 by reloading the specified login page.
For some special cases, you might need to override the JavaScript function zAu._fetch(); please contact us.
Library Customization Reference
Most SSO-related frameworks/libraries provide customizable filters; we list some of them here for your reference:
Spring Security
- an example of configuring the 403 response
- 10.9. AbstractAuthenticationProcessingFilter
- AuthenticationFailureHandler (javadocs)
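Putting the two steps of the solution section together for the Spring Security case listed above, here is an added example configuration. It is not code from the ZK documentation or from the Spring Security project; it assumes Spring Security 5.x with the SecurityFilterChain bean style, that ZK AU requests are served under the default update URI /zkau, and that the login page is /login. Note that the AuthenticationFailureHandler linked above runs when a submitted login fails, whereas the entry point configured below decides what an unauthenticated request receives, which is where the session-timeout case lands.

```java
// Added example (not from the ZK documentation or the Spring Security project).
// Assumptions: Spring Security 5.x, ZK AU requests under "/zkau", login page "/login".
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class ZkSsoSecurityConfig {

    /** Ant pattern for ZK AU (Ajax update) requests; assumes the default update URI "/zkau". */
    static final String ZK_AU_PATTERN = "/zkau/**";

    /** Login page served by this application (assumed path). */
    static final String LOGIN_PAGE = "/login";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Entry points are consulted in insertion order, so the AU matcher comes first.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();

        // An AU request without a valid session gets a bare 403 instead of a 302:
        // the browser would follow a 302 transparently and hand the ZK client engine
        // the login page HTML, which it cannot parse as JSON.
        entryPoints.put(new AntPathRequestMatcher(ZK_AU_PATTERN),
                new HttpStatusEntryPoint(HttpStatus.FORBIDDEN));

        DelegatingAuthenticationEntryPoint entryPoint =
                new DelegatingAuthenticationEntryPoint(entryPoints);
        // Ordinary page navigation keeps the usual redirect to the login page.
        entryPoint.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint(LOGIN_PAGE));

        http
            .authorizeRequests(auth -> auth
                .antMatchers(LOGIN_PAGE).permitAll()
                .anyRequest().authenticated())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(entryPoint))
            .formLogin(form -> form.loginPage(LOGIN_PAGE));
        return http.build();
    }

    /*
     * Counterpart on the ZK side, the error-reload element from the solution section
     * (assumed zk.xml fragment, written here for illustration):
     *
     *   <client-config>
     *     <error-reload>
     *       <error-code>403</error-code>
     *       <reload-uri>/login</reload-uri>
     *     </error-reload>
     *   </client-config>
     */
}
```

With both halves in place, an AU request sent after the session has expired receives a 403 that the ZK client engine recognises, and it reloads the login page instead of reporting the "Expected JSON format" error; page requests made by the browser's address bar still get the familiar 302 to the login page.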
Apache Shiro
CAS
OKTA
Version History