SSO Redirect Handling"
| Line 34: | Line 34: | ||
According to the HTTP specification, browsers will follow the 302 redirect to visit the target URL transparently. Browsers will receive HTML content of the login page as the response to the AU request. However, ZK client engine expects a JSON format response for an AU request, not the HTML content, and therefore reporting the error. | According to the HTTP specification, browsers will follow the 302 redirect to visit the target URL transparently. Browsers will receive HTML content of the login page as the response to the AU request. However, ZK client engine expects a JSON format response for an AU request, not the HTML content, and therefore reporting the error. | ||
| − | == Solution: | + | == Solution: Turn 302 to 403 == |
Because of [https://fetch.spec.whatwg.org/#atomic-http-redirect-handling atomic HTTP redirect handling], browsers handle redirecting transparently, it's not something we can change on the ZK side. We suggest you to first configure your SSO server or the security filter to return the response code '''403 Forbidden''' instead of 302 for the situation mentioned above (session expired or invalid access token). | Because of [https://fetch.spec.whatwg.org/#atomic-http-redirect-handling atomic HTTP redirect handling], browsers handle redirecting transparently, it's not something we can change on the ZK side. We suggest you to first configure your SSO server or the security filter to return the response code '''403 Forbidden''' instead of 302 for the situation mentioned above (session expired or invalid access token). | ||
Revision as of 09:52, 8 September 2021
In this section, we assume you already know the basics of SSO (Single-Sign-On) flow like CAS web flow or Active Directory Federation Services.
AJAX request gets 302 redirect
Redirect including SSO (Single-Sign-On) handling has always been a common challenge in Ajax, and that's no exception when it comes to ZK. You may have run into this error:
The response could not be parsed: Expected JSON format (please check console for details).
Unexpected token '<':
Or in an older ZK version:
The server is temporarily out of service.
Would you like to try again?
(Unexpected token < (SyntaxError))
It usually happens when:
- session timeout
- your access token is invalid for some reason
If you check developer tool > Network, you should see a 302 redirect response on a ZK AU request:
If this happens, it's most likely you have a service that intercepts HTTP requests (e.g. a security filter) and redirects the AU request to a login page.
According to the HTTP specification, browsers will follow the 302 redirect to visit the target URL transparently. Browsers will receive HTML content of the login page as the response to the AU request. However, ZK client engine expects a JSON format response for an AU request, not the HTML content, and therefore reporting the error.
Solution: Turn 302 to 403
Because of atomic HTTP redirect handling, browsers handle redirecting transparently, it's not something we can change on the ZK side. We suggest you to first configure your SSO server or the security filter to return the response code 403 Forbidden instead of 302 for the situation mentioned above (session expired or invalid access token).
Then, configure the error-reload Element, so that ZK can handle 403 by reloading the specified login page.
In some special set up, you might need to override javascript function zAu._fetch(). If you are not sure how to, please contact ZK support.
Library Customization Reference
Most SSO related frameworks/libraries provide customizable filters, we just list some of them for your reference:
Spring Security
- the example to configure the response 403
- 10.9. AbstractAuthenticationProcessingFilter
- AuthenticationFailureHandler (javadocs)
Apache Shiro
CAS
OKTA
Version History