SSO Redirect Handling

From Documentation
Revision as of 09:41, 8 September 2021 by Jeanher (talk | contribs)





In this section, we assume you already know the basics of SSO (Single-Sign-On) flow like CAS web flow or Active Directory Federation Services.

AJAX request gets 302 redirect

Handling redirects, including SSO (Single-Sign-On) redirects, has always been a common challenge in Ajax applications, and ZK is no exception. You may have run into this error:

The response could not be parsed: Expected JSON format (please check console for details).
Unexpected token '<':

Or, in older ZK versions:

The server is temporarily out of service.
Would you like to try again?

(Unexpected token < (SyntaxError))


It usually happens when:

  • the session has timed out
  • your access token is invalid for some reason

If you check your browser's developer tools > Network tab, you should see a 302 redirect response on one ZK AU request:

[Figure: Redirect302.jpg, a 302 redirect response on a ZK AU request]

The reason is that a service that intercepts HTTP requests (e.g. a security filter) usually redirects the AU request to a login page. According to the HTTP specification, browsers follow a 302 redirect to the target URL transparently, so the browser receives the HTML content of the login page as the response to the AU request. The ZK client engine, however, expects a JSON response for an AU request; it tries to parse the HTML, fails, and that is why you see the error message above.


Solution: turn 302 to 403

Because browsers follow HTTP redirects automatically and transparently, the ZK client engine never sees the 302 itself, only the login page that the redirect leads to. We suggest configuring your SSO server or security filter to return the response code 403 Forbidden instead of 302 in the situations mentioned above (session expired or invalid access token).

Next, configure the error-reload element so that ZK handles the 403 by reloading the specified login page.
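The following servlet filter is an added example, not code from the ZK documentation or from any SSO framework. It shows the distinction the solution above relies on: an ordinary page request still gets a 302 to the login page, while a ZK AU request with no valid session gets a 403 so that error-reload can take over. The AU mapping /zkau (ZK's default), the login page /login.zul and the session attribute "user" are assumptions to adjust for your deployment.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Matching zk.xml fragment (assumed paths), so a 403 on an AU request reloads the login page:
//   <client-config>
//     <error-reload>
//       <device-type>ajax</device-type>
//       <error-code>403</error-code>
//       <reload-uri>/login.zul</reload-uri>
//     </error-reload>
//   </client-config>
public class AuAwareAuthFilter implements Filter {
    private static final String AU_PREFIX = "/zkau";      // ZK's default AU servlet mapping
    private static final String LOGIN_PAGE = "/login.zul"; // assumption: your login page
    private static final String USER_ATTR = "user";        // assumption: set in the session at login

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) does not create a session, so a timed-out one stays gone
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(USER_ATTR) != null;
        if (authenticated) {
            chain.doFilter(req, res);
            return;
        }

        if (request.getServletPath().startsWith(AU_PREFIX)) {
            // AU (Ajax) request: the browser would follow a 302 transparently and hand
            // ZK the login page's HTML, so answer 403 and let error-reload take over.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            // Ordinary page request: redirecting to the login page works as before.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}
```

Register the filter in web.xml (or with @WebFilter) ahead of the ZK AU servlet mapping so it sees every AU request.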


For some special cases, you might need to override the JavaScript function zAu._fetch(); please contact us.

Library Customization Reference

Most SSO-related frameworks and libraries provide customizable filters; we list some of them here for your reference:

Spring Security

Apache Shiro

CAS

OKTA



Version History

Last Update : 2021/09/08


Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.