SSO Redirect Handling

From Documentation
Revision as of 02:02, 22 May 2024 by Hawk (talk | contribs) (→‎Fine-Grained Control)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

SSO Redirect Handling

In this section, we assume you already know the basics of SSO (Single-Sign-On) flow like CAS web flow or Active Directory Federation Services.

AJAX Request Gets 302 Redirect

Redirect including SSO (Single-Sign-On) handling has always been a common challenge in Ajax, and that's no exception when it comes to ZK. You may have run into this error:

The response could not be parsed: Expected JSON format (please check console for details).
Unexpected token '<':

Or in an older ZK version:

The server is temporarily out of service.
Would you like to try again?

(Unexpected token < (SyntaxError))

It usually happens when:

  • session timeout
  • your access token is invalid for some reason

If you check developer tool > Network, you should see a 302 Redirect response on a ZK AU request:


If this happens, it's most likely you have a service that intercepts HTTP requests (e.g. a security filter) and redirects the AU request to a login page.

According to the HTTP specification, browsers will follow the 302 redirect to visit the target URL transparently. Browsers will receive the HTML content of the login page as the response to the AU request. However, ZK client engine expects a JSON format response for an AU request, not the HTML content, and therefore reporting the error.

Solution: Turn 302 to 403

Because of atomic HTTP redirect handling, browsers handle redirecting transparently, it's not something we can change on the ZK side. What we can do is to turn the 302 into 403 so that we can handle it properly.

First, configure your SSO server or the security filter to return the response code 403 Forbidden instead of 302 for the situation mentioned above (session expired or invalid access token).

Then, configure the error-reload Element, so that ZK can handle 403 by reloading the specified login page.

Fine-Grained Control

Since 9.5.0 In some special setups, you might need to override javascript function zAu._fetch() like

zk.afterLoad('zk', function() {
    let oldFetch = zAu._fetch;
    zAu._fetch = function (resource, options) {
       //add your options here
        options.redirect = 'error';
        return oldFetch(resource, options);

Since zk sends ajax requests with fetch(), please check available options at fetch#parameters

See ZK_Client-side_Reference/General_Control/Widget_Customization

Library Customization Reference

Most SSO related frameworks/libraries provide customizable filters, here are some examples, please refer to the official and latest documents on their website:

Spring Security

Spring Reference Doc

Apache Shiro



Last Update : 2024/05/22

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.