SSO Redirect Handling
In this section, we assume you already know the basics of SSO (Single-Sign-On) flow like CAS web flow or Active Directory Federation Services.
AJAX Request Gets 302 Redirect
Redirect including SSO (Single-Sign-On) handling has always been a common challenge in Ajax, and that's no exception when it comes to ZK. You may have run into this error:
The response could not be parsed: Expected JSON format (please check console for details).
Unexpected token '<':
Or in an older ZK version:
The server is temporarily out of service.
Would you like to try again?
(Unexpected token < (SyntaxError))
It usually happens when:
- session timeout
- your access token is invalid for some reason
If you check developer tool > Network, you should see a 302 Redirect response on a ZK AU request:
If this happens, it's most likely you have a service that intercepts HTTP requests (e.g. a security filter) and redirects the AU request to a login page.
According to the HTTP specification, browsers will follow the 302 redirect to visit the target URL transparently. Browsers will receive the HTML content of the login page as the response to the AU request. However, ZK client engine expects a JSON format response for an AU request, not the HTML content, and therefore reporting the error.
Solution: Turn 302 to 403
Because of atomic HTTP redirect handling, browsers handle redirecting transparently, it's not something we can change on the ZK side. What we can do is to turn the 302 into 403 so that we can handle it properly.
First, configure your SSO server or the security filter to return the response code 403 Forbidden instead of 302 for the situation mentioned above (session expired or invalid access token).
Then, configure the error-reload Element, so that ZK can handle 403 by reloading the specified login page.
Fine-Grained Control
Since 9.5.0
In some special setups, you might need to override javascript function zAu._fetch()
like
zk.afterLoad('zk', function() {
let oldFetch = zAu._fetch;
zAu._fetch = function (resource, options) {
//add your options here
options.redirect = 'error';
return oldFetch(resource, options);
}
});
Since zk sends ajax requests with fetch(), please check available options at fetch#parameters
See ZK_Client-side_Reference/General_Control/Widget_Customization
Library Customization Reference
Most SSO related frameworks/libraries provide customizable filters, here are some examples, please refer to the official and latest documents on their website:
Spring Security
Spring Reference Doc
Apache Shiro
CAS
OKTA