> The browser won't follow the redirect in that case
Actually, the browser does follow the redirects for ajax calls _but_ since it's a redirect to the identity server, it will fail because of CORS.
Now, for the case when the identity server has proper CORS headers that make these redirects possible, they may even be functional - I haven't tested, but this also depends on the ajax call itself - e.g. if it's a POST request (a save), then the whole post will need to be replayed once authentication is finished, which a 302 doesn't really do.
So maybe what we want to do here is to add an option about what the behaviour should be when the authentication fails on an ajax call, to cover for the case when somebody may have set up CORS headers on the identity server and is using this with automatic redirection... The default would probably be to not redirect.
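One way the option proposed in the comment above could behave, as an added example that is not part of the original comment or of the project's code. The option name `ajaxRedirect`, the function names, the JSON body and the login URL are assumptions made for illustration.

```javascript
// Added illustration. `ajaxRedirect`, the function names and the login URL are hypothetical.
const REPLAY_SAFE = new Set(["GET", "HEAD"]);

function lowerCaseKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// True when the request is not a top-level page navigation (XHR/fetch and other subrequests).
function isAjaxRequest(headers) {
  const h = lowerCaseKeys(headers);
  if (h["sec-fetch-mode"]) return h["sec-fetch-mode"] !== "navigate";
  if ((h["x-requested-with"] || "").toLowerCase() === "xmlhttprequest") return true;
  const accept = h["accept"] || "";
  return accept.includes("application/json") && !accept.includes("text/html");
}

// Decide the response for a request that arrived without a valid session.
function onUnauthenticated(req, { ajaxRedirect = false, loginUrl }) {
  const redirect = { status: 302, headers: { Location: loginUrl } };
  if (!isAjaxRequest(req.headers)) return redirect; // normal page load
  // A 302 does not replay a request body, so only replay-safe methods are redirected,
  // and only when the operator opted in (CORS configured on the identity server).
  if (ajaxRedirect && REPLAY_SAFE.has(req.method.toUpperCase())) return redirect;
  return {
    status: 401,
    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" },
    body: JSON.stringify({ error: "authentication_required", login: loginUrl }),
  };
}

// Constructed sample requests.
const LOGIN = "https://idp.example/authorize";
const samples = [
  { method: "GET", headers: { "Sec-Fetch-Mode": "navigate", Accept: "text/html" } },
  { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
  { method: "POST", headers: { "Sec-Fetch-Mode": "cors", Accept: "application/json" } },
];
for (const req of samples) {
  for (const ajaxRedirect of [false, true]) {
    const res = onUnauthenticated(req, { ajaxRedirect, loginUrl: LOGIN });
    console.log(req.method, JSON.stringify(req.headers), "ajaxRedirect=" + ajaxRedirect, "->", res.status);
  }
}
```

With the default setting the ajax caller gets a 401 it can handle itself, for example by sending the user through login and then resending the save.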