There is 1 comment.
 
 
OpenId Connect / OIDC-234 Closed

The authenticator should not redirect in the case of an ajax request

 

 
Anca Luca on 27/May/25 18:29
 
> The browser won't follow the redirect in that case

Actually, the browser does follow the redirects for ajax calls _but_ since it's a redirect to the identity server, it will fail because of CORS.

Now, for the case when the identity server has proper CORS headers that make these redirects possible, they may even be functional - I haven't tested, but this also depends on the ajax call itself - e.g. if it's a POST request (a save), then the whole post will need to be replayed once authentication is finished, which a 302 doesn't really do.

So maybe, what we want to do here, is to add an option about what the behaviour should be when the authentication fails on an ajax call, to cover for the case when somebody may have set up CORS headers on the identity server and is using this with automatic redirection... The default would probably be to not redirect.
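
The option proposed in the comment above, sketched as an added example that is not part of the issue or of the authenticator's code. The function names, the `ajaxBehaviour` option, the headers used to detect an ajax call, and the login URL are all assumptions.

```javascript
// Added illustration, not the authenticator's code. All names are hypothetical.
const AjaxBehaviour = Object.freeze({ REJECT: 'reject', REDIRECT: 'redirect' });

// Case-insensitive header lookup on a plain { name: value } object.
function header(req, name) {
  const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === name);
  return key ? String(req.headers[key]) : '';
}

// Script-initiated requests: the legacy X-Requested-With convention, or the
// Fetch Metadata header that browsers set to "empty" for fetch() and XHR.
function isAjaxRequest(req) {
  return header(req, 'x-requested-with').toLowerCase() === 'xmlhttprequest'
    || header(req, 'sec-fetch-dest').toLowerCase() === 'empty';
}

// Decide how to answer an unauthenticated request.
// options.ajaxBehaviour defaults to REJECT, the default suggested in the comment.
function decideUnauthenticatedResponse(req, loginUrl, options = {}) {
  const behaviour = options.ajaxBehaviour || AjaxBehaviour.REJECT;
  const redirect = { status: 302, headers: { Location: loginUrl } };
  if (!isAjaxRequest(req)) return redirect; // normal page navigation

  // Assumption of this sketch: even in REDIRECT mode only GET/HEAD are redirected,
  // because a 302 would not replay the body of a POST after authentication.
  const safe = ['GET', 'HEAD'].includes(String(req.method).toUpperCase());
  if (behaviour === AjaxBehaviour.REDIRECT && safe) return redirect;

  // Otherwise the calling script gets a 401 it can handle itself, instead of a
  // cross-origin redirect that fails on CORS.
  return {
    status: 401,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ error: 'authentication_required', loginUrl }),
  };
}

// Constructed sample requests.
const LOGIN = 'https://idp.example.org/authorize'; // placeholder URL
const samples = [
  { method: 'GET', headers: { Accept: 'text/html', 'Sec-Fetch-Dest': 'document' } },
  { method: 'GET', headers: { 'X-Requested-With': 'XMLHttpRequest' } },
  { method: 'POST', headers: { 'Sec-Fetch-Dest': 'empty' } },
];
for (const req of samples) {
  console.log(req.method, decideUnauthenticatedResponse(req, LOGIN).status);
}
```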