Reputation: 555
I have a web application and an API server; the web application consumes the API via AJAX, except in a couple of scenarios.
When I enable SSO for both, I face the well-known problem: how to handle redirects in AJAX.
(A bit more detail: Azure mandates that the user log in to AD only via its login page, so ideally, when a web page or an API endpoint is accessed, they should get redirected to the Azure login page. Since an HTTP 302 redirect doesn't work well with XMLHttpRequest, the user will not get redirected to the authentication page when the API is accessed via AJAX.)
I have a few options to solve this issue:

1. When the web application is authenticated, redirect to a predefined API endpoint (e.g. 'api/login') that takes care of API authentication and, once that is done, redirects back to the web app. So the user will be redirected this way:

   web -> azure login -> web -> api -> azure login (auto login) -> api -> web

2. Load the API endpoint in an iframe (or an image) and wait for the load complete event.

Please help me to choose the right pattern.
Upvotes: 1
Views: 5395
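The second option from the question (prime the API's SSO session in a hidden iframe, then start making AJAX calls), as an added example that is not code from the original post. It assumes a hypothetical API origin `API_ORIGIN` with a hypothetical `/api/login` endpoint that walks the Azure redirect chain and finally answers with a 200 page; `fakeDocument` is a constructed stand-in for `document` so the function can be exercised outside a browser.

```javascript
// Added example, not code from the original post: option 2 from the question, priming the
// API's SSO session by loading a login endpoint in a hidden iframe and waiting for its
// load event before the app starts making AJAX calls.
// Assumptions (hypothetical, not from the post): the API lives at API_ORIGIN and exposes
// "/api/login", which walks the Azure redirect chain and finally answers with a 200 page.
const API_ORIGIN = 'https://api.example.com';
const API_LOGIN_PATH = '/api/login';

// Resolves with 'loaded' once the frame has finished navigating. The load event fires for
// cross-origin frames as well, so nothing inside the frame can be inspected: the only
// information available is "the redirect chain ended". Rejects with 'timeout' when it never
// does (for example the SSO page is waiting for interactive input and cannot auto-login).
function primeApiSession(doc, timeoutMs = 15000, url = API_ORIGIN + API_LOGIN_PATH) {
  return new Promise((resolve, reject) => {
    const frame = doc.createElement('iframe');
    frame.style.display = 'none';
    frame.setAttribute('src', url);

    let done = false;
    function finish(settle, value) {
      if (done) return;
      done = true;
      clearTimeout(timer);
      // Always remove the frame so a stuck login page does not linger in the DOM.
      if (frame.parentNode) frame.parentNode.removeChild(frame);
      settle(value);
    }
    const timer = setTimeout(() => finish(reject, new Error('timeout')), timeoutMs);
    frame.addEventListener('load', () => finish(resolve, 'loaded'));
    doc.body.appendChild(frame);
  });
}

// Constructed stand-in for `document`, so the function can be exercised outside a browser.
// `fireLoad` controls whether the fake frame ever emits its load event.
function fakeDocument(fireLoad) {
  const listeners = {};
  const frame = {
    style: {},
    parentNode: null,
    src: null,
    setAttribute(name, value) { if (name === 'src') this.src = value; },
    addEventListener(type, fn) { listeners[type] = fn; },
  };
  const body = {
    appendChild(el) { el.parentNode = body; if (fireLoad) setTimeout(() => listeners.load(), 0); },
    removeChild(el) { el.parentNode = null; },
  };
  return { createElement: () => frame, body, frame };
}

// Typical use in the web app, after its own SSO login has completed:
//   primeApiSession(document).then(() => startApp(), () => showLoginButton());
```

One caveat worth checking before adopting this: the session cookie the API sets inside the iframe is a third-party cookie whenever the API is on a different site from the web app, and browsers that block third-party cookies will drop it, so the later AJAX calls still arrive unauthenticated. Hosting the API on a subdomain of the same site (and setting the cookie with an appropriate `SameSite` value) avoids that.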
Reputation: 6726
AJAX follows redirects automatically:
You need to distinguish between the reply from the service and the login page, which you get after AJAX follows the redirect (but not with Safari + CORS!). For example, detection could be done by checking for a string inside the response body. When detected, just redirect the user to the login page with document.location=<login-page-url>.
Another option would be to use a token inside the "Authorization" HTTP header instead of SSO for backend-service protection: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
Upvotes: 1
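The detection the answer describes, as an added example that is not code from the answer or the original post. `classifyApiResponse` applies the body-marker check from the answer plus two signals that do not depend on the login page's content: the final URL after a followed redirect, and the `opaqueredirect` result you get from `fetch(..., { redirect: 'manual' })`, which does not follow the 3xx at all and therefore also works where following it cross-origin fails (the Safari + CORS case mentioned). `API_ORIGIN`, `LOGIN_PATH` and `LOGIN_PAGE_MARKER` are hypothetical, and the sample responses are constructed.

```javascript
// Added example, not code from the answer above: classifying an AJAX/fetch response so the
// web app can tell a real API reply from the SSO login page it may have been redirected to,
// then sending the user to the login entry point itself.
// Assumptions (hypothetical, not from the post): the API at API_ORIGIN only ever answers
// with JSON, the SSO login page is HTML served from another origin and contains
// LOGIN_PAGE_MARKER somewhere in its body, and LOGIN_PATH is the app's own login entry point.
const API_ORIGIN = 'https://api.example.com';
const LOGIN_PATH = '/login';
const LOGIN_PAGE_MARKER = '<title>Sign in to your account</title>';

function sameOrigin(a, b) {
  try { return new URL(a).origin === new URL(b).origin; } catch (e) { return false; }
}

// Input mirrors the fields of a fetch() Response plus its already-read body text.
// Returns 'ok' (a genuine API reply), 'login' (the caller must re-authenticate) or 'error'.
function classifyApiResponse({ type, status, redirected, url, contentType, body }) {
  // fetch(..., { redirect: 'manual' }) does not follow 3xx at all; the result is an
  // "opaqueredirect" response with status 0. No redirect is followed, so there is no
  // cross-origin redirect for the browser to refuse.
  if (type === 'opaqueredirect') return 'login';
  // With the default redirect: 'follow', the final URL is visible: leaving the API origin
  // means the chain ended on the identity provider's page.
  if (redirected && !sameOrigin(url, API_ORIGIN)) return 'login';
  // The API speaks JSON; an HTML body is a login page, whatever its status code.
  const ct = (contentType || '').toLowerCase();
  if (ct.startsWith('text/html')) return 'login';
  // The answer's check: a known string inside the response body.
  if (typeof body === 'string' && body.includes(LOGIN_PAGE_MARKER)) return 'login';
  if (status === 401) return 'login';
  if (status >= 200 && status < 300) return 'ok';
  return 'error';
}

function goToLogin() {
  if (typeof window === 'undefined') return;
  // returnTo is only a path on this origin; the login handler must still validate it,
  // otherwise it becomes an open redirect.
  const returnTo = window.location.pathname + window.location.search;
  window.location.assign(LOGIN_PATH + '?returnTo=' + encodeURIComponent(returnTo));
}

// fetch wrapper used for every API call from the web app.
async function callApi(path, init = {}) {
  let res;
  try {
    res = await fetch(API_ORIGIN + path, { ...init, credentials: 'include', redirect: 'manual' });
  } catch (err) {
    // A cross-origin redirect the browser refuses to follow surfaces as a TypeError with
    // nothing to inspect; treating it as "session gone" is the safe default.
    goToLogin();
    throw err;
  }
  const body = await res.text();
  const verdict = classifyApiResponse({
    type: res.type, status: res.status, redirected: res.redirected, url: res.url,
    contentType: res.headers.get('content-type'), body,
  });
  if (verdict === 'login') { goToLogin(); throw new Error('not authenticated'); }
  if (verdict === 'error') throw new Error('API error ' + res.status);
  return body ? JSON.parse(body) : null;
}

// Constructed sample responses, shaped like what callApi passes to classifyApiResponse.
const SAMPLE_RESPONSES = {
  jsonOk: { type: 'cors', status: 200, redirected: false, url: API_ORIGIN + '/api/items',
            contentType: 'application/json; charset=utf-8', body: '{"items":[]}' },
  manualRedirect: { type: 'opaqueredirect', status: 0, redirected: false, url: '', contentType: null, body: '' },
  followedToIdp: { type: 'cors', status: 200, redirected: true, url: 'https://login.example.net/authorize?x=1',
                   contentType: 'text/html; charset=utf-8', body: '<html>...</html>' },
  htmlOnApiOrigin: { type: 'cors', status: 200, redirected: false, url: API_ORIGIN + '/api/items',
                     contentType: 'text/html', body: '<html><head><title>Sign in to your account</title></head></html>' },
  serverError: { type: 'cors', status: 500, redirected: false, url: API_ORIGIN + '/api/items',
                 contentType: 'application/json', body: '{"error":"boom"}' },
};
```

Using `redirect: 'manual'` is the design choice here: the body-marker check alone breaks as soon as the identity provider changes its page, and in the Safari + CORS case there is no body to check at all, whereas an `opaqueredirect` result says "the API answered with a 3xx" regardless of where it pointed. The `credentials: 'include'` option is what makes the API's SSO cookie travel with a cross-origin request, and it requires the API to answer CORS preflights with `Access-Control-Allow-Credentials: true` and an explicit (non-wildcard) allowed origin.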