Christopher Schank

Reputation: 101

Ajax and non-Ajax calls with OIDC in Helidon SE

We're developing a Single-Page Application using Helidon SE as the API and web server. We are struggling with how to configure OIDC authentication using Auth0.

We are not sure about the following: If the webapp does an AJAX call, and the user is not authenticated, we do expect the server to respond with a 401 and the info on how to redirect to authenticate. If there is a non-Ajax call, we expect the server to respond with a redirect to the auth provider.

We are not sure how to configure Helidon SE (v3) to achieve this behavior.

We've tried several tutorials and examples on using OIDC in Helidon SE, but were not able to achieve the desired behavior as described previously.

What's the configuration for Helidon/architecture for the SPA to handle authentication using Auth0, considering there is a mix of Ajax and non-Ajax calls?

We clearly have a lack of understanding here on how to build such an application.

Upvotes: 0

Views: 64

Answers (2)

Ashwin Prabhu

Reputation: 7634

The requirement has nothing to do with Helidon or any server for that matter.

If you make a fetch call from the page and the call returns with an HTTP 400-series error or a redirect status code, the JS handler on the page could just trigger a refresh of the current document. This would force a fresh pull of the index page from the server, which would/should redirect the GET request to the login page due to auth expiry.

Upvotes: 1
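One way to implement the client-side handler this answer describes, as an added example that is not part of the answer or of Helidon: a fetch wrapper for the SPA that treats a 401, or a redirect it deliberately does not follow, as "session expired" and reloads the page so the server's own redirect to the identity provider takes effect. The helper names, the `redirect: 'manual'` handling and the injectable `reload` callback are my assumptions.

```javascript
// Added example, not from the answer or from Helidon.
// Assumption: the API either replies 401 (redirection disabled) or 3xx to the
// identity provider (redirection enabled) when the session is not authenticated.

// Decide what the caller should do with an API response.
// With redirect: 'manual', a 3xx arrives as an opaque response whose
// type is 'opaqueredirect' and whose status is 0, so the type is checked first.
function classifyAuthResponse(res) {
  if (res.type === 'opaqueredirect') return 'reauthenticate';
  if (res.status === 401) return 'reauthenticate';
  if (res.status >= 300 && res.status < 400) return 'reauthenticate';
  if (res.ok) return 'ok';
  return 'error';
}

// Fetch wrapper for Ajax calls. fetchImpl and reload are injectable so the
// logic can be exercised outside a browser (constructed stubs in the test).
async function apiFetch(url, options = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl || fetch;
  const reload = deps.reload || (() => window.location.reload());

  const res = await fetchImpl(url, {
    ...options,
    credentials: 'same-origin', // send the session cookie set by the OIDC flow
    // Do not follow the redirect: following a 307 to a cross-origin login page
    // would either fail CORS or hand back the login HTML with a 200,
    // hiding the fact that the session has expired.
    redirect: 'manual',
  });

  const verdict = classifyAuthResponse(res);
  if (verdict === 'reauthenticate') {
    // Full document GET: the server now issues its redirect to the login page.
    reload();
    return null;
  }
  if (verdict === 'error') {
    throw new Error(`API call failed with status ${res.status}`);
  }
  return res;
}
```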

kluster

Reputation: 126

Here's the response coming from our Helidon Security SME:

Our OIDC support works in such a way that, if the user is not authenticated, it returns a 307 redirect to the identity server login page. That is his "non-Ajax" way of doing it.

If he wants us to fail with a 401 status in the case of an Ajax call and send details on how to log in, I do not think this is possible. It is possible to fail with 401 instead of 307, but not with specific details on where to redirect or what to do. This is done via configuration if one disables redirection; however, this also disables the "non-Ajax" approach.

Upvotes: 0
