SSO Browser redirect - HTTP 200 vs HTTP 302

Sumit Salvi
2 min read · Sep 21, 2021


As discussed in the previous post, the SAML auth flow works something like,

In our case, when the SAML library tried to redirect to the IdP login form, the UI JavaScript library wasn't able to handle the 302 browser-level redirect. This particular JS library expected an HTTP 200 response from the Backend, but that wasn't possible because of the internal redirect done by the Backend code. Hmm… this put us in a pickle. We scratched our heads for a few hours, did a deep analysis of the library code, set some breakpoints, and stepped through one small operation at a time. That's when an idea struck us…

The part of code that was handling the redirect looked something like below,

(This is the library code and can be found at Library Auth)

If you observe, right at the end of the method, an attempt is made to redirect to the redirection URL which is nothing but the IdP login form.

Since we wanted to customize this behavior as per our needs, we decided to extract this particular method from our local codebase and modify it so that it caters to our needs. As I mentioned above, we didn't really want a redirect but instead an HTTP 200 response with the redirect URL. So, we just modified the redirection part of the code and instead returned the obtained URL something like below,

Voila! The problem was solved. With this change, the backend was now returning an HTTP 200 response along with the redirection URL of the IdP login form. The UI could now fetch this URL and handle the redirection itself. Since we were using an open-source library, we also thought of contributing this change back to the library, and that is in the works now.
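To make the two behaviours concrete, here is an added example (not the library's code, which the post shows as an image, and not from the original post) using hypothetical IdP and SP URLs: the same HTTP-Redirect-binding login URL is built once, then handed to the browser either as the library's original 302 with a Location header or as the modified 200 whose body carries the URL for the UI to follow.

```python
import base64, uuid, zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample configuration (hypothetical values, not from the post).
IDP_SSO_URL = "https://idp.example.com/sso/saml"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"

def build_authn_request_url(relay_state: str) -> str:
    """Build the IdP login URL per the SAML 2.0 HTTP-Redirect binding:
    AuthnRequest XML -> raw DEFLATE -> base64 -> SAMLRequest query parameter."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" '
        f'IssueInstant="{datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    # wbits=-15 gives raw DEFLATE without the zlib header, as the binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_saml_request(url: str) -> str:
    """Reverse the binding (what the IdP does on receipt): base64 -> INFLATE -> XML."""
    q = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()

def login_response(relay_state: str, browser_redirect: bool) -> dict:
    """browser_redirect=True: the library's original 302 + Location header.
    browser_redirect=False: the post's modification, 200 with the URL in the body
    (returned here as a dict the web framework would serialise to JSON)."""
    url = build_authn_request_url(relay_state)
    # The URL the UI will navigate to must point at the configured IdP only;
    # it is derived from server-side config, never from caller-supplied input.
    assert urlsplit(url).netloc == urlsplit(IDP_SSO_URL).netloc
    if browser_redirect:
        return {"status": 302, "headers": {"Location": url}, "body": {}}
    return {"status": 200, "headers": {"Content-Type": "application/json"},
            "body": {"redirect_url": url}}
```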

The approach that we took highlights an important aspect — don't think you are restricted when using any open source library. You can always be selective about the specifics of the library you want to use and custom design your code accordingly around other things that a library offers.

Hang on… if you think this was it and we got SSO working, you need to wait a bit and check out the other issues we faced in the subsequent blog posts…
