Open ayoho opened 10 months ago
The property name is too long. I won't be able to attend the design issues call, but the guidance for config attributes is that the title should be less than 50 characters (which includes spaces); this attribute name is longer than that.
Design call notes:
send401ForUnauthenticatedXMLHttpRequest to something more generic: unauthenticatedXHRStatusCode? unauthenticatedXHRReturnCode?
A customer has requested that we enhance the OpenID Connect client feature to allow returning 401 responses back for unauthenticated requests to protected resources that originated from an XHR. Currently, the OIDC client will return JavaScript back to the browser (by default) or a 302 to the browser to redirect to the OP. Returning a 401 instead would give the customer some extra control over how to handle unauthenticated requests originating from JavaScript.
Proposal
New config attributes:
sendWWWAuthenticateHeaderForUnauthenticatedXMLHttpRequest: WWW-Authenticate header should be included in 401 responses from the Liberty server to XHR requests. <webAppSecurity> element.
send401ForUnauthenticatedXMLHttpRequest: <openidConnectClient> and <oidcLogin> elements.
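How a browser script could tell apart the three outcomes this issue describes (JavaScript page, 302, proposed 401), as an added example that is not part of the original issue or of Liberty itself. The function names, the sample responses, the `Bearer` challenge and the assumption that the JavaScript page arrives with status 200 are all hypothetical.

```javascript
// Added example (not Liberty code). Parses one challenge, e.g. Bearer realm="app".
function parseChallenge(header) {
  const m = /^\s*([A-Za-z0-9._~+-]+)(?:\s+(.*))?$/.exec(header || "");
  if (!m) return null; // header absent or empty
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  for (let p; (p = re.exec(m[2] || "")) !== null; ) {
    // Quoted values have their backslash escapes removed; tokens are kept as-is.
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1], params };
}

// Classify a response to an XHR/fetch call against a protected resource.
// `res` needs status, type and headers.get(name), as a fetch Response has.
function classifyAuthOutcome(res, expectedType = "application/json") {
  if (res.status === 401) {
    // Unambiguous signal: the script decides how to start a new login.
    const challenge = parseChallenge(res.headers.get("www-authenticate"));
    return { kind: "unauthenticated", challenge };
  }
  // fetch(url, { redirect: "manual" }) surfaces a 302 only as an opaque
  // redirect (status 0, no readable headers); the script cannot see the target.
  if (res.type === "opaqueredirect") return { kind: "opaque-redirect" };
  const ctype = (res.headers.get("content-type") || "").toLowerCase();
  // Assumption: the JavaScript redirect page arrives as a 200 that is not the
  // content type the caller asked for, so it can only be inferred indirectly.
  if (res.status === 200 && !ctype.startsWith(expectedType)) {
    return { kind: "unexpected-body" };
  }
  return { kind: res.status >= 200 && res.status < 300 ? "ok" : "error" };
}

// Constructed stand-in for a fetch Response, so the example runs offline.
const fakeResponse = (status, headers = {}, type = "basic") =>
  ({ status, type, headers: { get: (n) => headers[n.toLowerCase()] ?? null } });

// Constructed samples; the Bearer challenge is illustrative only.
const samples = [
  fakeResponse(401, { "www-authenticate": 'Bearer realm="app"' }),
  fakeResponse(0, {}, "opaqueredirect"),
  fakeResponse(200, { "content-type": "text/html" }),
];
for (const s of samples) console.log(classifyAuthOutcome(s));
```
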