Return 401 for unauthenticated XHR requests in OIDC

[ayoho]

A customer has requested that we enhance the OpenID Connect client feature to allow returning 401 responses back for unauthenticated requests to protected resources that originated from an XHR. Currently, the OIDC client will return JavaScript back to the browser (by default) or a 302 to the browser to redirect to the OP. Returning a 401 instead would give the customer some extra control over how to handle unauthenticated requests originating from JavaScript.

Proposal

New config attributes:

• sendWWWAuthenticateHeaderForUnauthenticatedXMLHttpRequest
  • Descripton: Specifies whether the WWW-Authenticate header should be included in 401 responses from the Liberty server to XHR requests.
  • Added to the <webAppSecurity> element.
  • Type: Boolean
  • Default: true
• send401ForUnauthenticatedXMLHttpRequest
  • Descripton: Specifies whether the OIDC client should send a 401 response for unauthenticated XHR requests (that would normally be redirected to the OP for authentication).
  • Added to the <openidConnectClient> and <oidcLogin> elements.
  • Type: Boolean
  • Default: false

[NottyCode]

The property name is too long. I won't be able to attend the design issues call, but the guidance for config attributes is that the title should be less than 50 characters (which includes spaces), this attribute name is longer than that.

[ayoho]

Design call notes:

• Attribute names
  • Consider shortening "XMLHttpRequest" to "XHR"
  • Consider any possible shorter synonyms for "Unauthenticated"
• Follow up about Traditional WebSphere behavior
  • Check with @barbj about the specifics of Traditional behavior
  • Does the WWW-Authenticate header get included in 401s returned back from OIDC?
  • Update (2024-01-26): No, the WWW-Authenticate header is only set for "true errors" like an invalid token, an error returned from the OP, etc. That would mean not setting the WWW-Authenticate header in 401 responses to XHRs would be identical to tWAS behavior.
• Can we get this down to one attribute?
  • Look into specifics of how/when WWW-Authenticate header should/must be returned
• Consider updating send401ForUnauthenticatedXMLHttpRequest to something more generic
  • unauthenticatedXHRStatusCode? unauthenticatedXHRReturnCode?
  • Value could be an integer for which HTTP status code should be used

[ayoho]

See also https://github.com/OpenLiberty/open-liberty/issues/6772 and https://github.com/OpenLiberty/open-liberty/issues/10107.