From 5287ecf4d4589db9467fa2481fbb5a9ecc24155d Mon Sep 17 00:00:00 2001
From: jabdoa2 <jabdoa2@users.noreply.github.com>
Date: Wed, 29 Mar 2023 17:52:13 +0200
Subject: [PATCH] Allow token refresh for external auth

When using Icingaweb2 with external auth (such as OIDC) your token will eventually expire and the user has to relogin via the external provider. However, this does not work on ajax requests (as they cannot redirect the user). Most external auth plugins (such as mod_oidc) will return 401 instead of a redirect when they detect ajax requests. Icingaweb2 will show a 401 in a few places (example here: https://community.icinga.com/t/401-unauthorized-in-icingaweb2-with-external-auth/9563). With this change icingaweb2 will reload the window instead which in turn will trigger a redirect to the IDP. In most cases the user should get redirected back and should not even notice that his OIDC token got renewed.
---
 public/js/icinga/loader.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/public/js/icinga/loader.js b/public/js/icinga/loader.js
index 2ad05d29f..178995dcf 100644
--- a/public/js/icinga/loader.js
+++ b/public/js/icinga/loader.js
@@ -1015,7 +1015,12 @@
                 this.icinga.timer.unregister(req.progressTimer);
             }
 
-            if (req.status > 0 && req.status < 501) {
+            if (req.status == 401) {
+                this.icinga.logger.debug(
+                    'Request to ' + url + ' return 401. Will refresh page to trigger new login.'
+                );
+                window.refresh();
+            } else if (req.status > 0 && req.status < 501) {
                 this.icinga.logger.error(
                     req.status,
                     errorThrown + ':',