API Pre-Authentication

Some time ago I was dealing with legacy web applications being retrofitted with modern authentication. As you can imagine this opens up a world of pain when the developers of said applications have long since left. In this particular case we had an application migrating to a new API which was secured behind a non-f5 reverse proxy. The difficulty was API authentication.

First the user would SSO to access the application but this was only for web application access. The API used by the application was hosted in a secure environment behind the proxy and there is no support by the standards for any authentication flows under the hood. I refer to fetch() and XHTMLRequest() calls by the application.

Key: Redirect = >

Issue Flow
User requests web application >
   Federated auth >
Web application loads in user browser context and starts making API calls which fail.

I did not have LTM handy to whip up some awesome solution to resolve this which would have been ideal case so had to figure out how to solve this another way. 

The Non-F5 Solution
All authentication requests have to occur at the user level so the only way in this scenario, was to redirect them. They were redirected to a dedicated endpoint on the proxy which automatically triggered an auth redirect for federated authentication. This would see the user has already logged in and issue the relevant proxy credentials (as a cookie) to the client who would then return to the proxy with these credentials. The only issue with this flow is everything about the original redirect from the client is lost during the authentication process. The only thing that remains is the original URL the user requested. 

Prototype Solution
User requests web application > 
   Federated auth >
Web application Loads - API Access? No > 
   Proxy >
        Federated auth >
   Proxy > ?

Javascript handling
Developers add javascript calls to API endpoint and if the return code is XXX redirects the user to proxy with parameter ?return=current url

Final Solution
User requests web application > 
   Federated auth >
Web application loads - API Access? No > 
   Proxy with return URL > (No Authentication)
       Federated auth > (Adds Proxy Authentication Cookie into Users Browser)
   Proxy with return URL > (Redirect user to return URL)
Web application loads -  API Access (Using Proxy Authentication Cookie) ? Yes, proceed as normal.

Since that time there may have been new standards that make this challenge simpler to navigate. Are you aware of any? Moreover which of the various F5 offerings would have been able to assist us with this issue?