docs: best practices for frontend heavy services
Many web applications eschew page refreshing and rely heavily on AJAX requests. This behavior circumvents SSO's ability to perform the proxy -> auth -> proxy redirect loop and it's easy for a frontend client to end up in a state where it thinks that its upstream is failing, but in reality the SSO proxy is trying to get it to reauthenticate.
It would be useful to have documentation outlining the "best case" relationship for SSO proxy and services which use AJAX. This would include:
- How a frontend should pass `X-Requested-With: XMLHttpRequest` to get the proxy to respond with JSON. Does the browser do this automatically? Either way we should make it clear that it is the way the proxy knows to respond with JSON.
- What happens when the proxy wants to go through the redirect flow, but can't because the request is an XHR? (Answer: 401)
- What (if any) unique strategies should a frontend client employ to correctly navigate every step in the big diagram? Can/should it prompt the user to open a new tab? Does it need to save state and perform a hard refresh? Which steps happen behind the scenes?
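As an added illustration of the client-side half of this (example code, not part of the sso project or this issue), the wrapper below marks every request with `X-Requested-With: XMLHttpRequest`, separates the proxy's 401 from a genuine upstream failure, and on 401 saves client state and forces a full page load so the browser can follow the proxy -> auth -> proxy redirect loop. All function and storage-key names are assumptions; the 401 handling strategy is one option, not a recommendation from the project.

```javascript
// Added example, not code from the sso project: a fetch wrapper for a frontend
// that sits behind the SSO proxy. Names and the sessionStorage key are assumptions.

const XHR_HEADER = "X-Requested-With";
const XHR_VALUE = "XMLHttpRequest";

// Add the XHR marker to a plain-object headers map; the proxy keys
// "respond with JSON" vs. "redirect to auth" on this header.
function withXhrHeader(init = {}) {
  const headers = { ...(init.headers || {}), [XHR_HEADER]: XHR_VALUE };
  return { credentials: "same-origin", ...init, headers };
}

// Classify a proxy response: 401 means the proxy wanted the redirect flow but
// could not use it for an XHR; 5xx is an upstream problem, not an auth problem.
function classify(status) {
  if (status === 401) return "reauth";
  if (status >= 500) return "upstream_error";
  if (status >= 200 && status < 300) return "ok";
  return "client_error";
}

// Default re-auth strategy: stash state, then hard refresh so the full-page
// navigation lets the proxy run its redirect loop. No-op outside a browser.
function defaultReauth(state) {
  if (typeof sessionStorage !== "undefined") {
    sessionStorage.setItem("sso.pendingState", JSON.stringify(state));
  }
  if (typeof window !== "undefined") window.location.reload();
}

// fetchImpl and onReauth are injectable so the flow can be exercised without a DOM.
async function ssoFetch(url, init = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl || globalThis.fetch;
  const onReauth = deps.onReauth || defaultReauth;
  const response = await fetchImpl(url, withXhrHeader(init));
  const kind = classify(response.status);
  if (kind === "reauth") onReauth({ url, state: deps.state || null });
  const data = kind === "ok" ? await response.json() : null;
  return { kind, status: response.status, data };
}
```

On the next page load the client can read `sso.pendingState` back out of `sessionStorage` to resume whatever the user was doing before the refresh.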