Add custom headers to the Vaadin post requests

Is it possible to add custom headers to all Vaadin UI POST requests?
And is there a way to access them and work with them in the Java app?

You’d like to intercept the requests on the client side somehow and add headers there? I think somebody else wanted to do that recently as well. On the server side it is easy to check those in Java using a filter.

Can I ask what is your ultimate goal/use case?

Hi, in this case it would be to try and implement OIDC in Vaadin/Quarkus, as for Quarkus security to work with OIDC, every request needs to pass the JWT as a header and not a cookie. Posting to the OIDC server should be relatively easy with LoginForm.setAction(); one would need to capture the JWT and add it as a cookie, and parse the cookie with every request and send it as the auth header, and Quarkus would check the header without doing much inside Vaadin security, I think. I would need to test and see if this process actually works, and would be happy to contribute it! (I’m not a software engineer, but it would leave a base for people with better skills to improve upon.)

Hello, do you have any update on how to do this?

Hi! I think I could look into this this week. If I’d build an example, do you have a favourite for identity provider?

Here is an example of how to hack custom headers into all XHR requests (these also go to non-Vaadin-originated requests, in case of a mashup, but you could add logic to detect those somehow on the client side): GitHub - mstahv/vaadin-custom-request-headers: Example project how to customise XHR object in a Vaadin app

Still, regarding your original goal, is there some reason why cookie is not good for you?

Hi Matti, sorry for the late response, I didn’t have the Discord notifications on. I will look into this. I want to use Keycloak with Quarkus, but it only accepts the OIDC auth through headers, not cookies, so I was looking into this when I started doing the security of my app. Thanks for the example and your time, I will try to do it in Quarkus and will let you know how it goes.

Hi! Check this as well, might be helpful:

I’ll prepare an article based on that example at some point as well to explain it a bit further, but this one uses an HTTP-only cookie (set by the Quarkus OIDC integration). I find this approach more of a “best practice” than manually passing in a bearer token (possible XSS vulnerabilities).

But I don’t know all the details/requirements in your environment…

A “perfect” solution with Vaadin wouldn’t need to keep the tokens even in the cookie, as we have the state in Vaadin UI objects anyway. But the approach I took here has the advantage that we delegate token verification and renewals to the Quarkus integration, instead of doing that by ourselves. Having cookies on the server would save some client-server communication on each request, but so would using push/websocket communication.

And speaking of websocket/push, I haven’t yet tested how that works with push at all. Might have some issues renewing the tokens.

Hi! I will check this out later today. I will make a fork of my project and see how it behaves. So far it seems like it shouldn’t be much of an issue to integrate this. I will let you know if I encounter any issues, as the project also has some REST endpoints for communicating with other services.

Hi Matti! I’ve been checking the demo you sent. So far it has been working well, but I’m having trouble getting REST endpoints to work properly. They are being intercepted by Vaadin, and I haven’t been able to make them work by adding the Vaadin ignore routes properties, changing the root of Vaadin or changing the root of the REST endpoint in Quarkus.

So you have a single Quarkus app that has both the Vaadin UI and REST endpoints?

Yes, the app I’m building needs to communicate with other backend services.
But I had not added the RESTEasy Reactive dependency, my bad.

In my example I put the REST endpoint to a separate app…

Yes, what I meant is, my app serves some REST endpoints for another service outside of Java/Vaadin, where this service adds some information to the Vaadin app. I got it working. It was my mistake, I didn’t have the dependency installed in the pom.xml on the UI app for RESTEasy (not client) to work.