“Invalid JSON response from server” followed by HTML code with Quarkus and OIDC

Hi,
I’m running into an issue where my Vaadin application shows the following error message in the browser.

implementation enforcedPlatform("io.quarkus.platform:quarkus-bom:3.25.4")
implementation enforcedPlatform("com.vaadin:vaadin-bom:24.8.7")
implementation "io.quarkus:quarkus-oidc"
implementation "com.vaadin:vaadin-quarkus-extension:24.8.7"

Any hints or suggestions are very welcome.
Thanks in advance!

Most likely a Vaadin request from the client is intercepted by a security filter and returns an HTML login page instead of the expected JSON.


Thanks, that makes sense — it’s probably the OIDC security filter returning the HTML login page instead of JSON in some situations.

The app is running behind a reverse proxy with load balancing and session affinity enabled. Could that setup be causing or amplifying the problem?

What’s the best way in a Vaadin + Quarkus (OIDC) setup to handle this cleanly, so that Vaadin redirects to the login page instead of showing the “Invalid JSON response” error?

Also, are there specific configuration settings I should check or adjust — on the Quarkus side, in Vaadin, in the OIDC provider, or on the load balancer / reverse proxy — to make sure all requests are handled consistently?

Any tips or examples would be really helpful.

Hard to say.
The first thing that comes to mind looking at the screenshot is that the Vaadin index.html page has been served, but no RPC calls are blocked.
So there might be some security rules/paths configuration that do not cover all the necessary cases.
You can try to take a look at Vaadin configuration for Spring Security (the vaadin-spring module in the Flow repository) to get a picture of what could be needed.
Then it would also be helpful to understand who is doing the redirect. As you mentioned, there’s a reverse proxy in the middle that can be misconfigured (e.g., the app is configured to use WebSocket, but the reverse proxy is not handling the upgrade properly).

Potentially related discussion: "Register and enable View-based access control for Quarkus" (vaadin/quarkus issue #142 on GitHub) and an outdated prototype, mcollovati/flow-quarkus-security-example on GitHub (not sure if it is still working).

It’s not for OIDC, but some concepts may hold (e.g. the custom HttpSecurityPolicy)


I think I have found a solution using the quarkus.oidc.authentication.java-script-auto-redirect property
(OpenID Connect authorization code flow mechanism for protecting web applications - Quarkus)
This, however, requires implementing a JavaScriptRequestChecker.
To do this, you need to be able to distinguish between requests made by the Vaadin JavaScript. Any ideas on how to test this?
This will prevent the “Invalid JSON” message from being displayed.
However, if an error occurs, the “Connection lost, trying to reconnect…” banner appears instead, and the Vaadin JavaScript code doesn’t handle the 499 code and loops.
POST …/?v-r=uidl&v-uiId=0 499 (Client Error (499)) / Server returned 499 for xhr
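The check the last post asks about, and the "who is doing the redirect" question from the earlier reply, both come down to one decision: which requests may be answered with a 302 to the OIDC provider, and which must not. The following is an added example, not code from this thread or from the Vaadin or Quarkus projects. It assumes `quarkus.oidc.application-type=web-app` with `quarkus.oidc.authentication.java-script-auto-redirect=false` in application.properties, so that requests the checker reports as JavaScript get a 499 response with a `WWW-Authenticate: OIDC` header instead of the HTML login page. The package name is hypothetical; `uidl` is the request type visible in the log line above, while `heartbeat`, `push` and `init` are assumed values of the Vaadin Flow client's `v-r` parameter, and the `Accept`-header fallback is this example's own heuristic.

```java
// Added example (not from the thread or the Vaadin/Quarkus projects); package name is hypothetical.
package com.example.security;

import java.util.Set;

import io.quarkus.oidc.JavaScriptRequestChecker;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;

/**
 * Tells Quarkus OIDC which requests come from JavaScript (and therefore cannot
 * follow a redirect to the login page). With
 * quarkus.oidc.authentication.java-script-auto-redirect=false, such requests
 * receive 499 plus "WWW-Authenticate: OIDC" instead of a 302, so the Vaadin
 * client never gets an HTML login page where it expects a JSON UIDL response.
 * Plain browser navigations keep the normal redirect to the OIDC provider.
 */
@ApplicationScoped
public class VaadinJavaScriptRequestChecker implements JavaScriptRequestChecker {

    // Values of the "v-r" query parameter sent by the Vaadin Flow client.
    // "uidl" is the one shown in the thread; the others are assumed here.
    private static final Set<String> VAADIN_REQUEST_TYPES =
            Set.of("uidl", "heartbeat", "push", "init");

    @Override
    public boolean isJavaScriptRequest(RoutingContext context) {
        return classify(context.request());
    }

    /** Pure classification logic, kept separate so it is easy to reason about and test. */
    static boolean classify(HttpServerRequest request) {
        // A top-level navigation can follow a 302 to the OIDC provider, so it is
        // never treated as a JavaScript request. Browsers send
        // Sec-Fetch-Mode: navigate on navigations and cors/same-origin on XHR/fetch.
        String fetchMode = request.getHeader("Sec-Fetch-Mode");
        if ("navigate".equals(fetchMode)) {
            return false;
        }

        // Vaadin's own XHR traffic (UIDL, heartbeat, push, init) carries v-r.
        String vaadinRequestType = request.getParam("v-r");
        if (vaadinRequestType != null
                && VAADIN_REQUEST_TYPES.contains(vaadinRequestType)) {
            return true;
        }

        // Heuristic of this example: any other request that explicitly asks for
        // JSON (e.g. a fetch() from custom JavaScript) is also better served by a
        // 499 than by an HTML login page it cannot parse.
        String accept = request.getHeader("Accept");
        return accept != null && accept.startsWith("application/json");
    }
}
```

With this in place the "Invalid JSON response" error disappears for the reasons the post describes, but, as the post also notes, the Flow client does not itself react to the 499; something on the client side still has to turn that status into a full page navigation (which is a `navigate` request and therefore gets the ordinary redirect to the login page). When a reverse proxy sits in front of the application, check that it passes the `Sec-Fetch-Mode` header and the query string through unchanged, otherwise the classification above degrades to the `Accept` fallback.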