We’ve been using the JWT auth approach discussed in this blog post written by @Matti . We’ve run into an issue in upgrading to any Vaadin version 24.3.9 and higher.
In the old versions, our JWT tokens function normally. A token sticks to a user’s session until the token expires or the session is terminated. In the newer version, if a user refreshes a secured view, or navigates to a different secured view, the JWT token is replaced.
This has the effect of generating an unmanageable number of tokens, and also means the expiration of the token is effectively ignored since new ones are continuously being generated.
We’re able to replicate this behavior on the HelloWorld project found in this git repo attached to the blog.
Was there an important change in Vaadin that we need to refactor around, or, user error on our part? In the 24.3.9 release notes, I see there was a change in handling internal framework requests. Could that be the cause?
I did a little more detective work on this… found that the issue starts happening in Vaadin versions 24.3.9+ and does not occur in 24.3.8 and prior. Using Spring Security 3.2.2.
Updated the original question to reflect the issue may depend more on the Vaadin version than Spring Security.
@knoobie, do you mean the latest version of Vaadin or Spring Security?
Ah interesting, that is definitely the relevant change. Thanks for finding that!
I wish it weren’t buried so deep. I have a follow-up question on revocation but will start a new topic for that.
Just for the record: the mentioned change was present in the release notes of Flow 24.3.8, that is the version shipped with Vaadin 24.3.9.
Vaadin platform and Flow version might not always be the same, so it is worth it to check platform release notes to find the related Flow version (there’s a link to Flow release notes).
@marcoc_753 Yeah, the issue in our case was we followed the guidance in this JWT blog and the accompanying example project. The sample project uses 24.0.0 and we were working with a project in 24.5.7, which meant we weren’t reading the release notes of every minor version.
I realize that keeping every sample project and blog up-to-date is probably impossible, and I wasn’t trying to criticize the quality of the release notes. But you can see from our perspective, tracking down the behavioral change somewhere between 24.0.0 and 24.5.7 wasn’t easy.
I see. I apologize if my comment seemed rude.
My intent was only to highlight that Vaadin platform and Flow version can have different patch numbers and offer the simplest way to find out the correct release notes.