Vaadin 24 and Spring Security with OAuth

I tried upgrading from Vaadin 23 → 24 but ran into an issue with login via OAuth (Auth0). It was working in Vaadin 23.3.0 (Spring Boot 2.7.5). The issue is that I don’t get authenticated (Access denied) and can not see the routes, except for for the HEALTH_URL which has permitAll().

Any idea of what can cause this?

Here’s the SecurityConfiguration:

public class SecurityConfiguration extends VaadinWebSecurity {

  private static final String LOGIN_URL = "/oauth2/authorization/auth0";
  private static final String LOGOUT_URL = "/logout";
  private static final String HEALTH_URL = "/actuator/health";

  private LogoutHandler logoutHandler;

  public SecurityConfiguration(LogoutHandler logoutHandler) {
    this.logoutHandler = logoutHandler;

  protected void configure(HttpSecurity http) throws Exception {
        .logoutRequestMatcher(new AntPathRequestMatcher(LOGOUT_URL))

Vaadin 24 and Spring Security with OAuth

Sounds more like a Spring Boot / Security thing. Vaadin doesn’t interfere with oauth2 in any way. You probably have to enable spring security debug Logging to find the cause, I had similar Problems with SB 3 and had to change my yml

It was a mistake in migration from Java 11 → Java 17, the @PermitAll was still referring to the javax package, it must be from import;