Vaadin heartbeat - CORS redirect OIDC issue

We currently have an issue with the Vaadin heartbeat function: it seems that it does not work properly.

As far as we know, the Vaadin heartbeat function works like this:

  • Vaadin sends a ping to the backend every 5 minutes when the app is idle (not being worked on and no mouse move or keyboard action)
  • this ping has the session cookies on it.
  • when this hits the backend service it validates the authentication token
    • if it's not expired yet, no issues, it goes through
    • if the token is expired (validity is 1h in our setup) it tries to redirect to OIDC (Connection Lost is triggered here)
      • → this gets blocked on the Vaadin frontend app due to security default configs
      • → adds a temporary cookie
      • → retries the operation
      • as it retries, more cookies get added until reaching the size limit and triggering a 431 HTTP response.

Issue description:

It looks like an issue with the JavaScript-initiated heartbeat that occurs every 5 min: it seems that it doesn't have the CORS headers set up properly. If it were from any other Quarkus app, we expect it to work fine (for example, the redirect during login).

At the moment, we have only increased the token session to 8 hours in order to avoid this issue.

It would be great if there is any solution to this issue, which is a blocking point for us at the moment.

Our setup:

Java JDK 21
Quarkus 3.11.1
Vaadin 24.3.10

Some screenshots regarding the Vaadin heartbeat issue:

HTTP status code is a temporary redirect. Do you have a reverse proxy or firewall in front of the Vaadin application?

To me this sounds like the redirect of the XHR is not the right thing to do anyway; it should instead reload the page itself (resulting in a page load that is redirected to OIDC).
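As an added illustration of the behaviour suggested above (not Vaadin's own heartbeat code and not the poster's setup), this is how a browser-side heartbeat can refuse to follow a 302 to the OIDC provider and reload the page instead, so the redirect happens as a top-level navigation rather than an XHR. It assumes the `v-r=heartbeat` query parameter that Vaadin Flow uses to mark heartbeat requests, and the `fetchImpl`/`reloadPage` names are hypothetical injection points so the logic can be run without a browser.

```javascript
// Decide what to do with one heartbeat response. `resp` is a Fetch Response-like
// object; only `type`, `status` and `ok` are inspected.
function classifyHeartbeatResponse(resp) {
  // With redirect: 'manual', any 3xx comes back as an opaque redirect (status 0)
  // instead of being followed across origins to the OIDC provider.
  if (resp.type === 'opaqueredirect') return 'reload';
  // 431: the Cookie header has grown past the server's limit (the retry loop
  // described in the question); retrying would only add more cookies.
  if (resp.status === 431) return 'reload';
  // Explicit "not authenticated" answers also mean a full page load is needed.
  if (resp.status === 401 || resp.status === 403) return 'reload';
  if (resp.ok) return 'ok';
  return 'retry'; // transient server error: keep the session, try again later
}

// Send one heartbeat. fetchImpl and reloadPage are injected (hypothetical names)
// so the same logic works with the browser's fetch / location.reload and in tests.
async function sendHeartbeat(baseUrl, fetchImpl, reloadPage) {
  let resp;
  try {
    resp = await fetchImpl(baseUrl + '?v-r=heartbeat', {
      method: 'POST',
      credentials: 'same-origin', // carry the session cookie, like the real heartbeat
      redirect: 'manual',         // never follow a 302 from an XHR
    });
  } catch (e) {
    // A redirect that was followed to another origin without CORS headers
    // surfaces as a network error; treat it the same way as an opaque redirect.
    reloadPage();
    return 'reload';
  }
  const action = classifyHeartbeatResponse(resp);
  if (action === 'reload') reloadPage();
  return action;
}

// Constructed fake responses standing in for what the backend would return.
const OK_RESPONSE = { type: 'basic', status: 200, ok: true };
const OIDC_REDIRECT = { type: 'opaqueredirect', status: 0, ok: false };
const TOO_MANY_COOKIES = { type: 'basic', status: 431, ok: false };
```

In a real page `fetchImpl` is `fetch` and `reloadPage` is `() => location.reload()`; the heartbeat then never accumulates redirect cookies because the first expired-token answer turns into a page load.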