MGNLSSO-218 (project: Single Sign On)

Upload requests attempt to start an indirect flow


    • Type: Bug
    • Resolution: Fixed
    • Priority: Neutral
    • Fix version: 3.0.1
    • Sprint: AdminX 27

      Since MGNLSSO-98, we filter out most Vaadin requests to prevent them from starting an indirect login flow (a redirect to the IdP). Instead, these requests are assumed to be already authenticated via session tracking (JSESSIONID plus other protection measures such as CSRF tokens).

      See AuthenticationServicePathMatcher and its tests.

      Current logic is to start the flow if:

      • the Sec-Fetch-Mode header is navigate (indicating a user-originated request, as opposed to one loaded from script);
      • otherwise, if the header is unset, the request is not one of the typical Vaadin requests (UIDL, HEARTBEAT, PUSH, etc.), which are excluded.

      There is one case where this falls short: upload. Sec-Fetch-Mode is indeed navigate, so Vaadin request matching is not attempted, and /APP/UPLOAD would not be excluded by it anyway.
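      The decision logic above, modelled as an added example (this is not Magnolia's AuthenticationServicePathMatcher; the rule order, the path markers, the sample paths and the "fixed" variant are assumptions drawn only from the issue text, and the issue does not say how it was actually fixed):

```python
from typing import Optional

# Added example modelling the gate this issue describes. NOT Magnolia's
# AuthenticationServicePathMatcher; markers, paths and the fix are assumptions.

# Markers of script-originated Vaadin requests that ride on the session
# (JSESSIONID + CSRF token) and must not be bounced to the IdP.
VAADIN_INTERNAL = ("/UIDL", "/HEARTBEAT", "/PUSH")
# Upload endpoint named in the issue; browsers send it with Sec-Fetch-Mode: navigate.
UPLOAD_PATH = "/APP/UPLOAD"


def is_vaadin_internal(path: str) -> bool:
    """True when the path carries one of the Vaadin-internal markers (case-insensitive)."""
    upper = path.upper()
    return any(marker in upper for marker in VAADIN_INTERNAL)


def starts_indirect_flow_current(path: str, sec_fetch_mode: Optional[str]) -> bool:
    """Logic as the issue describes it, including the upload gap.

    navigate -> start the flow (treated as user-originated)
    unset    -> start unless it is a typical Vaadin request
    other    -> assumed script-originated, no flow (not stated in the issue)
    """
    if sec_fetch_mode == "navigate":
        return True  # also reached for /APP/UPLOAD: the reported bug
    if sec_fetch_mode is None:
        return not is_vaadin_internal(path)
    return False


def starts_indirect_flow_fixed(path: str, sec_fetch_mode: Optional[str]) -> bool:
    """Hypothetical fix: exclude the upload endpoint before consulting the header,
    so a session-authenticated upload never triggers an IdP redirect."""
    if path.upper().startswith(UPLOAD_PATH):
        return False
    return starts_indirect_flow_current(path, sec_fetch_mode)


def compare(path: str, sec_fetch_mode: Optional[str]) -> dict:
    """Evaluate one request under both rule sets."""
    return {"current": starts_indirect_flow_current(path, sec_fetch_mode),
            "fixed": starts_indirect_flow_fixed(path, sec_fetch_mode)}


if __name__ == "__main__":
    # Constructed sample requests: (path, Sec-Fetch-Mode value or None)
    for path, mode in [("/somepage", "navigate"), ("/APP/UIDL", None),
                       ("/HEARTBEAT/1", None), ("/APP/UPLOAD/abc123/form", "navigate")]:
        print(path, mode, compare(path, mode))
```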

        Acceptance criteria

              mgeljic Mikaël Geljić