Describe the bug
Spring Security always gives 403 when SecurityFilterChain is used with a Keycloak authorization server. Without SecurityFilterChain, authorization works totally fine and requires only adding two lines to the Spring config:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/realms/myrealm
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8080/realms/myrealm/protocol/openid-connect/certs
Adding a simple SecurityChain, even the basic one from the https://spring.io guides (see code below), always gives 403 on any request (GET/POST), no matter whether the token is correct or not, and no matter the path.

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.cors().and()
            .authorizeHttpRequests((requests) -> requests
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

To Reproduce
- Set up Keycloak.
- Set up Spring to use Keycloak by adding to application.properties:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/realms/myrealm
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8080/realms/myrealm/protocol/openid-connect/certs
- Make sure authorization works fine.
- Add WebSecurityConfig with the following SecurityFilterChain:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.cors().and()
            .authorizeHttpRequests((requests) -> requests
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

Expected behavior
Not getting 403 error on all paths/requests.
Comment From: marcusdacoregio
Hi @mira13, you can add logging.level.org.springframework.security=TRACE to your application.properties and investigate the problem.
I feel that this question is better suited to Stack Overflow since there is no clear bug or feature request. I'll close this for now but feel free to continue the discussion
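
An added example, not part of the original thread and not code from either participant: once an application declares its own SecurityFilterChain bean, Spring Boot's default resource-server chain backs off, so the chain in the report has no bearer-token authentication configured and every protected request is treated as anonymous. The sketch below keeps the reporter's rules and adds JWT resource-server support explicitly. It assumes Spring Security 6 with spring-boot-starter-oauth2-resource-server on the classpath and the two `spring.security.oauth2.resourceserver.jwt.*` properties from the report; the package name is hypothetical.

```java
package com.example.demo; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(requests -> requests
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated())
            // A custom chain replaces Boot's default one, so bearer-token
            // (JWT) authentication must be enabled here explicitly. The
            // JwtDecoder is still built from the issuer-uri / jwk-set-uri
            // properties in application.properties.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // A resource server authenticates each request from its token,
            // so no HTTP session is needed.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

With `logging.level.org.springframework.security=TRACE` set as suggested in the comment, the filter list logged at startup should then include `BearerTokenAuthenticationFilter`; its absence is a quick check that the chain has no token authentication.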