Expected Behavior

I'd like to know what exactly went wrong when a Back-Channel Logout fails.

Current Behavior

When I logout from the URI defined as end_session_endpoint in OpenID configuration, a request is sent from Keycloak to the Spring OAuth2 client configured with

    http
        .authorizeExchange((authorize) -> authorize
            .pathMatchers("/logout/connect/back-channel/keycloak").permitAll()
            .anyExchange().authenticated()
        )
        .oauth2Login(withDefaults())
        .oidcLogout((logout) -> logout
            .backChannel(Customizer.withDefaults())
        );

but logout fails and all the logs I have with logging.level.org.springframework.security=TRACE are:

HttpWebHandlerAdapter   : [ccc653d9-21] HTTP POST "/logout/connect/back-channel/keycloak", headers={masked}
HttpWebHandlerAdapter   : [ccc653d9-21] Completed 403 FORBIDDEN, headers={masked}
HttpWebHandlerAdapter   : [ccc653d9-1, L:/127.0.0.1:7081 - R:/127.0.0.1:63309] Handling completed

which is hardly enough to figure out what went wrong.

Additional Context

When I use the conf in the doc (without .pathMatchers("/logout/connect/back-channel/keycloak").permitAll()), I get:

DelegatingReactiveAuthorizationManager: Checking authorization on '/logout/connect/back-channel/baeldung' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@1e99324e
AuthorizationWebFilter      : Authorization failed: Access Denied
HttpWebHandlerAdapter   : [723286b4-9] Completed 401 UNAUTHORIZED, headers={masked}
HttpLogging     : [723286b4-1, L:/127.0.0.1:7081 - R:/127.0.0.1:50926] Handling completed

I have two SecurityWebFilterChain beans: one with oauth2Login and security matchers (tried to include and exclude /logout/connect/back-channel/keycloak from it) and another one with lower precedence and oauth2ResourceServer.
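For readers following the thread, here is the two-chain reactive setup the report describes written out in full, as an added example that is neither the reporter's code nor part of Spring Security. It assumes the package and class names, that the "keycloak" registration is declared under spring.security.oauth2.client.registration.keycloak.* (so the back-channel path ends in that registration id), and an /api/** prefix for the resource-server chain; none of these come from the issue.

```java
// Added example, not from the issue or from Spring Security itself.
// Assumptions: package/class names, a client registration named "keycloak"
// declared via spring.security.oauth2.client.registration.keycloak.*, and
// an /api/** prefix for the bearer-token chain.
package com.example.backchannel;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Path Spring Security serves for OIDC back-channel logout; the last
    // segment is the client registration id ("keycloak" here, by assumption).
    private static final String BACK_CHANNEL = "/logout/connect/back-channel/keycloak";

    // Chain 1: the OAuth2 client (login) chain. Its securityMatcher must
    // include the back-channel path, because oidcLogout() installs the
    // back-channel logout filter in this chain; a request excluded here falls
    // through to chain 2 and never reaches that filter.
    @Bean
    @Order(1)
    SecurityWebFilterChain clientChain(ServerHttpSecurity http) {
        http
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers(
                "/", "/login/**", "/oauth2/**", "/logout/**", "/ui/**"))
            .authorizeExchange((authorize) -> authorize
                // Keycloak POSTs the logout_token server-to-server with no
                // user session, so this exchange cannot require authentication.
                .pathMatchers(BACK_CHANNEL).permitAll()
                .anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oidcLogout((logout) -> logout
                .backChannel(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: lower precedence, bearer-token API calls only. It never sees
    // the back-channel request as long as chain 1's matcher claims that path.
    @Bean
    @Order(2)
    SecurityWebFilterChain resourceServerChain(ServerHttpSecurity http) {
        http
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/api/**"))
            .authorizeExchange((authorize) -> authorize
                .anyExchange().authenticated())
            .oauth2ResourceServer((rs) -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The ordering matters in both directions: the back-channel path has to be routed to the chain that configures oidcLogout(), and within that chain it has to be permitted, since the identity provider calls it without any session cookie. When both hold, a successful request produces the "Found and removed ... session(s) from mapping of ... session(s)" line that the reporter mentions later in the thread rather than a bare 401 or 403.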

Comment From: jzheaux

Thanks for reaching out, @ch4mpy. Let's take a look.

First, though, I'm not understanding something. Since you have TRACE on, I'm surprised that there aren't logs indicating whether the filter is invoked at all, or at what point in the filter chain denies the request. Are the FilterChainProxy logs missing or, if not, could you include them to help me see where the request is getting stopped?

Further, just double-checking, I see this as part of one of your snippets:

DelegatingReactiveAuthorizationManager: Checking authorization on '/logout/connect/back-channel/baeldung

which is a different endpoint. Can you double-check the description to ensure that the logs and configuration match?

Comment From: ch4mpy

@jzheaux, I had a ridiculous typo when copying the conf: http.oidcLogout(Customizer.withDefaults()) instead of http.oidcLogout((logout) -> logout.backChannel(Customizer.withDefaults())).

Stupid me and sorry for the time you might have wasted with this ticket.

However, trying to reproduce what I reported above, I got the Found and removed 1 session(s) from mapping of 1 session(s) log I was expecting, but when I refresh the tab where the user had an authorized client on the Spring client, the request is still authorized. Closing this ticket for a new one with the new error.