Spring Security OidcBackChannelLogoutWebFilter returns an error for unauthenticated ajax requests

Describe the bug Unauthenticated AJAX requests result in a 400 error from the OidcBackChannelLogoutWebFilter, instead of an error from a ErrorWebExceptionHandler.

To Reproduce

1. We have a Spring configuration where all our requests, except logout require authentication:

.authorizeExchange(exchanges -> exchanges
   .pathMatchers("/logout").permitAll()
   .anyExchange().authenticated()
)

1. If you make an unauthenticated request, it triggers an AccessDeniedException, which then goes to ExceptionTranslationWebFilter. When the filter sees that the exchange principal is not authenticated, it calls the registered ServerAuthenticationEntryPoint with a new AuthenticationCredentialsNotFoundException as an argument.

2. In our case we use a custom entry point that only handles basic HTML requests. In case of Ajax requests, we just re-throw the exception from the entry point, so that our generic ErrorWebExceptionHandler can take care of this and produce the expected response:

public Mono<Void> commence(final ServerWebExchange exchange, final AuthenticationException e) {
        return Mono.just(isHtmlRequest(exchange.getRequest()))
                .filter(isHtml -> isHtml)
                .flatMap(h -> requiresCsrfProtection(exchange))
                .filter(needsCsrf -> !needsCsrf.isMatch())
                .switchIfEmpty(Mono.error(e))
                ...
}

1. The OidcBackChannelLogoutWebFilter registers itself very early in the filter chain and this part: https://github.com/spring-projects/spring-security/blob/1423641c5692279191f864252c6c57bd62594a97/config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelLogoutWebFilter.java#L92-L97 catches the AuthenticationCredentialsNotFoundException and handles it and our exception handler is never reached.

2. It seems as if the https://github.com/spring-projects/spring-security/blob/1423641c5692279191f864252c6c57bd62594a97/config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelLogoutWebFilter.java#L90 is executed too early in that filter or the onErrorResume should be added within the first flatMap. The onErrorResume should not be applied to the result of the chain.filter(exchange) call.

Expected behavior

The unauthenticated request should be handled by a ErrorWebExceptionHandler, instead of the OidcBackChannelLogoutWebFilter

Comment From: AndreasKasparek

Just to clarify this: the OidcBackChannelLogoutWebFilter currently handles all AuthenticationException (except AuthenticationServiceExceptions) raised by anyone down the filter chain (that bubble up to it), not just for requests to the OIDC logout endpoint. That seems to be wrong.