fix: include debug logging for init

closes: #33109

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java

@@ -17,6 +17,7 @@
 
 package org.keycloak.protocol.oidc.endpoints;
 
+import org.jboss.logging.Logger;
 import org.keycloak.common.util.UriUtils;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
@@ -39,6 +40,8 @@ import static org.keycloak.protocol.oidc.endpoints.IframeUtil.returnIframeFromRe
  */
 public class LoginStatusIframeEndpoint {
 
+    private static final Logger logger = Logger.getLogger(LoginStatusIframeEndpoint.class);
+
     private final KeycloakSession session;
 
     public LoginStatusIframeEndpoint(KeycloakSession session) {
@@ -60,12 +63,17 @@ public class LoginStatusIframeEndpoint {
             ClientModel client = session.clients().getClientByClientId(realm, clientId);
             if (client != null && client.isEnabled()) {
                 Set<String> validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(session, client);
-                validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
+                String requestOrigin = UriUtils.getOrigin(uriInfo.getRequestUri());
+                validWebOrigins.add(requestOrigin);
                 if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
                     return Response.noContent().build();
                 }
+                logger.debugf("client %s does not allow origin=%s for requestOrigin=%s (as determined by hostname settings), init will return a 403", clientId, origin, requestOrigin);
+            } else {
+                logger.debugf("client %s does not exist or not enabled, init will return a 403", clientId);
             }
         } catch (Throwable t) {
+            logger.debug("Exception in init, will return a 403", t);
         }
         return Response.status(Response.Status.FORBIDDEN).build();
     }