From 493252befdb2c9bdd590a819fcde21ca1ff91f1b Mon Sep 17 00:00:00 2001
From: Steve Hawkins
Date: Thu, 19 Sep 2024 13:16:13 -0400
Subject: [PATCH] fix: include debug logging for init
closes: #33109
Signed-off-by: Steve Hawkins
---
 .../oidc/endpoints/LoginStatusIframeEndpoint.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
index 1f4c31d17e..705c958159 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
@@ -17,6 +17,7 @@
 package org.keycloak.protocol.oidc.endpoints;
+import org.jboss.logging.Logger;
 import org.keycloak.common.util.UriUtils;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
@@ -39,6 +40,8 @@ import static org.keycloak.protocol.oidc.endpoints.IframeUtil.returnIframeFromRe
 */
 public class LoginStatusIframeEndpoint {
+ private static final Logger logger = Logger.getLogger(LoginStatusIframeEndpoint.class);
+
 private final KeycloakSession session;
 public LoginStatusIframeEndpoint(KeycloakSession session) {
@@ -60,12 +63,17 @@ public class LoginStatusIframeEndpoint {
 ClientModel client = session.clients().getClientByClientId(realm, clientId);
 if (client != null && client.isEnabled()) {
 Set validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(session, client);
- validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
+ String requestOrigin = UriUtils.getOrigin(uriInfo.getRequestUri());
+ validWebOrigins.add(requestOrigin);
 if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
 return Response.noContent().build();
 }
+ logger.debugf("client %s does not allow origin=%s for requestOrigin=%s (as determined by hostname settings), init will return a 403", clientId, origin, requestOrigin);
+ } else {
+ logger.debugf("client %s does not exist or not enabled, init will return a 403", clientId);
 }
 } catch (Throwable t) {
+ logger.debug("Exception in init, will return a 403", t);
 }
 return Response.status(Response.Status.FORBIDDEN).build();
 }
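Review bot: Both new `debugf` calls write `clientId` and `origin` into the log through `%s` exactly as received. The method signature is outside the hunk, but if these are the request's parameters, as it appears, the caller controls them: a value containing CR/LF can forge extra log lines and a very long value inflates the log whenever debug is enabled. Neutralise line breaks and bound the length before formatting, for example `String safeOrigin = origin == null ? null : origin.replaceAll("[\\r\\n]", "_");` with the same treatment for `clientId`, and pass the sanitised values to `debugf`. Separately, the `catch (Throwable t)` block still turns an `Error` into a 403 and now records it only at debug level; catching `Exception` instead, or logging unexpected failures at a higher level, would keep real faults visible.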