Back-channel logout failed: Unable to perform requested lazy initialization [org.booklore.model.entity.BookLoreUserEntity.username] - no session and settings disallow loading outside the Session

[albertmichaelj]

What went wrong?

I have set up OIDC (using Authentik) as an identity provider for Grimmory. I was trying to get single logout working, but it appears that there is some issue with grimmory that prevents the correct processing of the logout request. The specific error that I am receiving in the logs is:

2026-06-01T09:49:53.923-04:00  WARN 1 --- [booklore-api] [cat-handler-611] o.b.controller.OidcAuthController        : Back-channel logout failed: Unable to perform requested lazy initialization [org.
booklore.model.entity.BookLoreUserEntity.username] - no session and settings disallow loading outside the Session

Note that the above indicates that Authentik is correctly calling the back-channel logout endpoint, but their is a failure with Grimmory processing the request.

I got ChatGPT to look at the error and it suggested some fixes. I am copying and pasting the response below, but I am not qualified to determine if it is correct, so please feel free to ignore the below information if it is not helpful.

Back-channel logout fails with Hibernate lazy initialization error

Summary

I am using Grimmory with Authentik OIDC. Normal OIDC login works, and Authentik is successfully reaching Grimmory’s back-channel logout endpoint. However, back-channel logout fails inside Grimmory with a Hibernate lazy initialization error.

Error

Back-channel logout failed: Unable to perform requested lazy initialization [org.booklore.model.entity.BookLoreUserEntity.username] - no session and settings disallow loading outside the Session

Expected behavior

When Authentik sends a valid OIDC back-channel logout request, Grimmory should revoke the associated OIDC/local session and log the user out of Grimmory.

Actual behavior

The back-channel logout request reaches Grimmory, but Grimmory fails while processing it. The local Grimmory session remains active.

Likely cause

This looks like a lazy-loading issue in the back-channel logout path.

From the current code structure, OidcSessionEntity.user appears to be lazy-loaded, and BackchannelLogoutService accesses fields such as:

session.getUser().getUsername()

during logout processing. If the persistence session is already closed, this throws a Hibernate LazyInitializationException.

Suggested direction for fix

The back-channel logout handling should probably be adjusted so that the user entity is available while the persistence context is active. Possible fixes:

1. Mark the back-channel logout service method as transactional, e.g.:

@transactional
public void handleLogoutToken(String logoutToken) {
...
}

2. Fetch the associated user eagerly for the logout-specific repository queries, for example with an @EntityGraph(attributePaths = "user") on the relevant OidcSessionRepository methods.
3. Consider using repository methods that operate by userId instead of passing around a potentially detached/lazy BookLoreUserEntity, especially when revoking refresh tokens.
4. For the sid lookup, consider matching both sid and issuer, not just sid, since OIDC session identifiers are scoped to the issuer.
5. Consider only marking the logout token jti as processed after logout processing succeeds, or removing it from the replay cache if processing fails. Otherwise, a failed first attempt may cause a legitimate retry to be rejected as a replay while the Grimmory session remains active.

Notes

This does not appear to be an Authentik networking/configuration issue, because Grimmory logs show that the back-channel logout request is being received and processed by Grimmory before failing internally.

How can we reproduce it?

1. Set up Grimmory with an OIDC provider configured with back-channel logout.
2. Login with an OIDC user.
3. Initiate back channel logout from the identity provider.
4. Observe that the user is still logged into Grimmory, and see a message in the logs.

What Build of Grimmory are you on?

Stable

Your setup

• Grimmory version: v3.1.0
• How I am running it: Docker compose
• Operating system/browser: Ubuntu, Safari/Chrome

Screenshots or error messages (optional)

No response

Before submitting

• I've searched existing discussions and this hasn't been reported yet
• I've reviewed this report and have completed it as fully as I can