- Bug
- Resolution: Done
- Major
- 2.13.0.ER3
OIDC BackChannelLogoutHandler can throw an NPE if no tenant configuration matching the back channel logout request has been found. BackChannelLogoutHandler checks if the tenant context is null and logs a message but currently forgets to end the request, leading to a later NPE where this context is accessed.
The OIDC back channel logout spec requires that 400 be returned if the logout request is invalid or has failed for whatever reason, so 400 is returned in this case: https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse
- relates to: QUARKUS-2489 OIDC Back channel logout (Closed)
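The pattern described in the issue, as an added example that is not Quarkus code: a null check that only logs, next to the form that ends the request with 400 and returns. `TenantContext`, `Response`, the handler names and the request paths are hypothetical stand-ins.

```java
import java.util.Map;
import java.util.logging.Logger;

// Added illustration; every type and name here is hypothetical, not Quarkus code.
public class BackChannelLogoutSketch {
    private static final Logger LOG = Logger.getLogger("logout");
    // Stand-in for a resolved tenant configuration.
    record TenantContext(String tenantId) {}
    // Minimal stand-in for an HTTP response.
    static final class Response {
        int status = -1;
        void end(int code) { status = code; }
    }

    // Before: the null check only logs, so execution falls through to the dereference.
    static void handleBuggy(String path, Map<String, TenantContext> tenants, Response resp) {
        TenantContext context = tenants.get(path);
        if (context == null) {
            LOG.fine("Tenant configuration for " + path + " is not available");
        }
        LOG.fine("Processing logout for tenant " + context.tenantId()); // NPE when null
        resp.end(200);
    }

    // After: an unmatched logout request is ended with 400 and the handler returns.
    static void handleFixed(String path, Map<String, TenantContext> tenants, Response resp) {
        TenantContext context = tenants.get(path);
        if (context == null) {
            LOG.fine("Tenant configuration for " + path + " is not available");
            resp.end(400);
            return;
        }
        LOG.fine("Processing logout for tenant " + context.tenantId());
        resp.end(200);
    }

    public static void main(String[] args) {
        // Constructed sample data: one tenant, and a request path that matches none.
        Map<String, TenantContext> tenants =
                Map.of("/back-channel-logout", new TenantContext("default"));
        Response fixed = new Response();
        handleFixed("/unknown-logout", tenants, fixed);
        System.out.println("fixed handler status: " + fixed.status);
        try {
            handleBuggy("/unknown-logout", tenants, new Response());
        } catch (NullPointerException e) {
            System.out.println("buggy handler threw NullPointerException");
        }
    }
}
```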