Align with backchannel logout OIDC spec

[Spitfireap]

Current behaviour

The response of BackChannel logout seems to be missing the Cache-Control header (spec).

The BC logout validation is also missing exp token validation (not expired) and iss validation (equals to issuer in discovery endpoint) per Backchannel logout token validation spec and ID Token validation spec

Changes

• Removed an unused variable from getBackchannelLogoutErrorResponse ($throttleMetadata)
• Increased the severity of the logging when a Backchannel logout fails
• Added the Cache-Control header in the backchannel logout response
• Added a verification for the exp and iss claim
• Check that all required tokens by the spec are there

[Spitfireap]

@julien-nc not entirely sure about the change for the error logging.
I think the severity should be increased since it might be a security issue. The thing is : could these be triggered by a random idp and in that case we should perhaps be cautious about using error or it requires the idp to be verified so error would be well suited ?

[julien-nc]

Nice, thanks. Let's get #1431 in first, then you can rebase and adjust this one.

[Spitfireap]

Added some more alignment with the spec (exp + 1 iss validation step).

Was wondering if we should verify that jti and iat claims are there as well (since they are required) or am I overdoing it ?

[julien-nc]

Hey. #1431 is merged. Sorry there seems to be a small conflict with your branch. You can rebase on main or just merge main in your branch to resolve the conflict.

Was wondering if we should verify that jti and iat claims are there as well...

Yeah sure, let's keep it simple: It's enough to check if those token attributes are defined.

[julien-nc]

$iss is not defined at this point.

[julien-nc]

Suggested change

	$this->logger->error('Backchannel logout error. ' . $error . ' ; ' . $description .
	'. This is likely an IdP issue.');
	$this->logger->error('Backchannel logout error. ' . $error . ' ; ' . $description .
	'. This is likely an IdP issue.', ['metadata' => $metadata]);

You could keep the metadata param (which can be renamed) and include it in the logs so the information is more precise than the $isLikelyIdpSide boolean. Wdyt?

[julien-nc]

Missing ;

[Spitfireap]

Hey. #1431 is merged. Sorry there seems to be a small conflict with your branch. You can rebase on main or just merge main in your branch to resolve the conflict.

Was wondering if we should verify that jti and iat claims are there as well...

Yeah sure, let's keep it simple: It's enough to check if those token attributes are defined.

Working on May the 1st are you :p ?
I'll push the rebase and some rework, then test it a bit on my instance. I'll ping you when it's ready.

[julien-nc]

Working on May the 1st are you :p ?

Checking your github notifications on May 1st? 😁

Yeah for a weird reason I'm working today. I can tell you on a private channel if you're curious.

I'll push the rebase and some rework, then test it a bit on my instance. I'll ping you when it's ready.

Nice! Thank you for the enthusiasm. No rush though, feel free to take the public holiday 😉

[Spitfireap]

@julien-nc should be ready.
Funny thing : LemonLDAP implementation of OP is actually not aligned with the spec (exp token missing).
So although my initial issue is fixed, I still get the error message after this PR. I don't think we should let it pass anyway though. Wdyt ?

[Spitfireap]

Note : this means that LemonLDAP's users won't be logged out anymore in case of OP initiated logout...
This might be a security issue so idk if we should add a way of bypassing it or add a warning of some sort in the README for instance

[julien-nc]

Suggested change

	string $severity = 'warning',
	string $severity = \Psr\Log\LogLevel::WARNING,

[julien-nc]

Suggested change

	severity: 'error',
	severity: \Psr\Log\LogLevel::ERROR,

[julien-nc]

Suggested change

	['extra_context' => 'Probably is an IdP side issue', 'aud' => $aud]
	['extra_context' => 'Probably is an IdP side issue', 'aud' => $aud, 'client_id' => $clientId]

[julien-nc]

Suggested change

	$iss = $logoutTokenPayload->iss;
	if ($iss !== $discovery['issuer']) {
	$iss = $logoutTokenPayload->iss;
	$discoveryIssuer = $discovery['issuer'] ?? '';
	if ($iss !== $discoveryIssuer) {

[julien-nc]

Suggested change

	'issuer' => $discovery['issuer']
	'issuer' => $discoveryIssuer,

[julien-nc]

Suggested change

	'current_time' => $this->timeFactory->getTime()
	'current_time' => $this->timeFactory->getTime(),

[julien-nc]

Suggested change

	. 'This should not happen. Please check that you have created your DB indexes'
	. 'This should not happen.'

Missing indexes don't change anything to this. It cannot make the request return multiple results.

[julien-nc]

I don't think we should let it pass anyway though. Wdyt ?

I think it's fine to let this pass if the token expiration is not defined. So:

• If the exp is defined, we validate it
• If it's not defined, we just ignore

Sounds good to you?

[Spitfireap]

I don't think we should let it pass anyway though. Wdyt ?

I think it's fine to let this pass if the token expiration is not defined. So:

* If the exp is defined, we validate it

* If it's not defined, we just ignore

Sounds good to you?

If you say so. Although it is a clear deviation from the spec I think since it is REQUIRED, and we ought to verify it as we would do in the code function...

For instance, had LemonLDAP not forget to make the exp claim required in its RP implementation, the OP would get the 400 error pretty much as current fix.

So do I make it optional ?

[julien-nc]

Let's get this in while it implements the RFC. We can discuss the missing exp later.

[julien-nc]

Thanks a lot for the adjustments.