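--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -509,7 +509,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 try {
 $authToken = $this->authTokenProvider->getToken($this->session->getId());
 $this->sessionMapper->createSession(
-$idTokenPayload->sid ?? 'fallback-sid',
+$idTokenPayload->{'urn:telekom.com:session_token'} ?? 'fallback-sid',
 $idTokenPayload->sub ?? 'fallback-sub',
 $idTokenPayload->iss ?? 'fallback-iss',
 $authToken->getId(),
@@ -577,8 +577,11 @@ public function singleLogoutService() {
 }
 }
 
-// cleanup related oidc session
-$this->sessionMapper->deleteFromNcSessionId($this->session->getId());
+// it is not a good idea to remove the session early as some IDM send
+// a backchannel logout also to the initiating system. This will falsely fail
+// if already deleted. So rely always on backchannel cleanup
+// or make this an option?
+//$this->sessionMapper->deleteFromNcSessionId($this->session->getId());
 
 $this->userSession->logout();
 
@@ -666,8 +669,8 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 );
 }
 
-$sub = $logoutTokenPayload->sub;
-if ($oidcSession->getSub() !== $sub) {
+// handle sub only if it is available; session is enough to identify a logout, though
+if (isset($logoutTokenPayload->sub) && ($oidcSession->getSub() !== $logoutTokenPayload->sub)) {
 return $this->getBackchannelLogoutErrorResponse(
 'invalid SUB',
 'The sub does not match the one from the login ID token',
@@ -692,17 +695,18 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 $userId = $authToken->getUID();
 $this->authTokenProvider->invalidateTokenById($userId, $authToken->getId());
 } catch (InvalidTokenException $e) {
-return $this->getBackchannelLogoutErrorResponse(
-'nc session not found',
-'The authentication session was not found in Nextcloud',
-['nc_auth_session_not_found' => $authTokenId]
-);
+//it is not a problem if the auth token is already deleted, so no error
+//return $this->getBackchannelLogoutErrorResponse(
+// 'nc session not found',
+// 'The authentication session was not found in Nextcloud',
+// ['nc_auth_session_not_found' => $authTokenId]
+//);
 }
 
 // cleanup
 $this->sessionMapper->delete($oidcSession);
 
-return new JSONResponse([], Http::STATUS_OK);
+return new JSONResponse();
 }
 
 /**
@@ -730,4 +734,20 @@ private function getBackchannelLogoutErrorResponse(string $error, string $descri
 }
 return $response;
 }
 
+/**
+ * Backward compatible function for MagentaCLOUD to smoothly transition to new config
+ *
+ * @PublicPage
+ * @NoCSRFRequired
+ * @BruteForceProtection(action=userOidcBackchannelLogout)
+ *
+ * @param string $logout_token
+ * @return JSONResponse
+ * @throws Exception
+ * @throws \JsonException
+ */
+public function telekomBackChannelLogout(string $logout_token = '') {
+return $this->backChannelLogout('Telekom', $logout_token);
+}
 }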
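Review bot: The relaxed `sub` check in backChannelLogout now accepts a logout token that carries no `sub` at all, so the only thing binding the token to `$oidcSession` is the lookup that precedes this hunk (presumably keyed by `sid`, which is outside the visible lines); since a logout token must carry at least one of `sub` or `sid`, a token with neither should be rejected explicitly rather than falling through, e.g. `if (!isset($logoutTokenPayload->sub) && !isset($logoutTokenPayload->sid)) { return $this->getBackchannelLogoutErrorResponse('invalid logout token', 'The logout token contains neither sub nor sid', []); }` — if the earlier lookup already fails closed on a missing `sid`, a comment here saying so is enough. Further down the same method, `catch (InvalidTokenException $e)` is now empty apart from commented-out code, which leaves `$authTokenId` unused; keeping only the one-line explanation (`// an already-invalidated auth token is tolerated: the OIDC session is still cleaned up below`) and dropping the dead call would make the intent clearer. The new `telekomBackChannelLogout` wrapper documents its return type only in the docblock; `: JSONResponse` on the signature would match the documented contract. backChannelLogout starts and ends outside the hunk.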