Merge #10 Fix backchannel logout for Telekom and keep backward compatibility

tsdicloud · tsdicloud · commit ad5256a4f9dc · 2023-10-26T11:55:38.000Z
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
@@ -509,7 +509,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		try {
 			$authToken = $this->authTokenProvider->getToken($this->session->getId());
 			$this->sessionMapper->createSession(
-				$idTokenPayload->sid ?? 'fallback-sid',
+				$idTokenPayload->{'urn:telekom.com:session_token'} ?? 'fallback-sid',
 				$idTokenPayload->sub ?? 'fallback-sub',
 				$idTokenPayload->iss ?? 'fallback-iss',
 				$authToken->getId(),
@@ -577,8 +577,11 @@ public function singleLogoutService() {
 			}
 		}
 
-		// cleanup related oidc session
-		$this->sessionMapper->deleteFromNcSessionId($this->session->getId());
+		// it is not a good idea to remove the session early as some IDM send
+		// a backchannel logout also to the initiating system. This will falsely fail
+		// if already deleted. So  rely always on backchannel cleanup
+		// or make this an option?
+		//$this->sessionMapper->deleteFromNcSessionId($this->session->getId());
 
 		$this->userSession->logout();
 
@@ -666,8 +669,8 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			);
 		}
 
-		$sub = $logoutTokenPayload->sub;
-		if ($oidcSession->getSub() !== $sub) {
+		// handle sub only if it is available; session is enough to identify a logout, though
+		if (isset($logoutTokenPayload->sub) && ($oidcSession->getSub() !== $logoutTokenPayload->sub)) {
 			return $this->getBackchannelLogoutErrorResponse(
 				'invalid SUB',
 				'The sub does not match the one from the login ID token',
@@ -692,17 +695,18 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			$userId = $authToken->getUID();
 			$this->authTokenProvider->invalidateTokenById($userId, $authToken->getId());
 		} catch (InvalidTokenException $e) {
-			return $this->getBackchannelLogoutErrorResponse(
-				'nc session not found',
-				'The authentication session was not found in Nextcloud',
-				['nc_auth_session_not_found' => $authTokenId]
-			);
+			//it is not a problem if the auth token is already deleted, so no error
+			//return $this->getBackchannelLogoutErrorResponse(
+			//	'nc session not found',
+			//	'The authentication session was not found in Nextcloud',
+			//	['nc_auth_session_not_found' => $authTokenId]
+			//);
 		}
 
 		// cleanup
 		$this->sessionMapper->delete($oidcSession);
 
-		return new JSONResponse([], Http::STATUS_OK);
+		return new JSONResponse();
 	}
 
 	/**
@@ -730,4 +734,20 @@ private function getBackchannelLogoutErrorResponse(string $error, string $descri
 		}
 		return $response;
 	}
+
+	/**
+	 * Backward compatible function for MagentaCLOUD to smoothly transition to new config
+	 *
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 * @BruteForceProtection(action=userOidcBackchannelLogout)
+	 *
+	 * @param string $logout_token
+	 * @return JSONResponse
+	 * @throws Exception
+	 * @throws \JsonException
+	 */
+	public function telekomBackChannelLogout(string $logout_token = '') {
+		return $this->backChannelLogout('Telekom', $logout_token);
+	}
 }
