Merge pull request #1049 from prigaux/main

fix: backchannel logout token may not contain "sub"

Author: julien-nc

lib/Controller/LoginController.php

@@ -724,13 +724,15 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			);
 		}
 
-		$sub = $logoutTokenPayload->sub;
-		if ($oidcSession->getSub() !== $sub) {
-			return $this->getBackchannelLogoutErrorResponse(
-				'invalid SUB',
-				'The sub does not match the one from the login ID token',
-				['invalid_sub' => $sub]
-			);
+		if (isset($logoutTokenPayload->sub)) {
+			$sub = $logoutTokenPayload->sub;
+			if ($oidcSession->getSub() !== $sub) {
+				return $this->getBackchannelLogoutErrorResponse(
+					'invalid SUB',
+					'The sub does not match the one from the login ID token',
+					['invalid_sub' => $sub]
+				);
+			}
 		}
 		$iss = $logoutTokenPayload->iss;
 		if ($oidcSession->getIss() !== $iss) {