46 | 46 | use OCP\AppFramework\Utility\ITimeFactory; |
47 | 47 | use OCP\Authentication\Exceptions\InvalidTokenException; |
48 | 48 | use OCP\Authentication\Token\IToken; |
49 | | -use OCP\DB\Exception; |
50 | 49 | use OCP\EventDispatcher\IEventDispatcher; |
51 | 50 | use OCP\IAppConfig; |
52 | 51 | use OCP\IConfig; |
@@ -846,13 +845,14 @@ public function singleLogoutService() { |
846 | 845 | * Endpoint called by the IdP (OP) when end_session_endpoint is called by another client |
847 | 846 | * The logout token contains the sid for which we know the sessionId |
848 | 847 | * which leads to the auth token that we can invalidate |
| 848 | + * In a RP-initiated logout scenario |
| 849 | + * the invalidation step should not be required since it would have been cleared |
| 850 | + * in singleLogoutService() |
849 | 851 | * Implemented according to https://openid.net/specs/openid-connect-backchannel-1_0.html |
850 | 852 | * |
851 | 853 | * @param string $providerIdentifier |
852 | 854 | * @param string $logout_token |
853 | 855 | * @return JSONResponse |
854 | | - * @throws Exception |
855 | | - * @throws \JsonException |
856 | 856 | */ |
857 | 857 | #[PublicPage] |
858 | 858 | #[NoCSRFRequired] |
@@ -929,39 +929,17 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok |
929 | 929 | $sub = $logoutTokenPayload->sub ?? null; |
930 | 930 | try { |
931 | 931 | $oidcSession = $this->sessionMapper->findSessionBySid($sid, $sub, $iss); |
| 932 | + $oidcSessionsToKill[] = $oidcSession; |
932 | 933 | } catch (DoesNotExistException $e) { |
933 | | - return $this->getBackchannelLogoutErrorResponse( |
934 | | - $sub === null ? 'invalid SID or ISS' : 'invalid SID, SUB or ISS', |
935 | | - $sub === null ? 'No session was found for this (sid,iss)' : 'No session was found for this (sid,sub,iss)', |
936 | | - ['session_not_found' => $sid] |
937 | | - ); |
938 | | - } catch (MultipleObjectsReturnedException $e) { |
939 | | - return $this->getBackchannelLogoutErrorResponse( |
940 | | - $sub === null ? 'invalid SID or ISS' : 'invalid SID, SUB or ISS', |
941 | | - $sub === null ? 'Multiple sessions were found with this (sid,iss)' : 'Multiple sessions were found with this (sid,sub,iss)', |
942 | | - ['multiple_sessions_found' => $sid] |
943 | | - ); |
| 934 | + $this->logger->debug("[BackchannelLogout] OIDC session not found (expected for a RP-initiated logout)"); |
944 | 935 | } |
945 | | - $oidcSessionsToKill[] = $oidcSession; |
946 | 936 | } else { |
947 | 937 | // here we know the sid is not set so the sub is set |
948 | 938 | $sub = $logoutTokenPayload->sub; |
949 | 939 | try { |
950 | 940 | $oidcSessionsToKill = $this->sessionMapper->findSessionsBySubAndIss($sub, $iss); |
951 | | - } catch (\OCP\Db\Exception $e) { |
952 | | - return $this->getBackchannelLogoutErrorResponse( |
953 | | - 'error with sub+iss', |
954 | | - 'Failed to retrieve session with sub+iss', |
955 | | - ['sub_iss_error' => true] |
956 | | - ); |
957 | | - } |
958 | | - |
959 | | - if (empty($oidcSessionsToKill)) { |
960 | | - return $this->getBackchannelLogoutErrorResponse( |
961 | | - 'nothing found with sub+iss', |
962 | | - 'No session found with sub+iss', |
963 | | - ['sub_iss_no_session_found' => true] |
964 | | - ); |
| 941 | + } catch (DoesNotExistException $e) { |
| 942 | + $this->logger->debug("[BackchannelLogout] OIDC session not found (expected for a RP-initiated logout)"); |
965 | 943 | } |
966 | 944 | } |
967 | 945 |
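Review bot: The new catch around findSessionBySid() (new lines 932-935) handles only DoesNotExistException, yet the removed branch shows the same call can surface MultipleObjectsReturnedException; if the mapper still throws it (inferred from the deleted catch, not visible here), a duplicated sid now escapes backChannelLogout() as an unhandled exception instead of the error response the old code returned, and no session gets invalidated. Keep a dedicated branch rather than folding it into the debug-only catch, e.g. `} catch (MultipleObjectsReturnedException $e) {` / `return $this->getBackchannelLogoutErrorResponse('invalid SID or ISS', 'Multiple sessions were found for this sid', ['multiple_sessions_found' => $sid]);` / `}`. The `\OCP\Db\Exception` catch dropped at old line 951 has the same effect for the sub+iss lookup: a DB failure during logout now propagates to the framework rather than being reported to the OP, so if that is intended the docblock should keep `@throws \OCP\DB\Exception` instead of removing it as the earlier hunk does. backChannelLogout() starts and ends outside this hunk.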