
Commit a541e56

committed
Increase verbosity and criticity of failed BC-LO
Admins should be aware that a BCLO attempt failed, since it might be a security issue. On the other hand, we shouldn't spam them if an unknown IdP is attempting a logout. Signed-off-by: Spitap <dev@asdrip.fr>
1 parent 6215443 commit a541e56

1 file changed

Lines changed: 18 additions & 1 deletion


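--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -863,6 +863,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			return $this->getBackchannelLogoutErrorResponse(
 				'provider not found',
 				'The provider was not found in Nextcloud',
+				false
 			);
 		}
 
@@ -881,6 +882,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			return $this->getBackchannelLogoutErrorResponse(
 				'invalid audience',
 				'The audience of the logout token does not match the provider',
+				true
 			);
 		}
 
@@ -889,6 +891,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			return $this->getBackchannelLogoutErrorResponse(
 				'invalid event',
 				'The backchannel-logout event was not found in the logout token',
+				true
 			);
 		}
 
@@ -897,13 +900,15 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			return $this->getBackchannelLogoutErrorResponse(
 				'invalid nonce',
 				'The logout token should not contain a nonce attribute',
+				true
 			);
 		}
 
 		if (!isset($logoutTokenPayload->iss)) {
 			return $this->getBackchannelLogoutErrorResponse(
 				'invalid iss',
 				'The logout token should contain an iss attribute',
+				true
 			);
 		}
 		$iss = $logoutTokenPayload->iss;
@@ -912,6 +917,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			return $this->getBackchannelLogoutErrorResponse(
 				'invalid sid+sub',
 				'The logout token should contain sid or sub or both',
+				true
 			);
 		}
 
@@ -973,8 +979,19 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 	private function getBackchannelLogoutErrorResponse(
 		string $error,
 		string $description,
+		bool $isLikelyIdpSide,
 	): JSONResponse {
-		$this->logger->debug('Backchannel logout error. ' . $error . ' ; ' . $description);
+		// Inform admins that the backchannel logout didn't work because of a misconfiguration
+		if ($isLikelyIdpSide) {
+			$this->logger->error('Backchannel logout error. ' . $error . ' ; ' . $description .
+				'. This is likely an IdP issue.');
+		} else {
+			// If the provider is not found
+			// it might be an unknown OIDC server trying to disconnect unlawfully
+			$this->logger->warning('Backchannel logout error. ' . $error . ' ; ' . $description .
+				'. This is likely a Nextcloud OIDC configuration issue.');
+		}
+
 		return new JSONResponse(
 			[
 				'error' => $error,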
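Review bot: The else branch of getBackchannelLogoutErrorResponse contradicts itself: the inline comment says a missing provider may be an unknown OIDC server trying to disconnect, while the logged message attributes it to a Nextcloud configuration issue, and the comment above the if says the failure is "because of a misconfiguration", so an admin triaging the warning gets the wrong hint. Align the message with the comment, e.g. `'. The provider is unknown to Nextcloud; this may be a configuration issue or a request from an unrelated OIDC server.'`, and drop or generalise the misconfiguration comment. Every call site now passes a bare `true`/`false`, and since the parameter list already uses a trailing comma (PHP 8), named arguments would make the intent readable where it is used: `isLikelyIdpSide: true`. Presumably this endpoint is reachable without a session (back-channel logout is called by the IdP, though the route attributes are outside the hunk), so both branches now emit error/warning lines on unauthenticated input; the messages contain only fixed strings, which is good, but consider passing the provider identifier as log context so admins can tell a misconfigured IdP from unrelated traffic. backChannelLogout begins before the first hunk and the private helper continues past the last one.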
