tell idp not to cache BC logout response

Spitfireap · Spitfireap · commit da506df0409f · 2026-04-28T20:25:22.000+02:00
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
@@ -964,7 +964,12 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			$this->sessionMapper->delete($oidcSession);
 		}
 
-		return new JSONResponse([], Http::STATUS_OK);
+		// Tell the Idp not to cache the response
+		// Per RFC : https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse
+		$response = new JSONResponse([], Http::STATUS_OK);
+		$response.cacheFor(0);
+
+		return $response;
 	}
 
 	/**
@@ -992,13 +997,17 @@ private function getBackchannelLogoutErrorResponse(
 			'. This is likely a Nextcloud OIDC configuration issue.');
 		}
 
-		return new JSONResponse(
+		$response = new JSONResponse(
 			[
 				'error' => $error,
 				'error_description' => $description,
 			],
 			Http::STATUS_BAD_REQUEST,
 		);
+		// Tell the Idp not to cache the response
+		// Per RFC : https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse
+		$response.cacheFor(0);
+		return $response;
 	}
 
 	private function toCodeChallenge(string $data): string {

Original file line number	Diff line number	Diff line change
`@@ -964,7 +964,12 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok`
`964`	`964`	`$this->sessionMapper->delete($oidcSession);`
`965`	`965`	`}`
`966`	`966`
`967`		`- return new JSONResponse([], Http::STATUS_OK);`
	`967`	`+ // Tell the Idp not to cache the response`
	`968`	`+ // Per RFC : https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse`
	`969`	`+ $response = new JSONResponse([], Http::STATUS_OK);`
	`970`	`+ $response.cacheFor(0);`
	`971`	`+`
	`972`	`+ return $response;`
`968`	`973`	`}`
`969`	`974`
`970`	`975`	`/**`
`@@ -992,13 +997,17 @@ private function getBackchannelLogoutErrorResponse(`
`992`	`997`	`'. This is likely a Nextcloud OIDC configuration issue.');`
`993`	`998`	`}`
`994`	`999`
`995`		`- return new JSONResponse(`
	`1000`	`+ $response = new JSONResponse(`
`996`	`1001`	`[`
`997`	`1002`	`'error' => $error,`
`998`	`1003`	`'error_description' => $description,`
`999`	`1004`	`],`
`1000`	`1005`	`Http::STATUS_BAD_REQUEST,`
`1001`	`1006`	`);`
	`1007`	`+ // Tell the Idp not to cache the response`
	`1008`	`+ // Per RFC : https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse`
	`1009`	`+ $response.cacheFor(0);`
	`1010`	`+ return $response;`
`1002`	`1011`	`}`
`1003`	`1012`
`1004`	`1013`	`private function toCodeChallenge(string $data): string {`