Merge pull request #1184 from nextcloud/fix/1183/fix-backchannel-sid-sub-logic

julien-nc · web-flow · commit ba553959872d · 2025-08-25T14:03:26.000+02:00
Fix backchannel logout when no SID is set in the logout token
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
@@ -780,61 +780,83 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 			);
 		}
 
-		// get the auth token ID associated with the logout token's sid attr
-		$sid = $logoutTokenPayload->sid;
-		try {
-			$oidcSession = $this->sessionMapper->findSessionBySid($sid);
-		} catch (DoesNotExistException $e) {
+		if (!isset($logoutTokenPayload->iss)) {
 			return $this->getBackchannelLogoutErrorResponse(
-				'invalid SID',
-				'The sid of the logout token was not found',
-				['session_sid_not_found' => $sid]
+				'invalid iss',
+				'The logout token should contain an iss attribute',
+				['iss_should_be_set' => true]
 			);
-		} catch (MultipleObjectsReturnedException $e) {
+		}
+		$iss = $logoutTokenPayload->iss;
+
+		if (!isset($logoutTokenPayload->sid) && !isset($logoutTokenPayload->sub)) {
 			return $this->getBackchannelLogoutErrorResponse(
-				'invalid SID',
-				'The sid of the logout token was found multiple times',
-				['multiple_logout_tokens_found' => $sid]
+				'invalid sid+sub',
+				'The logout token should contain sid or sub or both',
+				['no_sid_no_sub' => true]
 			);
 		}
 
-		if (isset($logoutTokenPayload->sub)) {
+		$oidcSessionsToKill = [];
+
+		// if SID is set, we look for this specific session (with or without using the sub, depending on if the sub is set)
+		if (isset($logoutTokenPayload->sid)) {
+			$sid = $logoutTokenPayload->sid;
+			$sub = $logoutTokenPayload->sub ?? null;
+			try {
+				$oidcSession = $this->sessionMapper->findSessionBySid($sid, $sub, $iss);
+			} catch (DoesNotExistException $e) {
+				return $this->getBackchannelLogoutErrorResponse(
+					$sub === null ? 'invalid SID or ISS' : 'invalid SID, SUB or ISS',
+					$sub === null ? 'No session was found for this (sid,iss)' : 'No session was found for this (sid,sub,iss)',
+					['session_not_found' => $sid]
+				);
+			} catch (MultipleObjectsReturnedException $e) {
+				return $this->getBackchannelLogoutErrorResponse(
+					$sub === null ? 'invalid SID or ISS' : 'invalid SID, SUB or ISS',
+					$sub === null ? 'Multiple sessions were found with this (sid,iss)' : 'Multiple sessions were found with this (sid,sub,iss)',
+					['multiple_sessions_found' => $sid]
+				);
+			}
+			$oidcSessionsToKill[] = $oidcSession;
+		} else {
+			// here we know the sid is not set so the sub is set
 			$sub = $logoutTokenPayload->sub;
-			if ($oidcSession->getSub() !== $sub) {
+			try {
+				$oidcSessionsToKill = $this->sessionMapper->findSessionsBySubAndIss($sub, $iss);
+			} catch (\OCP\Db\Exception $e) {
 				return $this->getBackchannelLogoutErrorResponse(
-					'invalid SUB',
-					'The sub does not match the one from the login ID token',
-					['invalid_sub' => $sub]
+					'error with sub+iss',
+					'Failed to retrieve session with sub+iss',
+					['sub_iss_error' => true]
 				);
 			}
-		}
-		$iss = $logoutTokenPayload->iss;
-		if ($oidcSession->getIss() !== $iss) {
-			return $this->getBackchannelLogoutErrorResponse(
-				'invalid ISS',
-				'The iss does not match the one from the login ID token',
-				['invalid_iss' => $iss]
-			);
-		}
 
-		// i don't know why but the cast is necessary
-		$authTokenId = (int)$oidcSession->getAuthtokenId();
-		try {
-			$authToken = $this->authTokenProvider->getTokenById($authTokenId);
-			// we could also get the auth token by nc session ID
-			// $authToken = $this->authTokenProvider->getToken($oidcSession->getNcSessionId());
-			$userId = $authToken->getUID();
-			$this->authTokenProvider->invalidateTokenById($userId, $authToken->getId());
-		} catch (InvalidTokenException $e) {
-			return $this->getBackchannelLogoutErrorResponse(
-				'nc session not found',
-				'The authentication session was not found in Nextcloud',
-				['nc_auth_session_not_found' => $authTokenId]
-			);
+			if (empty($oidcSessionsToKill)) {
+				return $this->getBackchannelLogoutErrorResponse(
+					'nothing found with sub+iss',
+					'No session found with sub+iss',
+					['sub_iss_no_session_found' => true]
+				);
+			}
 		}
 
-		// cleanup
-		$this->sessionMapper->delete($oidcSession);
+		foreach ($oidcSessionsToKill as $oidcSession) {
+			// i don't know why but the cast is necessary
+			$authTokenId = (int)$oidcSession->getAuthtokenId();
+			try {
+				$authToken = $this->authTokenProvider->getTokenById($authTokenId);
+				// we could also get the auth token by nc session ID
+				// $authToken = $this->authTokenProvider->getToken($oidcSession->getNcSessionId());
+				$userId = $authToken->getUID();
+				$this->authTokenProvider->invalidateTokenById($userId, $authToken->getId());
+			} catch (InvalidTokenException $e) {
+				$this->logger->warning('[BackchannelLogout] Nextcloud session not found', ['authtoken_id' => $authTokenId]);
+			}
+
+			// cleanup
+			$this->sessionMapper->delete($oidcSession);
+		}
 
 		return new JSONResponse([], Http::STATUS_OK);
 	}
diff --git a/lib/Db/SessionMapper.php b/lib/Db/SessionMapper.php
@@ -12,6 +12,7 @@
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\MultipleObjectsReturnedException;
 use OCP\AppFramework\Db\QBMapper;
+use OCP\DB\Exception;
 use OCP\DB\QueryBuilder\IQueryBuilder;
 
 use OCP\IDBConnection;
@@ -43,21 +44,57 @@ public function getSession(int $id): Session {
 	}
 
 	/**
-	 * Find session by sid (from the OIDC id token)
+	 * Find sessions by sub and iss
+	 *
+	 * @param string $sub
+	 * @param string $iss
+	 * @return Session[]
+	 * @throws Exception
+	 */
+	public function findSessionsBySubAndIss(string $sub, string $iss): array {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName())
+			->where(
+				$qb->expr()->eq('sub', $qb->createNamedParameter($sub, IQueryBuilder::PARAM_STR))
+			)
+			->andWhere(
+				$qb->expr()->eq('iss', $qb->createNamedParameter($iss, IQueryBuilder::PARAM_STR))
+			);
+
+		return $this->findEntities($qb);
+	}
+
+	/**
+	 * Find session by sid and optionally sub and iss
 	 *
 	 * @param string $sid
+	 * @param string|null $sub
+	 * @param string|null $iss
 	 * @return Session
-	 * @throws \OCP\AppFramework\Db\DoesNotExistException
-	 * @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException
+	 * @throws DoesNotExistException
+	 * @throws Exception
+	 * @throws MultipleObjectsReturnedException
 	 */
-	public function findSessionBySid(string $sid): Session {
+	public function findSessionBySid(string $sid, ?string $sub = null, ?string $iss = null): Session {
 		$qb = $this->db->getQueryBuilder();
 
 		$qb->select('*')
 			->from($this->getTableName())
 			->where(
 				$qb->expr()->eq('sid', $qb->createNamedParameter($sid, IQueryBuilder::PARAM_STR))
 			);
+		if ($sub !== null) {
+			$qb->andWhere(
+				$qb->expr()->eq('sub', $qb->createNamedParameter($sub, IQueryBuilder::PARAM_STR))
+			);
+		}
+		if ($iss !== null) {
+			$qb->andWhere(
+				$qb->expr()->eq('iss', $qb->createNamedParameter($iss, IQueryBuilder::PARAM_STR))
+			);
+		}
 
 		return $this->findEntity($qb);
 	}
