Logout tokens should have typ header with value 'logout+jwt' (#185)

IlanaRadinsky · cicnavi · pradtke · web-flow · commit 0d24bdab8bcf · 2022-07-21T07:47:28.000-07:00
* Logout tokens should have typ header with value 'logout+jwt'

* Update test to include typ header check

* Mark SSP composer-module-installer as allowed plugin

* Ignore vendor/bin/psalm in psalm to avoid it evaluating itself

Co-authored-by: Marko Ivančić &lt;marko.ivancic@srce.hr&gt;
Co-authored-by: Patrick Radtke &lt;patrick@cirrusidentity.com&gt;
diff --git a/composer.json b/composer.json
@@ -49,7 +49,10 @@
         "preferred-install": {
             "*": "dist"
         },
-        "sort-packages": true
+        "sort-packages": true,
+        "allow-plugins": {
+            "simplesamlphp/composer-module-installer": true
+        }
     },
     "autoload": {
         "psr-4": {
diff --git a/lib/Services/LogoutTokenBuilder.php b/lib/Services/LogoutTokenBuilder.php
@@ -23,6 +23,7 @@ public function forRelyingPartyAssociation(RelyingPartyAssociationInterface $rel
     {
         $logoutTokenBuilder = $this->jsonWebTokenBuilderService
             ->getDefaultJwtTokenBuilder()
+            ->withHeader('typ', 'logout+jwt')
             ->permittedFor($relyingPartyAssociation->getClientId())
             ->relatedTo($relyingPartyAssociation->getUserId())
             ->withClaim('events', ['http://schemas.openid.net/event/backchannel-logout' => new stdClass()])
diff --git a/psalm.xml b/psalm.xml
@@ -17,6 +17,7 @@
     <!-- Ignore deprecated classes -->
     <ignoreFiles>
        <directory name="www/assets" />
+       <file name="vendor/bin/psalm" />
     </ignoreFiles>
   </projectFiles>
 
@@ -45,7 +46,7 @@
     <!-- Ignore UnresolvableInclude on CLI-scripts -->
     <UnresolvableInclude>
         <errorLevel type="suppress">
-            <file name="tests/bootstrap.php" />
+          <file name="tests/bootstrap.php" />
         </errorLevel>
     </UnresolvableInclude>
   </issueHandlers>
diff --git a/tests/Services/LogoutTokenBuilderTest.php b/tests/Services/LogoutTokenBuilderTest.php
@@ -32,6 +32,7 @@ class LogoutTokenBuilderTest extends TestCase
     private static string $userId = 'user123';
     private static string $sessionId = 'session123';
     private static string $backChannelLogoutUri = 'https//some-host.org/logout';
+    private static string $logoutTokenType = 'logout+jwt';
     /**
      * @var mixed
      */
@@ -106,5 +107,8 @@ public function testCanGenerateSignedTokenForRelyingPartyAssociation(): void
                 )
             )
         );
+
+        $this->assertTrue($parsedToken->headers()->has('typ'));
+        $this->assertSame($parsedToken->headers()->get('typ'), self::$logoutTokenType);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ public function forRelyingPartyAssociation(RelyingPartyAssociationInterface $rel`
`23`	`23`	`{`
`24`	`24`	`$logoutTokenBuilder = $this->jsonWebTokenBuilderService`
`25`	`25`	`->getDefaultJwtTokenBuilder()`
	`26`	`+ ->withHeader('typ', 'logout+jwt')`
`26`	`27`	`->permittedFor($relyingPartyAssociation->getClientId())`
`27`	`28`	`->relatedTo($relyingPartyAssociation->getUserId())`
`28`	`29`	`->withClaim('events', ['http://schemas.openid.net/event/backchannel-logout' => new stdClass()])`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ class LogoutTokenBuilderTest extends TestCase`
`32`	`32`	`private static string $userId = 'user123';`
`33`	`33`	`private static string $sessionId = 'session123';`
`34`	`34`	`private static string $backChannelLogoutUri = 'https//some-host.org/logout';`
	`35`	`+ private static string $logoutTokenType = 'logout+jwt';`
`35`	`36`	`/**`
`36`	`37`	`* @var mixed`
`37`	`38`	`*/`
`@@ -106,5 +107,8 @@ public function testCanGenerateSignedTokenForRelyingPartyAssociation(): void`
`106`	`107`	`)`
`107`	`108`	`)`
`108`	`109`	`);`
	`110`	`+`
	`111`	`+ $this->assertTrue($parsedToken->headers()->has('typ'));`
	`112`	`+ $this->assertSame($parsedToken->headers()->get('typ'), self::$logoutTokenType);`
`109`	`113`	`}`
`110`	`114`	`}`