Logout tokens should have typ header with value 'logout+jwt' (#185)

* Logout tokens should have typ header with value 'logout+jwt'

* Update test to include typ header check

* Mark SSP composer-module-installer as allowed plugin

* Ignore vendor/bin/psalm in psalm to avoid it evaluating itself

Co-authored-by: Marko Ivančić <[email protected]>
Co-authored-by: Patrick Radtke <[email protected]>

Author: 3 people

composer.json

@@ -49,7 +49,10 @@
         "preferred-install": {
             "*": "dist"
         },
-        "sort-packages": true
+        "sort-packages": true,
+        "allow-plugins": {
+            "simplesamlphp/composer-module-installer": true
+        }
     },
     "autoload": {
         "psr-4": {

lib/Services/LogoutTokenBuilder.php

@@ -23,6 +23,7 @@ public function forRelyingPartyAssociation(RelyingPartyAssociationInterface $rel
     {
         $logoutTokenBuilder = $this->jsonWebTokenBuilderService
             ->getDefaultJwtTokenBuilder()
+            ->withHeader('typ', 'logout+jwt')
             ->permittedFor($relyingPartyAssociation->getClientId())
             ->relatedTo($relyingPartyAssociation->getUserId())
             ->withClaim('events', ['http://schemas.openid.net/event/backchannel-logout' => new stdClass()])

psalm.xml

@@ -17,6 +17,7 @@
     <!-- Ignore deprecated classes -->
     <ignoreFiles>
        <directory name="www/assets" />
+       <file name="vendor/bin/psalm" />
     </ignoreFiles>
   </projectFiles>
 
@@ -45,7 +46,7 @@
     <!-- Ignore UnresolvableInclude on CLI-scripts -->
     <UnresolvableInclude>
         <errorLevel type="suppress">
-            <file name="tests/bootstrap.php" />
+          <file name="tests/bootstrap.php" />
         </errorLevel>
     </UnresolvableInclude>
   </issueHandlers>

tests/Services/LogoutTokenBuilderTest.php

@@ -32,6 +32,7 @@ class LogoutTokenBuilderTest extends TestCase
     private static string $userId = 'user123';
     private static string $sessionId = 'session123';
     private static string $backChannelLogoutUri = 'https//some-host.org/logout';
+    private static string $logoutTokenType = 'logout+jwt';
     /**
      * @var mixed
      */
@@ -106,5 +107,8 @@ public function testCanGenerateSignedTokenForRelyingPartyAssociation(): void
                 )
             )
         );
+
+        $this->assertTrue($parsedToken->headers()->has('typ'));
+        $this->assertSame($parsedToken->headers()->get('typ'), self::$logoutTokenType);
     }
 }