properly parse logout request

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2026-02-18 03:18:52 -06:00 · 2023-04-12 17:43:59 +02:00
parent a98a880e7d
commit d2d7c49df4
2 changed files with 8 additions and 10 deletions
--- a/ocis-pkg/oidc/client.go
+++ b/ocis-pkg/oidc/client.go
@@ -317,14 +317,14 @@ func (c *oidcClient) verifyAccessTokenJWT(token string) (jwt.RegisteredClaims, [
 	return claims, mapClaims, nil
 }

-func (c *oidcClient) VerifyLogoutToken(ctx context.Context, rawIDToken string) (*LogoutToken, error) {
-	jws, err := jose.ParseSigned(rawIDToken)
+func (c *oidcClient) VerifyLogoutToken(ctx context.Context, rawToken string) (*LogoutToken, error) {
+	jws, err := jose.ParseSigned(rawToken)
 	if err != nil {
 		return nil, err
 	}
 	// Throw out tokens with invalid claims before trying to verify the token. This lets
 	// us do cheap checks before possibly re-syncing keys.
-	payload, err := parseJWT(rawIDToken)
+	payload, err := parseJWT(rawToken)
 	if err != nil {
 		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
 	}
@@ -386,7 +386,7 @@ func (c *oidcClient) VerifyLogoutToken(ctx context.Context, rawIDToken string) (
 		return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", supportedSigAlgs, sig.Header.Algorithm)
 	}

-	gotPayload, err := c.remoteKeySet.VerifySignature(ctx, rawIDToken)
+	gotPayload, err := c.remoteKeySet.VerifySignature(ctx, rawToken)
 	if err != nil {
 		return nil, fmt.Errorf("failed to verify signature: %v", err)
 	}
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
 	"time"

@@ -207,16 +206,15 @@ func (h *StaticRouteHandler) handler() http.Handler {
 	return m
 }

+// handle backchannel logout requests as per https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRequest
 func (h *StaticRouteHandler) backchannelLogout(w http.ResponseWriter, r *http.Request) {
-
-	defer r.Body.Close()
-	body, err := io.ReadAll(r.Body)
-	if err != nil {
+	// parse the application/x-www-form-urlencoded POST request
+	if err := r.ParseForm(); err != nil {
 		render.Status(r, http.StatusBadRequest)
 		return
 	}

-	logoutToken, err := h.oidcClient.VerifyLogoutToken(r.Context(), string(body))
+	logoutToken, err := h.oidcClient.VerifyLogoutToken(r.Context(), r.PostFormValue("logout_token"))
 	if err != nil {
 		render.Status(r, http.StatusBadRequest)
 		return