From d2d7c49df405a079e02b615a7f75e23818d5fdb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Wed, 12 Apr 2023 17:43:59 +0200
Subject: [PATCH] properly parse logout request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 ocis-pkg/oidc/client.go | 8 ++++----
 services/proxy/pkg/command/server.go | 10 ++++------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/ocis-pkg/oidc/client.go b/ocis-pkg/oidc/client.go
index 13817b6844..670e77176b 100644
--- a/ocis-pkg/oidc/client.go
+++ b/ocis-pkg/oidc/client.go
@@ -317,14 +317,14 @@ func (c *oidcClient) verifyAccessTokenJWT(token string) (jwt.RegisteredClaims, [
 return claims, mapClaims, nil
 }
 
-func (c *oidcClient) VerifyLogoutToken(ctx context.Context, rawIDToken string) (*LogoutToken, error) {
- jws, err := jose.ParseSigned(rawIDToken)
+func (c *oidcClient) VerifyLogoutToken(ctx context.Context, rawToken string) (*LogoutToken, error) {
+ jws, err := jose.ParseSigned(rawToken)
 if err != nil {
 return nil, err
 }
 // Throw out tokens with invalid claims before trying to verify the token. This lets
 // us do cheap checks before possibly re-syncing keys.
- payload, err := parseJWT(rawIDToken)
+ payload, err := parseJWT(rawToken)
 if err != nil {
 return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
 }
@@ -386,7 +386,7 @@ func (c *oidcClient) VerifyLogoutToken(ctx context.Context, rawIDToken string) (
 return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", supportedSigAlgs, sig.Header.Algorithm)
 }
 
- gotPayload, err := c.remoteKeySet.VerifySignature(ctx, rawIDToken)
+ gotPayload, err := c.remoteKeySet.VerifySignature(ctx, rawToken)
 if err != nil {
 return nil, fmt.Errorf("failed to verify signature: %v", err)
 }
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index baadf11cdc..d4eb5b0bbf 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -5,7 +5,6 @@ import (
 "crypto/tls"
 "errors"
 "fmt"
- "io"
 "net/http"
 "time"
 
@@ -207,16 +206,15 @@ func (h *StaticRouteHandler) handler() http.Handler {
 return m
 }
 
+// handle backchannel logout requests as per https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRequest
 func (h *StaticRouteHandler) backchannelLogout(w http.ResponseWriter, r *http.Request) {
-
- defer r.Body.Close()
- body, err := io.ReadAll(r.Body)
- if err != nil {
+ // parse the application/x-www-form-urlencoded POST request
+ if err := r.ParseForm(); err != nil {
 render.Status(r, http.StatusBadRequest)
 return
 }
 
- logoutToken, err := h.oidcClient.VerifyLogoutToken(r.Context(), string(body))
+ logoutToken, err := h.oidcClient.VerifyLogoutToken(r.Context(), r.PostFormValue("logout_token"))
 if err != nil {
 render.Status(r, http.StatusBadRequest)
 return
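Review bot: The new `r.ParseForm()` path in backchannelLogout accepts any HTTP method, so a GET or a body-less POST parses cleanly and `r.PostFormValue("logout_token")` hands an empty string to `VerifyLogoutToken`; the back-channel logout request is specified as a form-encoded POST, so reject other methods before parsing with `if r.Method != http.MethodPost { w.WriteHeader(http.StatusMethodNotAllowed); return }` and treat a missing `logout_token` as a 400 explicitly rather than relying on the verifier to fail on the empty string. Since `render.Status` only records the code in the request context, the early returns here presumably answer 200 unless a later `render.*` call writes the response; worth confirming in the rest of the function, which continues past the hunk. The linked spec also asks the RP to send `Cache-Control: no-store` on the logout response, which nothing in the hunk sets.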