WIP

cicnavi · cicnavi · commit 97dc0c63532d · 2026-01-12T16:48:03.000+01:00
diff --git a/src/Controllers/EndSessionController.php b/src/Controllers/EndSessionController.php
@@ -65,6 +65,8 @@ public function __invoke(ServerRequestInterface $request): Response
             (string)$idTokenHint->claims()->get('sid');
         }
 
+        $this->loggerService->debug('EndSession: ID Token Hint Session ID: ' . $sidClaim ?? 'N/A');
+
         // Check if RP is requesting logout for session that previously existed (not this current session).
         // Claim 'sid' from 'id_token_hint' logout parameter indicates for which session should log out be
         // performed (sid is session ID used when ID token was issued during authn). If the requested
@@ -73,19 +75,31 @@ public function __invoke(ServerRequestInterface $request): Response
             $sidClaim !== null &&
             $this->sessionService->getCurrentSession()->getSessionId() !== $sidClaim
         ) {
+            $this->loggerService->debug('Not current session: ' . $sidClaim);
             try {
                 if (($sidSession = $this->sessionService->getSessionById($sidClaim)) !== null) {
+                    $this->loggerService->debug('Found session for ID: ' . $sidClaim);
                     $sidSessionValidAuthorities = $sidSession->getAuthorities();
 
                     if (! empty($sidSessionValidAuthorities)) {
+                        $this->loggerService->debug(
+                            'Valid session authorities: ' . implode(', ', $sidSessionValidAuthorities),
+                        );
                         $wasLogoutActionCalled = true;
                         // Create a SessionLogoutTicket so that the sid is available in the static logoutHandler()
                         $this->sessionLogoutTicketStoreBuilder->getInstance()->add($sidClaim);
                         // Initiate logout for every valid auth source for the requested session.
                         foreach ($sidSessionValidAuthorities as $authSourceId) {
+                            $this->loggerService->debug(
+                                'Initiating logout for auth source ID: ' . $authSourceId,
+                            );
                             $sidSession->doLogout($authSourceId);
                         }
+                    } else {
+                        $this->loggerService->debug('Session authorities not found for ID: ' . $sidClaim);
                     }
+                } else {
+                    $this->loggerService->debug('Session not found for ID: ' . $sidClaim);
                 }
             } catch (Throwable $exception) {
                 $this->loggerService->warning(
@@ -96,13 +110,19 @@ public function __invoke(ServerRequestInterface $request): Response
 
         $currentSessionValidAuthorities = $this->sessionService->getCurrentSession()->getAuthorities();
         if (!empty($currentSessionValidAuthorities)) {
+            $this->loggerService->debug(
+                'Current session authorities: ' . implode(', ', $currentSessionValidAuthorities),
+            );
             $wasLogoutActionCalled = true;
             // Initiate logout for every valid auth source for the current session.
             foreach ($this->sessionService->getCurrentSession()->getAuthorities() as $authSourceId) {
                 $this->sessionService->getCurrentSession()->doLogout($authSourceId);
             }
+        } else {
+            $this->loggerService->debug('Current session authorities not found for ID: ' . $sidClaim);
         }
 
+        $this->loggerService->debug('Was logout action called: ' . var_export($wasLogoutActionCalled, true));
         // Set indication for OIDC initiated logout back to false, so that the logoutHandler() method does not
         // run for other logout initiated actions, like (currently) re-authentication...
         $this->sessionService->setIsOidcInitiatedLogout(false);
@@ -189,14 +209,32 @@ public static function logoutHandler(): void
     protected function resolveResponse(LogoutRequest $logoutRequest, bool $wasLogoutActionCalled): Response
     {
         if (($postLogoutRedirectUri = $logoutRequest->getPostLogoutRedirectUri()) !== null) {
+            $this->loggerService->debug(
+                'Logout request includes post-logout redirect URI: ' . $postLogoutRedirectUri,
+            );
+
             if ($logoutRequest->getState() !== null) {
+                $this->loggerService->debug(
+                    'Appending logout request state: ' . $logoutRequest->getState(),
+                );
                 $postLogoutRedirectUri .= (!str_contains($postLogoutRedirectUri, '?')) ? '?' : '&';
                 $postLogoutRedirectUri .= http_build_query(['state' => $logoutRequest->getState()]);
+            } else {
+                $this->loggerService->debug(
+                    'No state provided for post logout',
+                );
             }
 
+            $this->loggerService->debug(
+                'Final post logout redirect URI: ' . $postLogoutRedirectUri,
+            );
             return new RedirectResponse($postLogoutRedirectUri);
         }
 
+        $this->loggerService->debug(
+            'No post logout redirect URI provided for logout. Showing template.',
+        );
+
         return $this->templateFactory->build(
             templateName:  'oidc:/logout.twig',
             data: [
diff --git a/src/Factories/CoreFactory.php b/src/Factories/CoreFactory.php
@@ -6,10 +6,7 @@
 
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\LoggerService;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmBag;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Core;
-use SimpleSAML\OpenID\SupportedAlgorithms;
 
 class CoreFactory
 {
@@ -25,22 +22,8 @@ public function __construct(
      */
     public function build(): Core
     {
-        $supportedAlgorithms = new SupportedAlgorithms(
-            new SignatureAlgorithmBag(
-                SignatureAlgorithmEnum::from($this->moduleConfig->getFederationSigner()->algorithmId()),
-                SignatureAlgorithmEnum::RS384,
-                SignatureAlgorithmEnum::RS512,
-                SignatureAlgorithmEnum::ES256,
-                SignatureAlgorithmEnum::ES384,
-                SignatureAlgorithmEnum::ES512,
-                SignatureAlgorithmEnum::PS256,
-                SignatureAlgorithmEnum::PS384,
-                SignatureAlgorithmEnum::PS512,
-            ),
-        );
-
         return new Core(
-            supportedAlgorithms: $supportedAlgorithms,
+            supportedAlgorithms: $this->moduleConfig->getSupportedAlgorithms(),
             logger: $this->loggerService,
         );
     }
diff --git a/src/Server/Associations/Interfaces/RelyingPartyAssociationInterface.php b/src/Server/Associations/Interfaces/RelyingPartyAssociationInterface.php
@@ -14,4 +14,17 @@ public function getSessionId(): ?string;
     public function setSessionId(?string $sessionId): void;
     public function getBackChannelLogoutUri(): ?string;
     public function setBackChannelLogoutUri(?string $backChannelLogoutUri): void;
+
+    /**
+     * Get id_token_signed_response_alg metadata parameter used by the client.
+     *
+     * @return string|null
+     */
+    public function getClientIdTokenSignedResponseAlg(): ?string;
+
+    /**
+     * Set id_token_signed_response_alg metadata parameter used by the client.
+     * @param string|null $idTokenSignedResponseAlg
+     */
+    public function setClientIdTokenSignedResponseAlg(?string $idTokenSignedResponseAlg): void;
 }
diff --git a/src/Server/Associations/RelyingPartyAssociation.php b/src/Server/Associations/RelyingPartyAssociation.php
@@ -16,6 +16,7 @@ public function __construct(
          * Registered back-channel logout URI for the client.
          */
         protected ?string $backChannelLogoutUri = null,
+        protected ?string $idTokenSignedResponseAlg = null,
     ) {
     }
 
@@ -58,4 +59,14 @@ public function setBackChannelLogoutUri(?string $backChannelLogoutUri): void
     {
         $this->backChannelLogoutUri = $backChannelLogoutUri;
     }
+
+    public function getClientIdTokenSignedResponseAlg(): ?string
+    {
+        return $this->idTokenSignedResponseAlg;
+    }
+
+    public function setClientIdTokenSignedResponseAlg(?string $idTokenSignedResponseAlg): void
+    {
+        $this->idTokenSignedResponseAlg = $idTokenSignedResponseAlg;
+    }
 }
diff --git a/src/Server/Grants/ImplicitGrant.php b/src/Server/Grants/ImplicitGrant.php
@@ -261,7 +261,7 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz
             $responseParams['expires_in'] = $accessToken->getExpiryDateTime()->getTimestamp() - time();
         }
 
-        $idToken = $this->idTokenBuilder->build(
+        $idToken = $this->idTokenBuilder->buildFor(
             $user,
             $accessToken,
             $authorizationRequest->getAddClaimsToIdToken(),
@@ -272,7 +272,7 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz
             $authorizationRequest->getSessionId(),
         );
 
-        $responseParams['id_token'] = $idToken->toString();
+        $responseParams['id_token'] = $idToken->getToken();
 
         $response = new RedirectResponse();
 
diff --git a/src/Server/ResponseTypes/TokenResponse.php b/src/Server/ResponseTypes/TokenResponse.php
@@ -126,7 +126,8 @@ protected function prepareIdTokenExtraParam(AccessTokenEntity $accessToken): arr
             throw OidcServerException::accessDenied('No user available for provided user identifier.');
         }
 
-        $token = $this->idTokenBuilder->build(
+        //$token = $this->idTokenBuilder->build(
+        $token = $this->idTokenBuilder->buildFor(
             $userEntity,
             $accessToken,
             false,
@@ -138,7 +139,7 @@ protected function prepareIdTokenExtraParam(AccessTokenEntity $accessToken): arr
         );
 
         return [
-            'id_token' => $token->toString(),
+            'id_token' => $token->getToken(),
         ];
     }
 
diff --git a/src/Services/AuthenticationService.php b/src/Services/AuthenticationService.php
@@ -312,6 +312,7 @@ protected function addRelyingPartyAssociation(ClientEntityInterface $oidcClient,
                 (string)($claims['sub'] ?? $user->getIdentifier()),
                 $this->getSessionId(),
                 $oidcClient->getBackChannelLogoutUri(),
+                $oidcClient->getIdTokenSignedResponseAlg(),
             ),
         );
     }
diff --git a/src/Services/Container.php b/src/Services/Container.php
@@ -423,10 +423,15 @@ public function __construct()
         $requestRuleManager = new RequestRulesManager($requestRules, $loggerService);
         $this->services[RequestRulesManager::class] = $requestRuleManager;
 
-        $idTokenBuilder = new IdTokenBuilder($jsonWebTokenBuilderService, $claimTranslatorExtractor);
+        $idTokenBuilder = new IdTokenBuilder(
+            $jsonWebTokenBuilderService,
+            $claimTranslatorExtractor,
+            $core,
+            $moduleConfig,
+        );
         $this->services[IdTokenBuilder::class] = $idTokenBuilder;
 
-        $logoutTokenBuilder = new LogoutTokenBuilder($jsonWebTokenBuilderService);
+        $logoutTokenBuilder = new LogoutTokenBuilder($moduleConfig, $loggerService);
         $this->services[LogoutTokenBuilder::class] = $logoutTokenBuilder;
 
         $sessionLogoutTicketStoreDb = new LogoutTicketStoreDb($database);
diff --git a/src/Services/IdTokenBuilder.php b/src/Services/IdTokenBuilder.php
@@ -13,21 +13,123 @@
 use League\OAuth2\Server\Entities\UserEntityInterface;
 use RuntimeException;
 use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
+use SimpleSAML\Module\oidc\Entities\ClientEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClaimSetInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\EntityStringRepresentationInterface;
+use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Core;
+use SimpleSAML\OpenID\Core\IdToken;
 
 class IdTokenBuilder
 {
     public function __construct(
-        private readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
-        private readonly ClaimTranslatorExtractor $claimExtractor,
+        protected readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
+        protected readonly ClaimTranslatorExtractor $claimExtractor,
+        protected readonly Core $core,
+        protected readonly ModuleConfig $moduleConfig,
     ) {
     }
 
+    /**
+     * @psalm-suppress MixedAssignment
+     */
+    public function buildFor(
+        UserEntityInterface $userEntity,
+        AccessTokenEntity $accessToken,
+        bool $addClaimsFromScopes,
+        bool $addAccessTokenHash,
+        ?string $nonce,
+        ?int $authTime,
+        ?string $acr,
+        ?string $sessionId,
+    ): IdToken {
+        if (!is_a($userEntity, ClaimSetInterface::class)) {
+            throw new RuntimeException('UserEntity must implement ClaimSetInterface');
+        }
+
+        $client = $accessToken->getClient();
+        if (! $client instanceof ClientEntity) {
+            throw new RuntimeException('Client is expected to be instance of ' . ClientEntity::class);
+        }
+
+        $protocolSignatureKeyPairBag = $this->moduleConfig->getProtocolSignatureKeyPairBag();
+        $protocolSignatureKeyPair = $protocolSignatureKeyPairBag->getFirstOrFail();
+
+        // ID Token signing algorithm that the client wants.
+        $clientIdTokenSignedResponseAlg = $client->getIdTokenSignedResponseAlg();
+
+        if (is_string($clientIdTokenSignedResponseAlg)) {
+            $protocolSignatureKeyPair = $protocolSignatureKeyPairBag->getFirstByAlgorithmOrFail(
+                SignatureAlgorithmEnum::from($clientIdTokenSignedResponseAlg),
+            );
+        }
+
+        $currentTimestamp = $this->core->helpers()->dateTime()->getUtc()->getTimestamp();
+
+        $payload = array_filter([
+            ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::Iat->value => $currentTimestamp,
+            ClaimsEnum::Jti->value => $this->core->helpers()->random()->string(),
+            ClaimsEnum::Aud->value => $client->getIdentifier(),
+            ClaimsEnum::Nbf->value => $currentTimestamp,
+            ClaimsEnum::Exp->value => $accessToken->getExpiryDateTime()->getTimestamp(),
+            ClaimsEnum::Sub->value => $this->core->helpers()->type()->ensureNonEmptyString(
+                $userEntity->getIdentifier(),
+            ),
+            ClaimsEnum::Nonce->value => $nonce,
+            ClaimsEnum::AuthTime->value => $authTime,
+            ClaimsEnum::ATHash->value => $addAccessTokenHash ?
+                $this->generateAccessTokenHash(
+                    $accessToken,
+                    $protocolSignatureKeyPair->getSignatureAlgorithm()->value,
+                ) :
+                null,
+            ClaimsEnum::Acr->value => $acr,
+            ClaimsEnum::Sid->value => $sessionId,
+        ]);
+
+        // Reduce the number of claims by provided scope.
+        $claims = $this->claimExtractor->extract(
+            $accessToken->getScopes(),
+            $userEntity->getClaims(),
+        );
+        $requestedClaims =  $accessToken->getRequestedClaims();
+        $additionalClaims = $this->claimExtractor->extractAdditionalIdTokenClaims(
+            $requestedClaims,
+            $userEntity->getClaims(),
+        );
+        $claims = array_merge($additionalClaims, $claims);
+
+        foreach ($claims as $claimName => $claimValue) {
+            if (
+                is_string($claimName) &&
+                $claimName !== '' &&
+                ($addClaimsFromScopes || array_key_exists($claimName, $additionalClaims))
+            ) {
+                $payload[$claimName] = $claimValue;
+            }
+        }
+
+        $header = [
+            ClaimsEnum::Kid->value => $protocolSignatureKeyPair->getKeyPair()->getKeyId(),
+        ];
+
+        return $this->core->idTokenFactory()->fromData(
+            $protocolSignatureKeyPair->getKeyPair()->getPrivateKey(),
+            $protocolSignatureKeyPair->getSignatureAlgorithm(),
+            $payload,
+            $header,
+        );
+    }
+
     /**
      * @throws \Exception
      * @psalm-suppress ArgumentTypeCoercion
+     * @deprecated Since v7
+     * @see self::buildFor()
      */
     public function build(
         UserEntityInterface $userEntity,
diff --git a/src/Services/LogoutTokenBuilder.php b/src/Services/LogoutTokenBuilder.php

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ public function __construct(`
`16`	`16`	`* Registered back-channel logout URI for the client.`
`17`	`17`	`*/`
`18`	`18`	`protected ?string $backChannelLogoutUri = null,`
	`19`	`+ protected ?string $idTokenSignedResponseAlg = null,`
`19`	`20`	`) {`
`20`	`21`	`}`
`21`	`22`
`@@ -58,4 +59,14 @@ public function setBackChannelLogoutUri(?string $backChannelLogoutUri): void`
`58`	`59`	`{`
`59`	`60`	`$this->backChannelLogoutUri = $backChannelLogoutUri;`
`60`	`61`	`}`
	`62`	`+`
	`63`	`+ public function getClientIdTokenSignedResponseAlg(): ?string`
	`64`	`+ {`
	`65`	`+ return $this->idTokenSignedResponseAlg;`
	`66`	`+ }`
	`67`	`+`
	`68`	`+ public function setClientIdTokenSignedResponseAlg(?string $idTokenSignedResponseAlg): void`
	`69`	`+ {`
	`70`	`+ $this->idTokenSignedResponseAlg = $idTokenSignedResponseAlg;`
	`71`	`+ }`
`61`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -312,6 +312,7 @@ protected function addRelyingPartyAssociation(ClientEntityInterface $oidcClient,`
`312`	`312`	`(string)($claims['sub'] ?? $user->getIdentifier()),`
`313`	`313`	`$this->getSessionId(),`
`314`	`314`	`$oidcClient->getBackChannelLogoutUri(),`
	`315`	`+ $oidcClient->getIdTokenSignedResponseAlg(),`
`315`	`316`	`),`
`316`	`317`	`);`
`317`	`318`	`}`