From 8e9495fb9ef80141bd216635ef4d9d4ee4f23acc Mon Sep 17 00:00:00 2001
From: Pascal Rigaux
Date: Sun, 9 Feb 2025 18:47:02 +0100
Subject: [PATCH] fix: backchannel logout token may not contain "sub"

The spec says:
> A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both
Ory Hydra OP never sends "sub"
---
 lib/Controller/LoginController.php | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 4aff4bd0..d95948b3 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -715,13 +715,15 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 );
 }
 
- $sub = $logoutTokenPayload->sub;
- if ($oidcSession->getSub() !== $sub) {
- return $this->getBackchannelLogoutErrorResponse(
- 'invalid SUB',
- 'The sub does not match the one from the login ID token',
- ['invalid_sub' => $sub]
- );
+ if (isset($logoutTokenPayload->sub)) {
+ $sub = $logoutTokenPayload->sub;
+ if ($oidcSession->getSub() !== $sub) {
+ return $this->getBackchannelLogoutErrorResponse(
+ 'invalid SUB',
+ 'The sub does not match the one from the login ID token',
+ ['invalid_sub' => $sub]
+ );
+ }
 }
 $iss = $logoutTokenPayload->iss;
 if ($oidcSession->getIss() !== $iss) {
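Review bot: Making the `sub` comparison conditional on `isset($logoutTokenPayload->sub)` means a logout token without `sub` is now bound to the target session only through `sid`, and nothing in this hunk shows that `sid` is required when `sub` is absent, even though the spec quoted in the commit message demands at least one of the two claims. Unless the `sid` handling earlier in `backChannelLogout` (outside this hunk) already rejects tokens lacking `sid`, a token carrying neither claim would pass this section and fall through to the `iss` check alone, so add a guard ahead of the new `if`: `if (!isset($logoutTokenPayload->sub) && !isset($logoutTokenPayload->sid)) { return $this->getBackchannelLogoutErrorResponse('invalid token', 'The logout token must contain a sub or sid claim', []); }`. Note that `isset()` also treats an explicit `"sub": null` as absent, which is acceptable only if that same guard covers it. The enclosing method starts and ends outside the hunk, so the lookup that produced `$oidcSession` could not be checked here.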