Fixed token hint on logout

Signed-off-by: smarcet@gmail.com <smarcet@gmail.com>
Change-Id: I7d73960fc9acff7b274a120a031450c910978f36

Author: smarcet

app/libs/OAuth2/OAuth2Protocol.php

@@ -66,6 +66,7 @@
 use Utils\Services\IAuthService;
 use Utils\Services\ICheckPointService;
 use Utils\Services\ILogService;
+use Utils\Services\IServerConfigurationService;
 
 /**
  * Class OAuth2Protocol
@@ -844,9 +845,12 @@ static public function responseTypeBelongsToFlow(array $response_type, $flow = '
      */
     private $memento_service;
 
+    /**
+     * @var IServerConfigurationService
+     */
+    private $configuration_service;
 
     /**
-     * OAuth2Protocol constructor.
      * @param ILogService $log_service
      * @param IClientService $client_service
      * @param IClientRepository $client_repository
@@ -864,6 +868,7 @@ static public function responseTypeBelongsToFlow(array $response_type, $flow = '
      * @param IServerPrivateKeyRepository $server_private_key_repository
      * @param IClientJWKSetReader $jwk_set_reader_service
      * @param UserIPHelperProvider $ip_helper
+     * @param IServerConfigurationService $configuration_service
      */
     public function __construct
     (
@@ -883,7 +888,8 @@ public function __construct
         IPrincipalService $principal_service,
         IServerPrivateKeyRepository $server_private_key_repository,
         IClientJWKSetReader $jwk_set_reader_service,
-        UserIPHelperProvider $ip_helper
+        UserIPHelperProvider $ip_helper,
+        IServerConfigurationService $configuration_service
     )
     {
 
@@ -1005,6 +1011,8 @@ public function __construct
             $log_service,
             $ip_helper
         );
+
+        $this->configuration_service = $configuration_service;
     }
 
     /**
@@ -1464,7 +1472,7 @@ public function endSession(OAuth2Request $request = null)
             if (!$this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
 
             $id_token_hint = $this->last_request->getIdTokenHint();
-            $client_id = null;
+            $client_id = $this->last_request->getClientId();
             $user_id = null;
             $user = null;
 
@@ -1476,11 +1484,23 @@ public function endSession(OAuth2Request $request = null)
                     throw new InvalidOAuth2Request('invalid id_token_hint!');
                 }
 
-                $client_id = $jwt->getClaimSet()->getAudience()->getString();
+
+                $jwt_client_id = $jwt->getClaimSet()->getAudience()->getString()->getValue();
+                $jwt_issuer = $jwt->getClaimSet()->getIssuer()->getValue();
+                $current_issuer = $this->configuration_service->getSiteUrl();
+
+                if($jwt_issuer != $current_issuer){
+                    throw new InvalidOAuth2Request(sprintf("issuer provided on id_token_hint (%s) differs from current one %s",
+                        $jwt_issuer, $current_issuer));
+                }
                 $user_id = $jwt->getClaimSet()->getSubject();
-            }
-            if (empty($client_id)) {
-                $client_id = $this->last_request->getClientId();
+
+                if (!empty($client_id) && $client_id != $jwt_client_id) {
+                        throw new InvalidOAuth2Request(sprintf("client id provided on id_token_hint (%s) differs from current one %s",
+                            $jwt_client_id, $client_id));
+                }
+
+                $client_id = $jwt_client_id;
             }
 
             if (is_null($client_id)) {