From a1288f5b0e61e48ed06e3bce6e0b2c68d58101b8 Mon Sep 17 00:00:00 2001
From: memurats
Date: Tue, 5 May 2026 15:34:05 +0200
Subject: [PATCH 1/5] backchannel logout fix

---
 lib/Controller/LoginController.php | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index abba810c..2cfbcbbf 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -702,17 +702,6 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			$this->eventDispatcher->dispatchTyped(new UserLoggedInEvent($user, $userId, null, false));
 		}
 
-		$storeLoginTokenEnabled = $this->appConfig->getValueString(Application::APP_ID, 'store_login_token', '0', lazy: true) === '1';
-		if ($storeLoginTokenEnabled) {
-			// store all token information for potential token exchange requests
-			$tokenData = array_merge(
-				$data,
-				['provider_id' => $providerId],
-			);
-			$this->tokenService->storeToken($tokenData);
-		}
-		$this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
-
 		// Set last password confirm to the future as we don't have passwords to confirm against with SSO
 		$this->session->set('last-password-confirm', $this->timeFactory->getTime() + 4 * 365 * 24 * 3600);
 
@@ -720,7 +709,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		try {
 			$authToken = $this->authTokenProvider->getToken($this->session->getId());
 			$this->sessionMapper->createOrUpdateSession(
-				$idTokenPayload->sid ?? 'fallback-sid',
+				$idTokenPayload->{'urn:telekom.com:session_token'} ?? 'fallback-sid',
 				$idTokenPayload->sub ?? 'fallback-sub',
 				$idTokenPayload->iss ?? 'fallback-iss',
 				$authToken->getId(),
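Review bot: The block removed in the first hunk switches off the `store_login_token` feature and the `had_token_once` user marker inside `code()`, which the commit title ("backchannel logout fix") does not mention; if that is intended, the commit message should say so and the `store_login_token` setting should be documented as no longer having any effect. Any code elsewhere that reads `had_token_once` or expects `tokenService->storeToken()` to have run (not visible here) would now see missing data, so those readers should be checked before this lands. `code()` starts before this hunk and continues past it.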
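Review bot: The new `createOrUpdateSession` argument in the second hunk replaces the standard OIDC `sid` claim with the vendor-specific `urn:telekom.com:session_token` claim for every provider, falling back to the constant `'fallback-sid'` whenever that claim is absent; presumably the backchannel logout handler later matches stored sessions on this value, so for any non-Telekom IdP all sessions would share the same fallback identifier and a logout request could match none or all of them. Keep the standard claim in the chain and only prefer the vendor one when present: `$idTokenPayload->{'urn:telekom.com:session_token'} ?? $idTokenPayload->sid ?? 'fallback-sid',`. A short comment naming why the Telekom claim is preferred would also help the next reader; `code()` continues outside this hunk.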
@@ -1099,4 +1088,15 @@ private function cleanupSessionState(string $sessionKeySuffix): void {
 		$this->session->remove(self::CODE_VERIFIER . $sessionKeySuffix);
 		$this->session->remove(self::TIMESTAMP . $sessionKeySuffix);
 	}
+
+	/**
+	 * Backward compatible function for MagentaCLOUD to smoothly transition to new config
+	 *
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 * @BruteForceProtection(action: 'userOidcBackchannelLogout')
+	 */
+	public function telekomBackChannelLogout(string $logout_token = ''): JSONResponse {
+		return $this->backChannelLogout('Telekom', $logout_token);
+	}
 }

From 56ff33aed0685d5ea0d7927e4daa2ff3d0d7fa81 Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Wed, 6 May 2026 12:45:32 +0200
Subject: [PATCH 2/5] Add telekomBackChannelLogout route to routes.php

---
 appinfo/routes.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/appinfo/routes.php b/appinfo/routes.php
index faf0ae16..91f8656b 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@@ -16,6 +16,7 @@
 		['name' => 'login#code', 'url' => '/code', 'verb' => 'GET'],
 		['name' => 'login#singleLogoutService', 'url' => '/sls', 'verb' => 'GET'],
 		['name' => 'login#backChannelLogout', 'url' => '/backchannel-logout/{providerIdentifier}', 'verb' => 'POST'],
+		['name' => 'login#telekomBackChannelLogout', 'url' => '/logout', 'verb' => 'POST'],
 		['name' => 'id4me#showLogin', 'url' => '/id4me', 'verb' => 'GET'],
 		['name' => 'id4me#login', 'url' => '/id4me', 'verb' => 'POST'],
 

From 432f94e3c018e6f86d74e3ee96d04f442dadba99 Mon Sep 17 00:00:00 2001
From: memurats
Date: Wed, 6 May 2026 17:26:24 +0200
Subject: [PATCH 3/5] remove user api endpoints

---
 appinfo/routes.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/appinfo/routes.php b/appinfo/routes.php
index 91f8656b..f5e7890e 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
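Review bot: The docblock on the new `telekomBackChannelLogout` says the method is backward compatible but not what it preserves or when it can be removed; since it pins the provider identifier to the literal `'Telekom'` and is reachable without authentication or a CSRF token, a removal condition belongs in the doc, e.g. `@deprecated Legacy endpoint for MagentaCLOUD clients; remove once all of them call /backchannel-logout/{providerIdentifier}`. The same applies to the rewritten docblock in the last hunk of this series (PATCH 5/5). `$logout_token` keeps snake_case, presumably because the router binds it to the POST field of that name, so a one-line comment saying so would stop a later rename from silently breaking the endpoint.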
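Review bot: The new `/logout` route has no `{providerIdentifier}` segment and nothing links it to the generic `/backchannel-logout/{providerIdentifier}` route directly above it, so a reader of routes.php cannot tell that this is a provider-specific alias for a back-channel logout rather than an end-user logout action. A comment on the route line would make that explicit: `// Legacy MagentaCLOUD back-channel logout URL, hardwired to provider 'Telekom' (LoginController::telekomBackChannelLogout)`. Naming the target controller there also lets whoever removes the compatibility method find the route that has to go with it.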
@@ -33,7 +33,8 @@
 		['name' => 'Settings#getSupportedSettings', 'url' => '/api/{apiVersion}/supported-settings', 'verb' => 'GET', 'requirements' => $requirements],
 		['name' => 'Settings#setAdminConfig', 'url' => '/api/{apiVersion}/admin-config', 'verb' => 'POST', 'requirements' => $requirements],
 
-		['name' => 'ocsApi#createUser', 'url' => '/api/{apiVersion}/user', 'verb' => 'POST', 'requirements' => $requirements],
-		['name' => 'ocsApi#deleteUser', 'url' => '/api/{apiVersion}/user/{userId}', 'verb' => 'DELETE', 'requirements' => $requirements],
+		// We have to disable the endpoints to avoid problems with Telekom provisioning
+		// ['name' => 'ocsApi#createUser', 'url' => '/api/{apiVersion}/user', 'verb' => 'POST', 'requirements' => $requirements],
+		// ['name' => 'ocsApi#deleteUser', 'url' => '/api/{apiVersion}/user/{userId}', 'verb' => 'DELETE', 'requirements' => $requirements],
 	],
 ];

From 754d55b5d2941d8db5e1c0e47dc3118042da8979 Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Wed, 6 May 2026 18:01:23 +0200
Subject: [PATCH 4/5] Disable user API endpoints for Telekom provisioning

Commented out user-related API endpoints to prevent issues.
---
 appinfo/routes.php | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/appinfo/routes.php b/appinfo/routes.php
index f5e7890e..5ab4ea73 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
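Review bot: Dropping the two `ocsApi` routes leaves the `ocsApi#createUser` and `ocsApi#deleteUser` actions without any route while their controller and any tests for it (not visible here) presumably stay in the tree, so that code becomes unreachable and should either be removed or marked `@deprecated` with a pointer to this decision. The only record of why the endpoints were disabled is the inline comment `// We have to disable the endpoints to avoid problems with Telekom provisioning`; put that rationale into the commit message or the changelog so it survives once the commented-out lines are cleaned up. Removing the endpoints also withdraws the user-provisioning API from operators who script against it, which the release notes should state.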
@@ -32,9 +32,5 @@
 		['name' => 'Settings#setID4ME', 'url' => '/api/{apiVersion}/provider/id4me', 'verb' => 'POST', 'requirements' => $requirements],
 		['name' => 'Settings#getSupportedSettings', 'url' => '/api/{apiVersion}/supported-settings', 'verb' => 'GET', 'requirements' => $requirements],
 		['name' => 'Settings#setAdminConfig', 'url' => '/api/{apiVersion}/admin-config', 'verb' => 'POST', 'requirements' => $requirements],
-
-		// We have to disable the endpoints to avoid problems with Telekom provisioning
-		// ['name' => 'ocsApi#createUser', 'url' => '/api/{apiVersion}/user', 'verb' => 'POST', 'requirements' => $requirements],
-		// ['name' => 'ocsApi#deleteUser', 'url' => '/api/{apiVersion}/user/{userId}', 'verb' => 'DELETE', 'requirements' => $requirements],
 	],
 ];

From 44b43638d0453f646c0b7b355da026ec61eaaea9 Mon Sep 17 00:00:00 2001
From: Mauro Mura
Date: Mon, 11 May 2026 14:32:46 +0200
Subject: [PATCH 5/5] Add attributes to telekomBackChannelLogout method

Updated annotations for backward compatibility function.
---
 lib/Controller/LoginController.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 2cfbcbbf..dca5df30 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -1091,11 +1091,10 @@ private function cleanupSessionState(string $sessionKeySuffix): void {
 
 	/**
 	 * Backward compatible function for MagentaCLOUD to smoothly transition to new config
-	 *
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @BruteForceProtection(action: 'userOidcBackchannelLogout')
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
+	#[BruteForceProtection(action: 'userOidcBackchannelLogout')]
 	public function telekomBackChannelLogout(string $logout_token = ''): JSONResponse {
 		return $this->backChannelLogout('Telekom', $logout_token);
 	}
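Review bot: `telekomBackChannelLogout` still accepts `string $logout_token = ''` and hands it straight to `backChannelLogout('Telekom', ...)` on a public, CSRF-exempt route, so rejecting an empty or malformed logout token rests entirely on `backChannelLogout`, which is outside this hunk; confirm it answers `''` with an error response rather than treating it as a valid request, and once confirmed say so in the docblock, e.g. `Token validation happens in backChannelLogout(); an empty token is rejected there.`. The attribute classes `PublicPage`, `NoCSRFRequired` and `BruteForceProtection` need matching `use` imports that this hunk does not show; if the sibling `backChannelLogout` already carries these attributes the imports exist, otherwise they have to be added.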