Require jti on back-channel logout, add jti getter

samuelwei · samuelwei · commit af7136a88d3e · 2025-06-30T12:33:48.000+02:00
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -278,6 +278,11 @@ class OpenIDConnectClient
      */
     private $backChannelSubject;
 
+    /**
+     * @var string jti (JWT ID) of back-channel logout it will be stored here
+     */
+    private $backChannelJti;
+
     /**
      * @var array list of supported auth methods
      */
@@ -612,6 +617,23 @@ public function verifyLogoutToken(): bool
             // Verify Logout Token Claims
             if ($this->verifyLogoutTokenClaims($claims)) {
                 $this->verifiedClaims = $claims;
+
+                // Set the sid, which could be used to map to a session in
+                // the RP, and therefore be used to help destroy the RP's
+                // session.
+                if (isset($claims->sid)) {
+                    $this->backChannelSid = $claims->sid;
+                }
+
+                // Set the sub, which could be used to map to a session in
+                // the RP, and therefore be used to help destroy the RP's
+                // session.
+                if (isset($claims->sub)) {
+                    $this->backChannelSubject = $claims->sub;
+                }
+
+                $this->backChannelJti = $claims->jti;
+
                 return true;
             }
 
@@ -631,7 +653,6 @@ public function verifyLogoutToken(): bool
     public function verifyLogoutTokenClaims(object $claims): bool
     {
         try {
-
             $clock = new Clock();
             $claimCheckerManager = new ClaimCheckerManager(
                 [
@@ -658,19 +679,6 @@ public function verifyLogoutTokenClaims(object $claims): bool
         if (!isset($claims->sid) && !isset($claims->sub)) {
             return false;
         }
-        // Set the sid, which could be used to map to a session in
-        // the RP, and therefore be used to help destroy the RP's
-        // session.
-        if (isset($claims->sid)) {
-            $this->backChannelSid = $claims->sid;
-        }
-
-        // Set the sub, which could be used to map to a session in
-        // the RP, and therefore be used to help destroy the RP's
-        // session.
-        if (isset($claims->sub)) {
-            $this->backChannelSubject = $claims->sub;
-        }
 
         return true;
     }
@@ -877,7 +885,6 @@ protected function generateRandString(): string
      */
     private function requestAuthorization()
     {
-
         $auth_endpoint = $this->getProviderConfigValue('authorization_endpoint');
         $response_type = 'code';
 
@@ -2194,6 +2201,11 @@ public function getSubjectFromBackChannel(): string
         return $this->backChannelSubject;
     }
 
+    public function getJtiFromBackChannel(): string
+    {
+        return $this->backChannelJti;
+    }
+
     public function supportsAuthMethod(string $auth_method, array $token_endpoint_auth_methods_supported): bool
     {
         # client_secret_jwt has to explicitly be enabled
