fix: backchannel logout token may not contain "sub" #1049

Merged
merged 2 commits into from
Feb 17, 2025

Conversation

prigaux
Contributor

@prigaux prigaux commented Feb 9, 2025

The spec says:

> A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both

Ory Hydra OP never sends "sub".

The fix is really trivial: ignore "sub" if it is missing.

The spec says:

> A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both

Ory Hydra OP never sends "sub"
@julien-nc julien-nc self-requested a review February 10, 2025 10:13
@julien-nc
Member

Thanks for the PR!

So according to the specs, the IdP could include sub but not sid in the logout token.

A full fix would be:

  • sid is there: we use it and don't check the sub
  • sid is missing: we try to use the sub
    • sub is there: we use it to get the session stored in the db (just like we currently do with sid)
    • sub is absent: we return an error response

In any case, we keep checking the iss.

Would you be ready to implement this fix? If not, I can do it later, after we've merged this PR.
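The sid/sub decision julien-nc lays out above, as an added Python example that is neither the PR's nor the app's own code (the app itself is PHP). It goes beyond the comment by also applying the other logout-token claim checks the Back-Channel Logout spec lists (aud, events, no nonce); it assumes the JWT signature has already been verified, and the issuer URL, client id and sample payloads are constructed.

```python
from dataclasses import dataclass

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    """Token must be rejected; the RP answers HTTP 400 per the spec."""


@dataclass(frozen=True)
class SessionLookup:
    by: str     # "sid" or "sub": which stored-session column to query
    value: str


def select_session_lookup(claims: dict, expected_iss: str, expected_aud: str) -> SessionLookup:
    """Apply the reviewer's rule: sid wins when present, sub is the fallback,
    neither is an error, and iss is always checked. The aud/events/nonce
    checks are the spec's additional requirements (assumed, not on the page)."""
    if claims.get("iss") != expected_iss:
        raise LogoutTokenError("iss mismatch")
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise LogoutTokenError("aud does not include this client")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("missing backchannel-logout event claim")
    if "nonce" in claims:
        raise LogoutTokenError("logout tokens must not contain nonce")
    sid = claims.get("sid")
    if isinstance(sid, str) and sid:
        return SessionLookup("sid", sid)           # sub, if present, is ignored
    sub = claims.get("sub")
    if isinstance(sub, str) and sub:
        return SessionLookup("sub", sub)           # may match several sessions
    raise LogoutTokenError("logout token contains neither sid nor sub")


# Constructed sample payloads (decoded JWT claims, not real tokens).
OP_ISS, CLIENT_ID = "https://op.example", "nextcloud-client"
_BASE = {"iss": OP_ISS, "aud": CLIENT_ID, "iat": 1739000000,
         "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
SID_ONLY = {**_BASE, "jti": "t1", "sid": "sess-1"}        # shape Hydra sends
SUB_ONLY = {**_BASE, "jti": "t2", "sub": "user-42"}
BOTH = {**_BASE, "jti": "t3", "sid": "sess-1", "sub": "user-42"}
NEITHER = {**_BASE, "jti": "t4"}
```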

Member

@julien-nc julien-nc left a comment

The specs are actually more complex than what I described. It's a good first step to support the absence of the sub. Thanks!

@julien-nc julien-nc merged commit 42f1e43 into nextcloud:main Feb 17, 2025
50 of 51 checks passed
@julien-nc julien-nc mentioned this pull request Feb 17, 2025

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smoothly and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)
