From 7be6bb6fb80779c4d8ba9e5fb3966a32cc518f3f Mon Sep 17 00:00:00 2001
From: Spitap
Date: Mon, 18 May 2026 19:56:51 +0200
Subject: [PATCH 1/2] Revert "Removed exp claim from required BC-LO"
This reverts commit 7fcb03d5cb20a4cb7ed8e076a1fd5a4e19d8232d.
Signed-off-by: Spitap
---
 lib/Controller/LoginController.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index abba810c..ac47d322 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -889,8 +889,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 // REQUIRED claims check step
 // https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
- // Note : exp claim is deliberately not checked. See #1432
- $requiredClaims = ['iss', 'aud', 'iat', 'jti', 'events'];
+ $requiredClaims = ['iss', 'aud', 'iat', 'exp', 'jti', 'events'];
 $missingClaims = [];
 $logoutTokenArray = (array)$logoutTokenPayload;
 foreach ($requiredClaims as $claim) {
@@ -960,7 +959,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 );
 }
- if (isset($logoutTokenPayload->exp) && $logoutTokenPayload->exp < $this->timeFactory->getTime()) {
+ if ($logoutTokenPayload->exp < $this->timeFactory->getTime()) {
 return $this->getBackchannelLogoutErrorResponse(
 'invalid exp',
 'The logout token is expired',
From 6caf1fdf4ef91d26b07411dd910eca33ab3f649b Mon Sep 17 00:00:00 2001
From: Spitap
Date: Tue, 19 May 2026 19:35:08 +0200
Subject: [PATCH 2/2] Make sure exp is not null BC-LO
Signed-off-by: Spitap
---
 lib/Controller/LoginController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index ac47d322..097cf9e1 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
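Review bot: The removed `// Note : exp claim is deliberately not checked. See #1432` line disappears without recording why requiring `exp` is safe again, so the next reader of `$requiredClaims` will not know the claim was once relaxed on purpose or which providers that affected. Since this hunk makes a logout token without `exp` fail the missing-claims loop that follows, the history belongs next to the list, e.g. `// exp is required again; see #1432 for why it was previously relaxed`, and if the spec linked on the line above lists `exp` as a REQUIRED Logout Token claim, say so in the same comment rather than leaving only the URL. backChannelLogout starts and ends outside this hunk.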
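Review bot: Dropping the `isset` guard leaves the `exp < getTime()` comparison with no check that `exp` is actually a number, and under PHP 8's loose comparison a non-numeric value (a string, boolean or array) can compare as "not less than" the current time and so pass as unexpired; the `?? 0` form in PATCH 2/2 has the same gap. Even if the signature verification upstream bounds who can set the claim, the expiry check should not depend on that: read the claim once and reject anything that is not int or float, `$exp = $logoutTokenPayload->exp ?? null;` followed by `if ((!is_int($exp) && !is_float($exp)) || $exp < $this->timeFactory->getTime()) {`. backChannelLogout begins and ends outside this hunk, and the `if` body's closing brace is past the hunk's last line.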
@@ -959,7 +959,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 );
 }
- if ($logoutTokenPayload->exp < $this->timeFactory->getTime()) {
+ if (($logoutTokenPayload->exp ?? 0) < $this->timeFactory->getTime()) {
 return $this->getBackchannelLogoutErrorResponse(
 'invalid exp',
 'The logout token is expired',
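Review bot: `?? 0` does not change the verdict for a null `exp` — PHP converts both operands to bool when one side is null, so `null < <positive int>` is already true — which means the added code mainly makes the null case explicit for static analysis, while the response still reports 'The logout token is expired' for a token that carries no usable `exp` at all. The required-claims loop earlier in backChannelLogout presumably already rejects a missing `exp`; whether an explicit `"exp": null` reaches this line depends on whether that loop uses isset or array_key_exists, which is outside the hunk. Recording the intent in place, `// exp is required above; ?? 0 only keeps an explicit null fail-closed`, or returning a distinct 'missing exp' message would make the logged rejection reason accurate. The enclosing function starts and ends outside this hunk.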