feat: bump backchannelLogout to draft-07

README.md

@@ -48,7 +48,7 @@ The following draft specifications are implemented by oidc-provider:
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - Implementer's Draft 01][jarm]
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
-- [OpenID Connect Back-Channel Logout 1.0 - draft 06][backchannel-logout]
+- [OpenID Connect Back-Channel Logout 1.0 - draft 07][backchannel-logout]
 - [OpenID Connect RP-Initiated Logout 1.0 - draft 01][rpinitiated-logout]
 
 Updates to draft specification versions are released as MINOR library versions,
@@ -131,7 +131,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
 [pkce]: https://www.rfc-editor.org/rfc/rfc7636.html
 [example-repo]: https://github.com/panva/node-oidc-provider-example
-[backchannel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0-06.html
+[backchannel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0-07.html
 [registration-management]: https://www.rfc-editor.org/rfc/rfc7592.html
 [oauth-native-apps]: https://www.rfc-editor.org/rfc/rfc8252.html
 [jar]: https://www.rfc-editor.org/rfc/rfc9101.html

docs/README.md

@@ -621,7 +621,7 @@ new Provider('http://localhost:3000', {
 
 ### features.backchannelLogout
 
-[Back-Channel Logout 1.0 - draft 06](https://openid.net/specs/openid-connect-backchannel-1_0-06.html)  
+[Back-Channel Logout 1.0 - draft 07](https://openid.net/specs/openid-connect-backchannel-1_0-07.html)  
 
 Enables Back-Channel Logout features.   
 

lib/helpers/defaults.js

@@ -907,7 +907,7 @@ function getDefaults() {
       /*
        * features.backchannelLogout
        *
-       * title: [Back-Channel Logout 1.0 - draft 06](https://openid.net/specs/openid-connect-backchannel-1_0-06.html)
+       * title: [Back-Channel Logout 1.0 - draft 07](https://openid.net/specs/openid-connect-backchannel-1_0-07.html)
        *
        * description: Enables Back-Channel Logout features.
        *

lib/helpers/features.js

@@ -22,10 +22,10 @@ const STABLE = new Set([
 
 const DRAFTS = new Map(Object.entries({
   backchannelLogout: {
-    name: 'OpenID Connect Back-Channel Logout 1.0 - draft 06',
+    name: 'OpenID Connect Back-Channel Logout 1.0 - draft 07',
     type: 'OIDF AB/Connect Working Group draft',
-    url: 'https://openid.net/specs/openid-connect-backchannel-1_0-06.html',
-    version: [4, 'draft-04', 'draft-05', 'draft-06'],
+    url: 'https://openid.net/specs/openid-connect-backchannel-1_0-07.html',
+    version: ['draft-07'],
   },
   dPoP: {
     name: 'OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer - draft 03',

lib/models/id_token.js

@@ -91,6 +91,7 @@ module.exports = function getIdToken(provider) {
             audience: client.clientId,
             issuer: provider.issuer,
             subject: payload.sub,
+            typ: 'logout+jwt',
           };
           encryption = {
             alg: client.idTokenEncryptedResponseAlg,

test/backchannel_logout/backchannel_logout.test.js

@@ -21,6 +21,8 @@ describe('Back-Channel Logout 1.0', () => {
       nock('https://client.example.com/')
         .filteringRequestBody((body) => {
           expect(body).to.match(/^logout_token=(([\w-]+\.?){3})$/);
+          const header = JSON.parse(base64url.decode(RegExp.$1.split('.')[0]));
+          expect(header).to.have.property('typ', 'logout+jwt');
           const decoded = JSON.parse(base64url.decode(RegExp.$1.split('.')[1]));
           expect(decoded).to.have.all.keys('sub', 'events', 'iat', 'aud', 'iss', 'jti', 'sid');
           expect(decoded).to.have.property('events').and.eql({ 'http://schemas.openid.net/event/backchannel-logout': {} });

test/provider/provider_instance.test.js

@@ -20,23 +20,23 @@ describe('provider instance', () => {
 
     it('it warns when draft/experimental specs are enabled', () => {
       new Provider('http://localhost', { // eslint-disable-line no-new
-        features: { backchannelLogout: { enabled: true } },
+        features: { webMessageResponseMode: { enabled: true } },
       });
 
       expect(console.info.called).to.be.true;
     });
 
     it('it is silent when a version is acknowledged', () => {
       new Provider('http://localhost', { // eslint-disable-line no-new
-        features: { backchannelLogout: { enabled: true, ack: 'draft-06' } },
+        features: { webMessageResponseMode: { enabled: true, ack: 'individual-draft-00' } },
       });
 
       expect(console.info.called).to.be.false;
     });
 
     it('it is silent when a version is acknowledged where the draft is backwards compatible with a previous draft', () => {
       new Provider('http://localhost', { // eslint-disable-line no-new
-        features: { backchannelLogout: { enabled: true, ack: 4 } },
+        features: { webMessageResponseMode: { enabled: true, ack: 'id-00' } },
       });
 
       expect(console.info.called).to.be.false;
@@ -45,7 +45,7 @@ describe('provider instance', () => {
     it('throws when an acked feature has breaking changes since', () => {
       expect(() => {
         new Provider('http://localhost', { // eslint-disable-line no-new
-          features: { backchannelLogout: { enabled: true, ack: 3 } },
+          features: { webMessageResponseMode: { enabled: true, ack: 'not a current version' } },
         });
       }).to.throw('An unacknowledged version of a draft feature is included in this oidc-provider version.');
       expect(console.info.called).to.be.true;