Fix: Make exp claim required for back-channel logout

[Spitfireap]

fixes #1436

This reverts commit 7fcb03d.

The exp claim in the logout token during back-channel logout was not checked due to LemonLDAP (third party IdP) not including it. LemonLDAP's users would have been unable to logout with back-channel.

Now that the fix is merged, the commit can be reverted.

[julien-nc]

Thank you!

[julien-nc]

Suggested change

	if ($logoutTokenPayload->exp < $this->timeFactory->getTime()) {
	if (($logoutTokenPayload->exp ?? 0) < $this->timeFactory->getTime()) {

Let's handle the case where it is not defined to avoid unpredictable behaviours.

[Spitfireap]

Let's handle the case where it is not defined to avoid unpredictable behaviours.

Ok, wouldn't it be better to catch null values here ?
Or is it a failsafe for clarity and robustness against later development ?

[julien-nc]

As you wish. My goal was to keep the code short.

[Spitfireap]

Must be me, but I fail to see any scenario where this might change the result of the comparison. I'd be glad if you had time to explain it :).
Anyway, done

[julien-nc]

If the exp attribute is not defined then we use 0 so we know the comparison with getTime will fail so we actually require this attribute. Am I missing something?

Your initial version might have had the exact same behaviour but is less explicit.

[Spitfireap]

If the exp attribute is not defined then we use 0 so we know the comparison with getTime will fail so we actually require this attribute. Am I missing something?

Your initial version might have had the exact same behaviour but is less explicit.

For me it cannot be undefined because it is checked at line 892 ($requiredClaims) and it will return (l.901) before if missing (undefined).
Worse case scenario is that it is null or empty string but the int casting will make it 0.