OpenIdConnect middleware throws on logout messages within callback path (regression in 4.1.0) #476
Description
I have an OpenID Connect site https://domain.example with redirect URI https://domain.example/redir used for both login redirect_uri and logout post_logoug_redirect_uri. On 4.0.1, this worked fine. After upgrading to 4.2.2 related to CVE-2022-29117, I found a regression here that seems to have been introduced by #297 . Following RP initiated logout, the OpenId Connect middleware makes a request like https://sts.example/logout?state=OpenIdConnectProperties.Abc&redirect_uri=https%3A%2F%2Fdomain.example%2Fredir which results in a response to my site like https://domain.example/redir?state=OpenIDConnectProperties.Abc. In 4.0.1, because the response from RP initiated logout is a GET, AuthenticateCoreAsync left openIdConnectMessage null, and returned null (no authentication) on line 220. After #297 , openIdConnectMessage was renamed to authorizationResponse and set on GET requests on line 213. It then fails 70 lines later as being an invalid authorize message, as an authorize message must either include "code" or "id_token".
The prior code seems to have more of the right ideas. This message is indeed a openIdConnectMessage, and NOT an authorizationResponse yet. The middleware should first decode the state using something like Helper.LookupSignOut - and then, depending on the data in the state, either process the message as an authorizationResponse or an authorizationResponseRevoke.