OidcBackChannelLogoutWebFilter error response is not a correct JSON

[katya-tis]

Describe the bug
When OidcBackChannelLogoutWebFilter returns an error from handleAuthenticationFailure(...) method:

• the response content type is not set to "application/json";
• error_uri is missing closing quotes;
• the text for at least the description should be escaped for special characters.

To Reproduce
Call the oidc back channel logout endpoint without a logout token for example. The response is:

{
	"error_code": "invalid_request",
	"error_description": "An error occurred while attempting to decode the Jwt: Cannot invoke "String.indexOf(String)" because "s" is null",
	"error_uri: "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation"
}

Expected behavior
The expected response should look like this:

{
    "error_code": "invalid_request",
    "error_description": "An error occurred while attempting to decode the Jwt: Cannot invoke \"String.indexOf(String)\" because \"s\" is null",
    "error_uri": "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation"
}

[harpreets789]

Should the description field in the error response escape quotes for safe use in HTML (e.g., converting " to "), or should it simply escape strings as described in the issue (i.e., using basic string escaping for special characters)?

[harpreets789]

@sjohnr @jzheaux

Request for Clarification:

• Given that the error_description is part of a JSON response, should I escape the string for HTML use (using HtmlUtils), for JSON use (using StringEscapeUtils.escapeJson), or simply handle specific characters using basic string replacement (with String.replace())?

• Which approach would be most appropriate for this case considering both the context and the potential security concerns?