V14: add authorized logout callback path (#16152)

* add option to SecuritySettings.cs to allow the developer to set an authorized logout callback path in line with the login callback path

* allow clients using the "Umbraco back-office access" descriptor to return to either the login path or the logout path
Jacob Overgaard
2024-04-26 08:32:42 +02:00
committed by GitHub
parent fcbfecd28e
commit e296c173cc
2 changed files with 16 additions and 4 deletions


@@ -16,6 +16,7 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
private readonly IRuntimeState _runtimeState;
private readonly Uri? _backOfficeHost;
private readonly string _authorizeCallbackPathName;
private readonly string _authorizeCallbackLogoutPathName;
public BackOfficeApplicationManager(
IOpenIddictApplicationManager applicationManager,
@@ -28,6 +29,7 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
_runtimeState = runtimeState;
_backOfficeHost = securitySettings.Value.BackOfficeHost;
_authorizeCallbackPathName = securitySettings.Value.AuthorizeCallbackPathName;
_authorizeCallbackLogoutPathName = securitySettings.Value.AuthorizeCallbackLogoutPathName;
}
public async Task EnsureBackOfficeApplicationAsync(Uri backOfficeUrl, CancellationToken cancellationToken = default)
@@ -112,7 +114,7 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
PostLogoutRedirectUris =
{
CallbackUrl(_authorizeCallbackPathName),
CallbackUrl($"{_authorizeCallbackPathName.EnsureEndsWith("/")}logout")
CallbackUrl(_authorizeCallbackLogoutPathName),
},
Permissions =
{
@@ -122,8 +124,8 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
OpenIddictConstants.Permissions.Endpoints.Revocation,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.ResponseTypes.Code
}
OpenIddictConstants.Permissions.ResponseTypes.Code,
},
};
}
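Review bot: The logout entry in `PostLogoutRedirectUris` is no longer derived from `_authorizeCallbackPathName`, so a site that customised `AuthorizeCallbackPathName` but not the new setting now registers the default `/umbraco/logout` instead of `<callback path>/logout`. A client still sending the old post-logout redirect would presumably be rejected, which deserves an upgrade note or a fallback while the new setting is at its default. The value also flows from configuration into `CallbackUrl` with no check in the constructor. `CallbackUrl` is outside the visible lines, so confirm it cannot turn an absolute or protocol-relative value into an off-host redirect URI, or reject anything that is not a rooted path before registering it. Both the constructor and the descriptor builder continue outside the hunks shown.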


@@ -26,6 +26,7 @@ public class SecuritySettings
internal const int StaticMemberDefaultLockoutTimeInMinutes = 30 * 24 * 60;
internal const int StaticUserDefaultLockoutTimeInMinutes = 30 * 24 * 60;
internal const string StaticAuthorizeCallbackPathName = "/umbraco";
internal const string StaticAuthorizeCallbackLogoutPathName = "/umbraco/logout";
internal const string StaticAuthorizeCallbackErrorPathName = "/umbraco/error";
/// <summary>
@@ -113,11 +114,20 @@ public class SecuritySettings
public Uri? BackOfficeHost { get; set; }
/// <summary>
/// The path to use for authorization callback. Will be appended to the BackOfficeHost.
/// Gets or sets the path to use for authorization callback. Will be appended to the BackOfficeHost.
/// </summary>
[DefaultValue(StaticAuthorizeCallbackPathName)]
public string AuthorizeCallbackPathName { get; set; } = StaticAuthorizeCallbackPathName;
/// <summary>
/// Gets or sets the path to use for authorization callback logout. Will be appended to the BackOfficeHost.
/// </summary>
[DefaultValue(StaticAuthorizeCallbackLogoutPathName)]
public string AuthorizeCallbackLogoutPathName { get; set; } = StaticAuthorizeCallbackLogoutPathName;
/// <summary>
/// Gets or sets the path to use for authorization callback error. Will be appended to the BackOfficeHost.
/// </summary>
[DefaultValue(StaticAuthorizeCallbackErrorPathName)]
public string AuthorizeCallbackErrorPathName { get; set; } = StaticAuthorizeCallbackErrorPathName;
}
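Review bot: The summary on `AuthorizeCallbackLogoutPathName` does not say what the value is used for or what form it must take. It ends up in the back-office client's allowed post-logout redirect list, so I would say so, e.g. `/// Gets or sets the path the back-office client may be redirected to after logout. Must be a rooted path such as "/umbraco/logout"; it is appended to the BackOfficeHost.` It would also help to state that the value is independent of `AuthorizeCallbackPathName`, so changing one does not move the other.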