From e296c173ccb72daa89632c77451979f7a2352f82 Mon Sep 17 00:00:00 2001
From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Date: Fri, 26 Apr 2024 08:32:42 +0200
Subject: [PATCH] V14: add authorized logout callback path (#16152)
* add option to SecuritySettings.cs to allow the developer to set an authorized logout callback path in line with the login callback path
* allow clients using the "Umbraco back-office access" descriptor to return back to either the login path or the logout path
---
 .../Security/BackOfficeApplicationManager.cs | 8 +++++---
 .../Configuration/Models/SecuritySettings.cs | 12 +++++++++++-
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/Umbraco.Cms.Api.Management/Security/BackOfficeApplicationManager.cs b/src/Umbraco.Cms.Api.Management/Security/BackOfficeApplicationManager.cs
index 2bdc791d34..455d70fcba 100644
--- a/src/Umbraco.Cms.Api.Management/Security/BackOfficeApplicationManager.cs
+++ b/src/Umbraco.Cms.Api.Management/Security/BackOfficeApplicationManager.cs
@@ -16,6 +16,7 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
 private readonly IRuntimeState _runtimeState;
 private readonly Uri? _backOfficeHost;
 private readonly string _authorizeCallbackPathName;
+ private readonly string _authorizeCallbackLogoutPathName;
 public BackOfficeApplicationManager(
 IOpenIddictApplicationManager applicationManager,
@@ -28,6 +29,7 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
 _runtimeState = runtimeState;
 _backOfficeHost = securitySettings.Value.BackOfficeHost;
 _authorizeCallbackPathName = securitySettings.Value.AuthorizeCallbackPathName;
+ _authorizeCallbackLogoutPathName = securitySettings.Value.AuthorizeCallbackLogoutPathName;
 }
 public async Task EnsureBackOfficeApplicationAsync(Uri backOfficeUrl, CancellationToken cancellationToken = default)
@@ -112,7 +114,7 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
 PostLogoutRedirectUris =
 {
 CallbackUrl(_authorizeCallbackPathName),
- CallbackUrl($"{_authorizeCallbackPathName.EnsureEndsWith("/")}logout")
+ CallbackUrl(_authorizeCallbackLogoutPathName),
 },
 Permissions =
 {
@@ -122,8 +124,8 @@ public class BackOfficeApplicationManager : OpenIdDictApplicationManagerBase, IB
 OpenIddictConstants.Permissions.Endpoints.Revocation,
 OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
 OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
- OpenIddictConstants.Permissions.ResponseTypes.Code
- }
+ OpenIddictConstants.Permissions.ResponseTypes.Code,
+ },
 };
 }
diff --git a/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs b/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs
index 80a9b38d4f..118481b338 100644
--- a/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs
+++ b/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs
@@ -26,6 +26,7 @@ public class SecuritySettings
 internal const int StaticMemberDefaultLockoutTimeInMinutes = 30 * 24 * 60;
 internal const int StaticUserDefaultLockoutTimeInMinutes = 30 * 24 * 60;
 internal const string StaticAuthorizeCallbackPathName = "/umbraco";
+ internal const string StaticAuthorizeCallbackLogoutPathName = "/umbraco/logout";
 internal const string StaticAuthorizeCallbackErrorPathName = "/umbraco/error";
 ///
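Review bot: The registered logout redirect no longer follows a customised `AuthorizeCallbackPathName`: in the `PostLogoutRedirectUris` initializer of BackOfficeApplicationManager.cs the second entry used to be derived as `<callback path>/logout` and now comes from a separate setting whose default is the fixed `/umbraco/logout`. A site that moved the callback path and upgrades without setting the new option would get `/umbraco/logout` on the post-logout allow-list instead of its own path, so its logout redirect presumably stops matching the registered URI. Either call this out as a breaking change in the upgrade notes or leave a comment at the entry, e.g. `// Independent of AuthorizeCallbackPathName: set both when the back-office path is customised.` The enclosing method starts and ends outside the hunk.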
@@ -113,11 +114,20 @@ public class SecuritySettings
 public Uri? BackOfficeHost { get; set; }
 ///
- /// The path to use for authorization callback. Will be appended to the BackOfficeHost.
+ /// Gets or sets the path to use for authorization callback. Will be appended to the BackOfficeHost.
 ///
 [DefaultValue(StaticAuthorizeCallbackPathName)]
 public string AuthorizeCallbackPathName { get; set; } = StaticAuthorizeCallbackPathName;
+ ///
+ /// Gets or sets the path to use for authorization callback logout. Will be appended to the BackOfficeHost.
+ ///
+ [DefaultValue(StaticAuthorizeCallbackLogoutPathName)]
+ public string AuthorizeCallbackLogoutPathName { get; set; } = StaticAuthorizeCallbackLogoutPathName;
+
+ ///
+ /// Gets or sets the path to use for authorization callback error. Will be appended to the BackOfficeHost.
+ ///
 [DefaultValue(StaticAuthorizeCallbackErrorPathName)]
 public string AuthorizeCallbackErrorPathName { get; set; } = StaticAuthorizeCallbackErrorPathName;
 }
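Review bot: The new `AuthorizeCallbackLogoutPathName` summary does not say that the value ends up on the back-office client's post-logout redirect allow-list, nor what form is accepted. It is read straight from configuration and passed to `CallbackUrl(...)` with no visible check, and how an empty string or an absolute URL is handled there is not shown in this patch. I would document the contract, e.g. `/// Gets or sets the host-relative path (starting with "/") registered as the permitted post-logout redirect; appended to the BackOfficeHost.`, and reject values that are empty or do not start with `/` when the settings are loaded. The class declaration begins outside the hunk.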