From b34461f64e08a498914024c121420d1eff2ffb1f Mon Sep 17 00:00:00 2001
From: Codex
Date: Mon, 4 May 2026 22:36:27 +0300
Subject: [PATCH] =?UTF-8?q?=D0=A4=D0=A3=D0=9D=D0=9A=D0=A6=D0=98=D0=98=20-?= =?UTF-8?q?=20NODEDC=20AUTH:=20register=20logout=20redirect=20uri?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 infra/.env.example | 1 +
 infra/authentik/bootstrap-dev.py | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/infra/.env.example b/infra/.env.example
index b38a00f..264e16b 100644
--- a/infra/.env.example
+++ b/infra/.env.example
@@ -32,6 +32,7 @@ LAUNCHER_OIDC_ISSUER=http://auth.local.nodedc/application/o/launcher/
 LAUNCHER_OIDC_CLIENT_ID=nodedc-launcher
 LAUNCHER_OIDC_CLIENT_SECRET=change-me-generate-with-bootstrap-authentik-dev
 LAUNCHER_OIDC_REDIRECT_URI=http://launcher.local.nodedc/auth/callback
+LAUNCHER_OIDC_LOGGED_OUT_REDIRECT_URI=http://launcher.local.nodedc/auth/logged-out
 # plane oidc
 PLANE_OIDC_ISSUER=http://auth.local.nodedc/application/o/task-manager/
diff --git a/infra/authentik/bootstrap-dev.py b/infra/authentik/bootstrap-dev.py
index f6cdd0b..2c76a6a 100644
--- a/infra/authentik/bootstrap-dev.py
+++ b/infra/authentik/bootstrap-dev.py
@@ -39,6 +39,8 @@ APP_SPECS = [
 "client_id_env": "LAUNCHER_OIDC_CLIENT_ID",
 "client_secret_env": "LAUNCHER_OIDC_CLIENT_SECRET",
 "redirect_uri_env": "LAUNCHER_OIDC_REDIRECT_URI",
+ "logged_out_redirect_uri_env": "LAUNCHER_OIDC_LOGGED_OUT_REDIRECT_URI",
+ "default_logged_out_redirect_uri": "http://launcher.local.nodedc/auth/logged-out",
 "launch_url": "http://launcher.local.nodedc",
 "logout_uri": "http://launcher.local.nodedc/logout",
 "groups": ["nodedc:superadmin", "nodedc:launcher:admin", "nodedc:launcher:user"],
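Review bot: The `default_logged_out_redirect_uri` added to the launcher spec in `APP_SPECS` gives the new redirect entry a silent fallback, whereas the callback URI beside it is read with `required_env` and appears to have none. If the script runs with `LAUNCHER_OIDC_REDIRECT_URI` pointing at another host and `LAUNCHER_OIDC_LOGGED_OUT_REDIRECT_URI` left unset, the provider would still allowlist `http://launcher.local.nodedc/auth/logged-out`, a plain-http URL on a host that environment may not serve. Consider dropping the default so the URI is registered only when explicitly configured. Otherwise mark it in place with a comment such as `# dev-only fallback; keep in sync with LAUNCHER_OIDC_LOGGED_OUT_REDIRECT_URI in .env.example`. The `APP_SPECS` list starts and ends outside the hunk.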
@@ -66,6 +68,10 @@ def required_env(name):
 return value
+def optional_env(name, default=""):
+ return environ.get(name, default).strip()
+
+
 def ensure_group(name, is_superuser=False):
 group, _ = Group.objects.get_or_create(name=name)
 group.is_superuser = is_superuser
@@ -241,8 +247,18 @@ def ensure_provider(spec, mappings):
 provider.client_type = ClientTypes.CONFIDENTIAL
 provider.client_id = required_env(spec["client_id_env"])
 provider.client_secret = required_env(spec["client_secret_env"])
+ redirect_uri_values = [required_env(spec["redirect_uri_env"])]
+ logged_out_redirect_uri = optional_env(
+ spec.get("logged_out_redirect_uri_env", ""),
+ spec.get("default_logged_out_redirect_uri", ""),
+ )
+
+ if logged_out_redirect_uri:
+ redirect_uri_values.append(logged_out_redirect_uri)
+
 provider.redirect_uris = [
- RedirectURI(RedirectURIMatchingMode.STRICT, required_env(spec["redirect_uri_env"]))
+ RedirectURI(RedirectURIMatchingMode.STRICT, redirect_uri)
+ for redirect_uri in dict.fromkeys(redirect_uri_values)
 ]
 provider.logout_uri = spec["logout_uri"]
 provider.logout_method = OAuth2LogoutMethod.FRONTCHANNEL
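Review bot: `optional_env` returns an empty string when the variable is set but empty, because `environ.get(name, default)` falls back only when the key is absent; a line like `LAUNCHER_OIDC_LOGGED_OUT_REDIRECT_URI=` in `.env` therefore skips the default without any message. If that is the intended off-switch, state it in a docstring, e.g. `"""Return the stripped value of env var *name*, or *default* when unset; a set-but-empty variable yields ''."""`. If it is not intended, use `return (environ.get(name) or default).strip()`. The caller in `ensure_provider` also passes `""` as the name for specs without `logged_out_redirect_uri_env`, so an early `if not name: return default.strip()` would avoid looking up an empty variable name.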
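Review bot: In `ensure_provider` the logged-out URL is appended to `provider.redirect_uris`, the same strict allowlist that holds the authorization callback, so it would presumably be accepted as an authorization `redirect_uri` as well as a post-logout target. Add a comment where `redirect_uri_values` is built, e.g. `# also allowlisted for the post-logout page; that route must ignore and never log code/state query parameters`, and confirm the launcher's `/auth/logged-out` handler behaves that way. The environment-supplied value is also registered without any scheme or host check. A guard such as `if urlparse(logged_out_redirect_uri).scheme not in ("http", "https"): raise SystemExit(...)` before the append would catch a malformed entry early; it needs `urllib.parse`, and the file's imports are outside the hunk. `ensure_provider` starts and ends outside the hunk.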