Extend IIdentityProvider with Logout and CreateForbiddenResponse #16

Merged
ReneSchwarzer merged 1 commit into develop from copilot/extend-identity-provider-interface
Apr 14, 2026
Contributor

Copilot AI commented Apr 14, 2026

Authenticated users who lack required permissions currently fall through to the login prompt or get no meaningful response. The identity system needs a dedicated forbidden-page mechanism and provider-level logout support.

Interface changes

  • IIdentityProvider.Logout(IRequest) — lets providers clear their own auth state (cookies, tokens, etc.) during logout
  • IIdentityProvider.CreateForbiddenResponse(IRequest, IEndpointContext, IIdentity) — returns a provider-specific forbidden page for authenticated-but-unauthorized users
  • IIdentityManager.CreateForbiddenResponse — same signature, delegates to registered providers

IdentityManager

  • CreateForbiddenResponse follows the existing first-provider-wins delegation pattern used by CreateAuthenticationPrompt
  • Logout now notifies all registered providers before clearing the session property

HttpServer authorization flow

The request pipeline now distinguishes between unauthenticated and unauthorized:

if (!_componentHub.IdentityManager.CheckAccess(identity, searchResult.EndpointContext))
{
    // authenticated but lacks permissions → forbidden page
    if (identity is not null)
    {
        var forbiddenResponse = _componentHub.IdentityManager.CreateForbiddenResponse(
            httpContext.Request, searchResult.EndpointContext, identity);
        if (forbiddenResponse is not null) { /* send and return */ }
    }

    // not authenticated → login prompt (existing behavior)
    var loginResponse = _componentHub.IdentityManager.CreateAuthenticationPrompt(...);
    if (loginResponse is not null) { /* send and return */ }
}

Test

  • MockIdentityProvider updated with no-op implementations of both new methods
  • All 936 existing tests pass

…ate HttpServer forbidden page flow

Agent-Logs-Url: https://github.com/webexpress-framework/WebExpress.WebCore/sessions/42eb3cb9-7106-40a7-a098-76c8b8ae1498

Co-authored-by: ReneSchwarzer <31061438+ReneSchwarzer@users.noreply.github.com>
ReneSchwarzer marked this pull request as ready for review April 14, 2026 19:10
ReneSchwarzer merged commit 33446b7 into develop Apr 14, 2026
1 check passed
ReneSchwarzer deleted the copilot/extend-identity-provider-interface branch April 14, 2026 19:12
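An added illustration of the flow described in this pull request, not code from the pull request or from WebExpress.WebCore: it models the unauthenticated/unauthorized split, the provider delegation, and logout notification, and shows which response each kind of caller receives. `Identity`, `Endpoint`, `IProvider`, `DemoProvider`, `Manager` and `Handle` are hypothetical stand-ins (the `IRequest` parameter is omitted); the permission-set `CheckAccess` and reading "first provider wins" as "first non-null response" are assumptions.

```csharp
#nullable disable
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed cases: a second provider that does / does not render a forbidden page.
var admin = new Endpoint("admin");
var alice = new Identity("alice", new HashSet<string> { "read" });   // authenticated, lacks "admin"
foreach (var hasPage in new[] { true, false })
{
    var providers = new List<DemoProvider> { new(), new() { HasForbiddenPage = hasPage } };
    var manager = new Manager(providers.Cast<IProvider>().ToList());
    Console.WriteLine($"forbidden page={hasPage}: anonymous -> {manager.Handle(admin, null)}, alice -> {manager.Handle(admin, alice)}");
    manager.Logout();
    Console.WriteLine($"  all providers cleared on logout: {providers.All(p => p.Cleared)}");
}

record Identity(string Name, HashSet<string> Permissions);
record Endpoint(string RequiredPermission);

interface IProvider   // hypothetical stand-in for IIdentityProvider
{
    string CreateAuthenticationPrompt(Endpoint e);            // null = provider declines
    string CreateForbiddenResponse(Endpoint e, Identity i);   // null = provider declines
    void Logout();
}
class DemoProvider : IProvider
{
    public bool HasForbiddenPage, Cleared;
    public string CreateAuthenticationPrompt(Endpoint e) => "login prompt";
    public string CreateForbiddenResponse(Endpoint e, Identity i) => HasForbiddenPage ? "forbidden page" : null;
    public void Logout() => Cleared = true;   // e.g. expire the provider's own cookie or token
}
class Manager
{
    private readonly List<IProvider> _providers;
    public Manager(List<IProvider> providers) => _providers = providers;
    public bool CheckAccess(Identity i, Endpoint e) => i is not null && i.Permissions.Contains(e.RequiredPermission);
    // Assumed meaning of "first provider wins": the first non-null response is used.
    public string CreateForbiddenResponse(Endpoint e, Identity i) =>
        _providers.Select(p => p.CreateForbiddenResponse(e, i)).FirstOrDefault(r => r is not null);
    public string CreateAuthenticationPrompt(Endpoint e) =>
        _providers.Select(p => p.CreateAuthenticationPrompt(e)).FirstOrDefault(r => r is not null);
    // Every provider is notified; clearing the session property afterwards is omitted here.
    public void Logout() => _providers.ForEach(p => p.Logout());
    public string Handle(Endpoint e, Identity i)
    {
        if (CheckAccess(i, e)) return "content";
        if (i is not null && CreateForbiddenResponse(e, i) is string forbidden) return forbidden;
        return CreateAuthenticationPrompt(e);   // unauthenticated, or no provider supplied a forbidden page
    }
}
```

In the second case no provider returns a forbidden page, so the authenticated caller reaches the login prompt branch, matching the fall-through in the snippet from the description.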