feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved

Currently ZITADEL supports RP-initiated logout for clients. Back-channel
logout ensures that user sessions are terminated across all connected
applications, even if the user closes their browser or loses
connectivity providing a more secure alternative for certain use cases.

# How the Problems Are Solved

If the feature is activated and the client used for the authentication
has a back_channel_logout_uri configured, a
`session_logout.back_channel` will be registered. Once a user terminates
their session, a (notification) handler will send a SET (form POST) to
the registered uri containing a logout_token (with the user's ID and
session ID).

- A new feature "back_channel_logout" is added on system and instance
level
- A `back_channel_logout_uri` can be managed on OIDC applications
- Added a `session_logout` aggregate to register and inform about sent
`back_channel` notifications
- Added a `SecurityEventToken` channel and `Form`message type in the
notification handlers
- Added `TriggeredAtOrigin` fields to `HumanSignedOut` and
`TerminateSession` events for notification handling
- Exported various functions and types in the `oidc` package to be able
to reuse for token signing in the back_channel notifier.
- To prevent that current existing session termination events will be
handled, a setup step is added to set the `current_states` for the
`projections.notifications_back_channel_logout` to the current position

- [x] requires https://github.com/zitadel/oidc/pull/671

# Additional Changes

- Updated all OTEL dependencies to v1.29.0, since OIDC already updated
some of them to that version.
- Single Session Termination feature is correctly checked (fixed feature
mapping)

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8467
- TODO:
  - Documentation
  - UI to be done: https://github.com/zitadel/zitadel/issues/8469

---------

Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>

internal/command/logout_session_model.go

@@ -0,0 +1,74 @@
+package command
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/sessionlogout"
+)
+
+type SessionLogoutWriteModel struct {
+	eventstore.WriteModel
+
+	UserID                string
+	OIDCSessionID         string
+	ClientID              string
+	BackChannelLogoutURI  string
+	BackChannelLogoutSent bool
+
+	aggregate *eventstore.Aggregate
+}
+
+func NewSessionLogoutWriteModel(id string, instanceID string, sessionID string) *SessionLogoutWriteModel {
+	return &SessionLogoutWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   id,
+			ResourceOwner: instanceID,
+			InstanceID:    instanceID,
+		},
+		aggregate:     &sessionlogout.NewAggregate(id, instanceID).Aggregate,
+		OIDCSessionID: sessionID,
+	}
+}
+
+func (wm *SessionLogoutWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *sessionlogout.BackChannelLogoutRegisteredEvent:
+			wm.reduceRegistered(e)
+		case *sessionlogout.BackChannelLogoutSentEvent:
+			wm.reduceSent(e)
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *SessionLogoutWriteModel) Query() *eventstore.SearchQueryBuilder {
+	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		AddQuery().
+		AggregateTypes(sessionlogout.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			sessionlogout.BackChannelLogoutRegisteredType,
+			sessionlogout.BackChannelLogoutSentType,
+		).
+		EventData(map[string]interface{}{
+			"oidc_session_id": wm.OIDCSessionID,
+		}).
+		Builder()
+	return query
+}
+
+func (wm *SessionLogoutWriteModel) reduceRegistered(e *sessionlogout.BackChannelLogoutRegisteredEvent) {
+	if wm.OIDCSessionID != e.OIDCSessionID {
+		return
+	}
+	wm.UserID = e.UserID
+	wm.ClientID = e.ClientID
+	wm.BackChannelLogoutURI = e.BackChannelLogoutURI
+}
+
+func (wm *SessionLogoutWriteModel) reduceSent(e *sessionlogout.BackChannelLogoutSentEvent) {
+	if wm.OIDCSessionID != e.OIDCSessionID {
+		return
+	}
+	wm.BackChannelLogoutSent = true
+}