feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved

Currently ZITADEL supports RP-initiated logout for clients. Back-channel
logout ensures that user sessions are terminated across all connected
applications, even if the user closes their browser or loses
connectivity providing a more secure alternative for certain use cases.

# How the Problems Are Solved

If the feature is activated and the client used for the authentication
has a back_channel_logout_uri configured, a
`session_logout.back_channel` will be registered. Once a user terminates
their session, a (notification) handler will send a SET (form POST) to
the registered uri containing a logout_token (with the user's ID and
session ID).

- A new feature "back_channel_logout" is added on system and instance
level
- A `back_channel_logout_uri` can be managed on OIDC applications
- Added a `session_logout` aggregate to register and inform about sent
`back_channel` notifications
- Added a `SecurityEventToken` channel and `Form`message type in the
notification handlers
- Added `TriggeredAtOrigin` fields to `HumanSignedOut` and
`TerminateSession` events for notification handling
- Exported various functions and types in the `oidc` package to be able
to reuse for token signing in the back_channel notifier.
- To prevent that current existing session termination events will be
handled, a setup step is added to set the `current_states` for the
`projections.notifications_back_channel_logout` to the current position

- [x] requires https://github.com/zitadel/oidc/pull/671

# Additional Changes

- Updated all OTEL dependencies to v1.29.0, since OIDC already updated
some of them to that version.
- Single Session Termination feature is correctly checked (fixed feature
mapping)

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8467
- TODO:
  - Documentation
  - UI to be done: https://github.com/zitadel/zitadel/issues/8469

---------

Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>

internal/command/project_application_oidc_test.go

@@ -175,6 +175,7 @@ func TestAddOIDCApp(t *testing.T) {
 						0,
 						[]string{"https://sub.test.ch"},
 						false,
+						"",
 					),
 				},
 			},
@@ -240,6 +241,7 @@ func TestAddOIDCApp(t *testing.T) {
 						0,
 						nil,
 						false,
+						"",
 					),
 				},
 			},
@@ -305,6 +307,7 @@ func TestAddOIDCApp(t *testing.T) {
 						0,
 						nil,
 						false,
+						"",
 					),
 				},
 			},
@@ -370,6 +373,7 @@ func TestAddOIDCApp(t *testing.T) {
 						0,
 						nil,
 						false,
+						"",
 					),
 				},
 			},
@@ -516,6 +520,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 							time.Second*1,
 							[]string{"https://sub.test.ch"},
 							true,
+							"https://test.ch/backchannel",
 						),
 					),
 				),
@@ -543,6 +548,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{" https://sub.test.ch "},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     " https://test.ch/backchannel ",
 				},
 				resourceOwner: "org1",
 			},
@@ -571,6 +577,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     "https://test.ch/backchannel",
 					State:                    domain.AppStateActive,
 					Compliance:               &domain.Compliance{},
 				},
@@ -614,6 +621,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 							time.Second*1,
 							[]string{"https://sub.test.ch"},
 							true,
+							"https://test.ch/backchannel",
 						),
 					),
 				),
@@ -641,6 +649,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     "https://test.ch/backchannel",
 				},
 				resourceOwner: "org1",
 			},
@@ -669,6 +678,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     "https://test.ch/backchannel",
 					State:                    domain.AppStateActive,
 					Compliance:               &domain.Compliance{},
 				},
@@ -847,6 +857,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 								time.Second*1,
 								[]string{"https://sub.test.ch"},
 								true,
+								"https://test.ch/backchannel",
 							),
 						),
 					),
@@ -875,6 +886,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     "https://test.ch/backchannel",
 				},
 				resourceOwner: "org1",
 			},
@@ -916,6 +928,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 								time.Second*1,
 								[]string{"https://sub.test.ch"},
 								true,
+								"https://test.ch/backchannel",
 							),
 						),
 					),
@@ -944,6 +957,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{" https://sub.test.ch "},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     " https://test.ch/backchannel ",
 				},
 				resourceOwner: "org1",
 			},
@@ -985,6 +999,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 								time.Second*1,
 								[]string{"https://sub.test.ch"},
 								true,
+								"https://test.ch/backchannel",
 							),
 						),
 					),
@@ -1019,6 +1034,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 2,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     "https://test.ch/backchannel",
 				},
 				resourceOwner: "org1",
 			},
@@ -1046,6 +1062,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 					ClockSkew:                time.Second * 2,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: true,
+					BackChannelLogoutURI:     "https://test.ch/backchannel",
 					Compliance:               &domain.Compliance{},
 					State:                    domain.AppStateActive,
 				},
@@ -1170,6 +1187,7 @@ func TestCommandSide_ChangeOIDCApplicationSecret(t *testing.T) {
 								time.Second*1,
 								[]string{"https://sub.test.ch"},
 								false,
+								"",
 							),
 						),
 					),
@@ -1213,6 +1231,7 @@ func TestCommandSide_ChangeOIDCApplicationSecret(t *testing.T) {
 					ClockSkew:                time.Second * 1,
 					AdditionalOrigins:        []string{"https://sub.test.ch"},
 					SkipNativeAppSuccessPage: false,
+					BackChannelLogoutURI:     "",
 					State:                    domain.AppStateActive,
 				},
 			},
@@ -1327,6 +1346,7 @@ func TestCommands_VerifyOIDCClientSecret(t *testing.T) {
 							time.Second*1,
 							[]string{"https://sub.test.ch"},
 							false,
+							"",
 						),
 					),
 				),
@@ -1362,6 +1382,7 @@ func TestCommands_VerifyOIDCClientSecret(t *testing.T) {
 							time.Second*1,
 							[]string{"https://sub.test.ch"},
 							false,
+							"",
 						),
 					),
 				),
@@ -1396,6 +1417,7 @@ func TestCommands_VerifyOIDCClientSecret(t *testing.T) {
 							time.Second*1,
 							[]string{"https://sub.test.ch"},
 							false,
+							"",
 						),
 					),
 				),