feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved

Currently ZITADEL supports RP-initiated logout for clients. Back-channel
logout ensures that user sessions are terminated across all connected
applications, even if the user closes their browser or loses
connectivity providing a more secure alternative for certain use cases.

# How the Problems Are Solved

If the feature is activated and the client used for the authentication
has a back_channel_logout_uri configured, a
`session_logout.back_channel` will be registered. Once a user terminates
their session, a (notification) handler will send a SET (form POST) to
the registered uri containing a logout_token (with the user's ID and
session ID).

- A new feature "back_channel_logout" is added on system and instance
level
- A `back_channel_logout_uri` can be managed on OIDC applications
- Added a `session_logout` aggregate to register and inform about sent
`back_channel` notifications
- Added a `SecurityEventToken` channel and `Form`message type in the
notification handlers
- Added `TriggeredAtOrigin` fields to `HumanSignedOut` and
`TerminateSession` events for notification handling
- Exported various functions and types in the `oidc` package to be able
to reuse for token signing in the back_channel notifier.
- To prevent that current existing session termination events will be
handled, a setup step is added to set the `current_states` for the
`projections.notifications_back_channel_logout` to the current position

- [x] requires https://github.com/zitadel/oidc/pull/671

# Additional Changes

- Updated all OTEL dependencies to v1.29.0, since OIDC already updated
some of them to that version.
- Single Session Termination feature is correctly checked (fixed feature
mapping)

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8467
- TODO:
  - Documentation
  - UI to be done: https://github.com/zitadel/zitadel/issues/8469

---------

Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>

internal/notification/types/notification.go

@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/i18n"
 	"github.com/zitadel/zitadel/internal/notification/channels/email"
+	"github.com/zitadel/zitadel/internal/notification/channels/set"
 	"github.com/zitadel/zitadel/internal/notification/channels/sms"
 	"github.com/zitadel/zitadel/internal/notification/channels/webhook"
 	"github.com/zitadel/zitadel/internal/notification/senders"
@@ -26,6 +27,7 @@ type ChannelChains interface {
 	Email(context.Context) (*senders.Chain, *email.Config, error)
 	SMS(context.Context) (*senders.Chain, *sms.Config, error)
 	Webhook(context.Context, webhook.Config) (*senders.Chain, error)
+	SecurityTokenEvent(context.Context, set.Config) (*senders.Chain, error)
 }
 
 func SendEmail(
@@ -127,3 +129,21 @@ func SendJSON(
 		)
 	}
 }
+
+func SendSecurityTokenEvent(
+	ctx context.Context,
+	setConfig set.Config,
+	channels ChannelChains,
+	token any,
+	triggeringEvent eventstore.Event,
+) Notify {
+	return func(_ string, _ map[string]interface{}, _ string, _ bool) error {
+		return handleSecurityTokenEvent(
+			ctx,
+			setConfig,
+			channels,
+			token,
+			triggeringEvent,
+		)
+	}
+}

internal/notification/types/security_token_event.go

@@ -0,0 +1,27 @@
+package types
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/channels/set"
+	"github.com/zitadel/zitadel/internal/notification/messages"
+)
+
+func handleSecurityTokenEvent(
+	ctx context.Context,
+	setConfig set.Config,
+	channels ChannelChains,
+	token any,
+	triggeringEvent eventstore.Event,
+) error {
+	message := &messages.Form{
+		Serializable:    token,
+		TriggeringEvent: triggeringEvent,
+	}
+	setChannels, err := channels.SecurityTokenEvent(ctx, setConfig)
+	if err != nil {
+		return err
+	}
+	return setChannels.HandleMessage(message)
+}