feat(jans-auth-server): add client_id parameter support to /end_session

[yuriyz]

Describe the issue

Add client_id parameter support to /end_session

Support: 11416
oxauth ticket GluuFederation/oxAuth#1862

Motivation

Corner case is when session is expired and grant object is expired (or revoked) and AS is not able to identify client.

Obviously if AS can't identify client (due to missed session and id_token_hint) it falls back to global validation via clientWhiteList and allowPostLogoutRedirectWithoutValidation=true.

If we want to avoid global clientWhiteList question is still the same, how AS should figure out client if session and id_token_hint is not there ?

One possible solution is to pass client_id explicitly, so AS will do following:

1. get client from session
2. if no session -> get client from id_token_hint
3. if grant object for id_token_hint is not there -> take client by client_id.
4. client_id parameter is just an idea, it's not supported however it can be implemented.

[nynymike]

Without the client_id, the problem is that we don't know where to redirect the browser after end_session?

[yuriyz]

@nynymike we know where to redirect because usually post_logout_redirect_uri parameter is send in request. But we can't redirect without validation (otherwise it's open redirector). We have clientWhiteList global configuration parameter which can be always used for validation. Complain is that it's not on client level. And we can't identify client if session and id_token_hint are expired. With explicit client_id we will be able to do it.

[nynymike]

Ok, let's go ahead with it. Although the client_id is not a secret, we're still enforcing re-registered redirect_uris.