This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Support back-channel logouts from OIDC providers #11326

Closed
sandhose opened this issue Nov 12, 2021 · 1 comment · Fixed by #11414
Labels
T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

sandhose (Member) opened this issue Nov 12, 2021

Description:

Right now, if a user logs out from their identity provider, they do not get logged out from their session in Synapse.
OIDC has two mechanisms to achieve that:

  • front-channel logouts, as defined here, which work by having the IdP display to the user an invisible iframe of the relying party; hence the name "front-channel": the communication between the IdP and Synapse would happen in the user's browser
  • back-channel logouts, as defined here, which work by sending a request from the IdP to the relying party; hence the name "back-channel": the communication between the IdP and Synapse would happen from server to server

Since we can do server-to-server requests between the IdP and Synapse, we should probably implement back-channel logouts.

When a logout happens, Synapse would get a JWT sent to an endpoint (e.g. /_synapse/client/oidc/backchannel-logout) signed by the IdP (we already have the keys discovered because we verify ID tokens signatures) with either the user ID (sub) or the session ID (sid).
Ideally, we would log out using the session ID, since otherwise we would not be able to distinguish which session to log out. It also involves saving that session ID when the login happens.

Things to do to make that happen:

  • the IdP indicates back-channel logout support via the backchannel_logout_supported metadata
  • Synapse indicates support for back-channel logout by filling the appropriate fields in the IdP (Keycloak has a Backchannel Logout URL field)
  • when logging in, we need to get the session ID from the ID token (should be the sid claim). We should probably attach the session ID to the device to avoid having to carry that whenever we refresh the token
  • when a request goes to /_synapse/client/oidc/backchannel-logout, Synapse should:
    • decode the JWT
    • get the issuer (iss claim) to find out what provider sent the request
    • validate the JWT signature with the keys we have for that provider
    • check a few claims in the JWT:
      • aud (audience) must match the client_id used by Synapse
      • iat (issued at) must not be in the future, nor too far in the past
      • events must be { "http://schemas.openid.net/event/backchannel-logout": {} }
      • jti (JWT token ID) should be saved to prevent token replay. We might skip that for performance reasons
    • get the session ID from the sid claim
    • find the device associated with this session ID in the DB, and log out that device

See PSE-127
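The validation steps listed in the issue, as an added stand-alone example (not Synapse's code, nor the implementation from the linked PR). It assumes a constructed provider table keyed by issuer, a constructed `devices_by_sid` map standing in for the DB lookup, and HS256 with a shared secret in place of the RS256/JWKS verification a real IdP would use, so that it runs with the standard library only. The order matters for safety: the issuer is read first only to select the key, the signature is verified before any other claim is trusted, and the `jti` is recorded only after every check passes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration (assumption): one provider known to the relying
# party, keyed by issuer URL. Real providers sign with RS256/ES256 keys from
# their JWKS; HS256 with a shared secret stands in here so this runs offline.
PROVIDERS = {
    "https://idp.example.test": {
        "client_id": "synapse-client-id",
        "key": b"constructed-shared-secret-not-a-real-key",
    },
}

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE = 300  # seconds: reject an iat too far in the past
CLOCK_SKEW = 60      # seconds of tolerance for an iat slightly in the future


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_logout_token(issuer: str, claims: dict) -> str:
    """Build an HS256 logout token the way the constructed IdP would (test helper)."""
    key = PROVIDERS[issuer]["key"]
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token: str, seen_jtis: set, now=None):
    """Return (issuer, sid) for a valid logout token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as e:
        raise ValueError("malformed JWT") from e

    # iss only selects which provider's key to use; nothing else is trusted yet.
    provider = PROVIDERS.get(claims.get("iss"))
    if provider is None:
        raise ValueError("unknown issuer")

    # Verify the signature (and pin the algorithm) before trusting any claim.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(provider["key"], f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # aud must contain the client_id this relying party registered with the IdP.
    aud = claims.get("aud")
    if provider["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")

    # iat must be neither in the future nor too far in the past.
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or isinstance(iat, bool):
        raise ValueError("missing iat")
    if iat > now + CLOCK_SKEW:
        raise ValueError("iat in the future")
    if iat < now - MAX_TOKEN_AGE:
        raise ValueError("token too old")

    # events must carry the back-channel logout event member.
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("not a back-channel logout event")

    # jti is remembered to reject replays; sid identifies the session to end.
    jti, sid = claims.get("jti"), claims.get("sid")
    if not jti:
        raise ValueError("missing jti")
    if jti in seen_jtis:
        raise ValueError("replayed token")
    if not sid:
        raise ValueError("missing sid")

    seen_jtis.add(jti)  # only after every check has passed
    return claims["iss"], sid


def validation_error(token: str, seen_jtis: set, now=None):
    """Return the rejection reason for a token, or None when it validates."""
    try:
        validate_logout_token(token, seen_jtis, now)
        return None
    except ValueError as e:
        return str(e)


def handle_backchannel_logout(token: str, devices_by_sid: dict, seen_jtis: set, now=None) -> str:
    """Validate the token, then remove and return the device bound to (issuer, sid)."""
    issuer, sid = validate_logout_token(token, seen_jtis, now)
    device = devices_by_sid.pop((issuer, sid), None)
    if device is None:
        raise KeyError("no device bound to this session")
    return device
```

The `(issuer, sid)` key on the device map mirrors the issue's suggestion to attach the session ID to the device at login time: `sid` values are only unique per issuer, so a lookup by `sid` alone could log out the wrong device when more than one provider is configured.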

clokep (Member) commented Nov 12, 2021

See also #5762, #4158.
