feat(server): added backchannel logout api endpoint (#26235)

* feat(server): added backchannel logout api endpoint

* test(server): fixed e2e tests

* fix(server): fixed suggested changes by reviewer

* feat(server): created function invalidateOAuth

* fix(server): fixed session.repository.sql

* test(server): added unit tests for backchannelLogout function

* test(server): added e2e tests for oidc backchnnel logout

* docs(server): added documentation on backchannel logout url

* docs(server): fixed typo

* feat(server): minor improvements of the oidc backchannel logout

* test(server): fixed tests after merge with main

* fix(server): fixed e2e test file

* refactor(server): tiny refactor of validateLogoutToken

* chore: cleanup

* fix: tests

* fix: make jwks extractable

---------

Co-authored-by: Daniel Dietzler <mail@ddietzler.dev>

mobile/openapi/README.md

@@ -126,6 +126,7 @@ Class | Method | HTTP request | Description
 *AuthenticationApi* | [**lockAuthSession**](doc//AuthenticationApi.md#lockauthsession) | **POST** /auth/session/lock | Lock auth session
 *AuthenticationApi* | [**login**](doc//AuthenticationApi.md#login) | **POST** /auth/login | Login
 *AuthenticationApi* | [**logout**](doc//AuthenticationApi.md#logout) | **POST** /auth/logout | Logout
+*AuthenticationApi* | [**logoutOAuth**](doc//AuthenticationApi.md#logoutoauth) | **POST** /oauth/backchannel-logout | Backchannel OAuth logout
 *AuthenticationApi* | [**redirectOAuthToMobile**](doc//AuthenticationApi.md#redirectoauthtomobile) | **GET** /oauth/mobile-redirect | Redirect OAuth to mobile
 *AuthenticationApi* | [**resetPinCode**](doc//AuthenticationApi.md#resetpincode) | **DELETE** /auth/pin-code | Reset pin code
 *AuthenticationApi* | [**setupPinCode**](doc//AuthenticationApi.md#setuppincode) | **POST** /auth/pin-code | Setup pin code

mobile/openapi/lib/api/authentication_api.dart

@@ -424,6 +424,59 @@ class AuthenticationApi {
     return null;
   }
 
+  /// Backchannel OAuth logout
+  ///
+  /// Logout the OAuth account and invalidate the session specified by the sid claim or all sessions if the sid claim is not present.
+  ///
+  /// Note: This method returns the HTTP [Response].
+  ///
+  /// Parameters:
+  ///
+  /// * [String] logoutToken (required):
+  ///   OAuth logout token
+  Future<Response> logoutOAuthWithHttpInfo(String logoutToken,) async {
+    // ignore: prefer_const_declarations
+    final apiPath = r'/oauth/backchannel-logout';
+
+    // ignore: prefer_final_locals
+    Object? postBody;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>['application/x-www-form-urlencoded'];
+
+    if (logoutToken != null) {
+      formParams[r'logout_token'] = parameterToString(logoutToken);
+    }
+
+    return apiClient.invokeAPI(
+      apiPath,
+      'POST',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Backchannel OAuth logout
+  ///
+  /// Logout the OAuth account and invalidate the session specified by the sid claim or all sessions if the sid claim is not present.
+  ///
+  /// Parameters:
+  ///
+  /// * [String] logoutToken (required):
+  ///   OAuth logout token
+  Future<void> logoutOAuth(String logoutToken,) async {
+    final response = await logoutOAuthWithHttpInfo(logoutToken,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+  }
+
   /// Redirect OAuth to mobile
   ///
   /// Requests to this URL are automatically forwarded to the mobile app, and is used in some cases for OAuth redirecting.