feat: revoke consent by session id. trigger back channel logout.

[aarmam]

This pull request introduces feature to revoke consent by session id and option to trigger back channel logout.

Use case:

1. User logs in from device/browser 1 to client application A. Hydra has created login session 1 (remember=true) and authenticated user.
2. User logs in from device/browser 1 to client application B by accepting consent.
3. User performs steps 1, 2 in device/browser 2. Hydra has created login session 2 for the same user.
4. User initiates log out from client application A using device/browser 1.
5. Logout provider displays UI page with message "You have been logged out from Application A. You have active sessions in following applications: Application B" and options 5.1) "Logout from all sessions", 5.2) "Resume active sessions"
6. User selects 5.2 "Resume active sessions"
   6.1 Logout provider performs PUT /oauth2/auth/requests/logout/reject so that user would remain logged in to Application B
   6.2 Logout provider performs DELETE /oauth2/auth/sessions/consent?subject=user1&client=applicationA&login_session_id=session1&trigger_backchannel_logout=true so that user would be logged out from application A (just in case application A did not terminate it's session locally before redirecting to Hydra logout endpoint)

Current situation: application A consent from session 1 and session 2 is revoked; backchannel logout is not triggered.

Proposed solution: application A consent only from session 1 is revoked; backchannel logout is triggered.

Triggering backchannel logout is a separate feature and can be used without login_session_id or with all=true parameter.

Related issue(s)

#2666

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

Tests and documentation will be commited after inital acceptance of the proposed feature.

[codecov]

Codecov Report

Merging #2844 (1bea1b7) into master (6e1f545) will increase coverage by 0.08%.
The diff coverage is 82.35%.

❗ Current head 1bea1b7 differs from pull request most recent head 1ea545b. Consider uploading reports for the commit 1ea545b to get more accurate results

@@            Coverage Diff             @@
##           master    #2844      +/-   ##
==========================================
+ Coverage   76.85%   76.93%   +0.08%     
==========================================
  Files         124      124              
  Lines        9164     9253      +89     
==========================================
+ Hits         7043     7119      +76     
- Misses       1672     1680       +8     
- Partials      449      454       +5     

Impacted Files	Coverage Δ
client/client.go	76.41% <ø> (ø)
consent/manager.go	100.00% <ø> (ø)
consent/handler.go	66.96% <53.84%> (+0.19%)	⬆️
consent/strategy_default.go	69.93% <84.00%> (+0.42%)	⬆️
persistence/sql/persister_consent.go	87.96% <95.65%> (+0.55%)	⬆️
consent/manager_test_helpers.go	97.93% <100.00%> (ø)

... and 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[web-kat]

@aeneasr aside from being out of date with master, is there anything holding this body of work back?