Add id_token_hint to the post logout redirect uri

[CSDUMMI]

The OneLogin IdP requires the id_token_hint field to be set to the previously issued access token in the end session uri to perform a logout and redirect the user to the post logout uri.[^1]

The Keycloak IdP requires the id_token_hint field to be set to avoid a confirmation dialog before redirecting them to the post logout uri.[^2]

This PR adds the id_token_hint to support this behavior by the IdPs. I'm open to only enabling this through an option that is disabled by default.

[^1]: See #140 and https://developers.onelogin.com/openid-connect/api/logout [^2]: See keycloak documentation: https://www.keycloak.org/docs/latest/securing_apps/#logout

[kitebuggy]

Great work, thank you.

[CSDUMMI]

The tests fail because access_token is now called by encoded_post_logout_redirect_uri and this function calls client.access_token! if no access token has previously been fetched.

The tests do not mock this function and thus a request to example.com is made - expecting an access token but receiving HTML.

I don't know enough about stubbing in Ruby to stub this particular behavior.

[CSDUMMI]

@stanhu can you review this PR or is there somebody else I can talk to?

[drjole]

Hello everyone! Will this PR be merged at some point? Thanks for your work.