FEATURE: Add logout functionality to SSO Provider protocol (#8816)

This commit adds support for an optional "logout" parameter in the
payload of the /session/sso_provider endpoint.  If an SSO Consumer
adds a "logout=true" parameter to the encoded/signed "sso" payload,
then Discourse will treat the request as a logout request instead
of an authentication request.  The logout flow works something like
this:

 * User requests logout at SSO-Consumer site (e.g., clicks "Log me out!"
   on web browser).
 * SSO-Consumer site does whatever it does to destroy User's session on
   the SSO-Consumer site.
 * SSO-Consumer then redirects browser to the Discourse sso_provider
   endpoint, with a signed request bearing "logout=true" in addition
   to the usual nonce and the "return_sso_url".
 * Discourse destroys User's discourse session and redirects browser back
   to the "return_sso_url".
 * SSO-Consumer site does whatever it does --- notably, it cannot request
   SSO credentials from Discourse without the User being prompted to login
   again.
Matt Marjanović
2020-02-03 09:53:14 -08:00
committed by GitHub
parent 98e9302c26
commit ad2aa7b52c
3 changed files with 34 additions and 0 deletions
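
The signed logout request described in the commit message, sketched from both sides as an added example (not code from this commit or from Discourse). It assumes the payload format of Discourse's SSO provider protocol, which this page does not show: a URL-encoded query string, Base64-encoded, with a hex HMAC-SHA256 signature under the shared secret. The secret, URLs and function names are constructed for illustration.

```ruby
require "openssl"
require "uri"

SSO_SECRET = "constructed-shared-secret" # constructed sample value, not a real key

# Consumer side: build the query string sent to /session/sso_provider.
# With logout: true the payload carries "logout=true" next to the usual fields.
def build_sso_request(secret, return_sso_url, nonce, logout: false)
  fields = { nonce: nonce, return_sso_url: return_sso_url }
  fields[:logout] = "true" if logout
  payload = [URI.encode_www_form(fields)].pack("m0") # strict Base64, no newlines
  sig = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  URI.encode_www_form(sso: payload, sig: sig)
end

# Constant-time string comparison so the check does not leak a prefix match.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side: verify the signature first, then decode the fields.
# Nothing in the payload (including logout and return_sso_url) is
# trusted until the HMAC matches.
def parse_sso_request(secret, query)
  params = URI.decode_www_form(query).to_h
  payload = params["sso"].to_s
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  raise ArgumentError, "bad signature" unless secure_eq(params["sig"].to_s, expected)

  fields = URI.decode_www_form(payload.unpack1("m0")).to_h
  {
    nonce: fields["nonce"],
    return_sso_url: fields["return_sso_url"],
    logout: fields["logout"] == "true"
  }
end
```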

@ -54,6 +54,12 @@ class SessionController < ApplicationController
return
end
if sso.logout
params[:return_url] = sso.return_sso_url
destroy
return
end
if current_user
sso.name = current_user.name
sso.username = current_user.username
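
Review bot: The `if sso.logout` branch passes the payload's `return_sso_url` to `destroy` by assigning it to `params[:return_url]`, and nothing in this hunk shows whether that URL is checked before the browser is redirected to it. Please confirm that the signature of the `sso` payload is verified before this point is reached and that `destroy` only redirects to targets it should, and add a short comment saying so. Passing the URL through a mutated `params` also hides the coupling with `destroy`, so an explicit argument or a small helper would read more clearly. Because the branch sits ahead of `if current_user`, it also runs when no user is logged in; a comment or spec covering that case would help.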