Merge branch 'synapse-backchannel-logouts' into 'master'

matrix: Enable backchannel logouts from keycloak to synapse

See merge request archlinux/infrastructure!653

roles/matrix/templates/homeserver.yaml.j2

@@ -148,6 +148,7 @@ oidc_providers:
     client_secret: "{{ vault_matrix_openid_client_secret }}"
     scopes: ["openid", "profile", "email", "roles"]
     allow_existing_users: false
+    backchannel_logout_enabled: true
     user_mapping_provider:
       config:
         localpart_template: "{{ '{{ user.preferred_username }}' }}"

tf-stage2/keycloak.tf

@@ -839,6 +839,9 @@ resource "keycloak_openid_client" "matrix_openid_client" {
   valid_redirect_uris = [
     "https://matrix.archlinux.org/_synapse/client/oidc/callback"
   ]
+
+  backchannel_logout_url              = "https://matrix.archlinux.org/_synapse/client/oidc/backchannel_logout"
+  backchannel_logout_session_required = true
 }
 
 resource "keycloak_openid_user_realm_role_protocol_mapper" "matrix_user_realm_role_mapper" {