Align with backchannel logout OIDC spec

[Spitfireap]

fixes #1430

Current behaviour

Backchannel logout yields a HTTP/400 error when the session is not retrieved.
The spec states that it should be considered as a success and thus should return HTTP/200 :

If the identified End-User is already logged out at the RP when the logout request is received, the logout is considered to have succeeded.

Furthermore the response seems to be missing the Cache-Control header (spec).

The BC logout validation is also missing exp token validation (not expired) and iss validation (equals to issuer in discovery endpoint) per Backchannel logout token validation spec and ID Token validation spec

Changes

• Yield a success (HTTP/200) when the session is not found instead of an error (HTTP/400)
• Removed an unused variable from getBackchannelLogoutErrorResponse ($throttleMetadata)
• Increased the severity of the logging when a Backchannel logout fails
• Added the Cache-Control header in the backchannel logout response
• Added a verification for the exp and iss claim

[Spitfireap]

@julien-nc not entirely sure about the change for the error logging.
I think the severity should be increased since it might be a security issue. The thing is : could these be triggered by a random idp and in that case we should perhaps be cautious about using error or it requires the idp to be verified so error would be well suited ?

[julien-nc]

Nice, thanks. Let's get #1431 in first, then you can rebase and adjust this one.

[Spitfireap]

Added some more alignment with the spec (exp + 1 iss validation step).

Was wondering if we should verify that jti and iat claims are there as well (since they are required) or am I overdoing it ?