fix: add optional exp claim to back-channel logout token #4073

Open
ktsu2i wants to merge 1 commit into ory:master from ktsu2i:feature/logout-token-exp

@ktsu2i ktsu2i commented Mar 1, 2026

The OpenID Connect Back-Channel Logout 1.0 specification requires the exp claim in logout tokens, but Hydra currently omits it.

This adds a new ttl.logout_token configuration option. When set (e.g. 2m), the exp claim is included in the logout token.

When unset or 0, the current behavior is preserved for backward compatibility.

Related issue(s)

#4035

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.com) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

@ktsu2i ktsu2i marked this pull request as ready for review March 1, 2026 08:19
@ktsu2i ktsu2i requested review from a team and aeneasr as code owners March 1, 2026 08:19
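
The behaviour described in the pull request text above, as an added Go example that is not part of this PR or of Hydra's code: the issuer side sets `exp` only when a logout-token TTL is configured, and a relying party decides whether a token without `exp` is acceptable. The helper names `buildLogoutClaims` and `checkExp`, the issuer URL, the client ID and the timestamp are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Event member name defined by OpenID Connect Back-Channel Logout 1.0.
const logoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// buildLogoutClaims is a hypothetical issuer-side helper. ttl <= 0 omits exp
// (the backward-compatible default); ttl > 0 sets exp = iat + ttl.
func buildLogoutClaims(iss, aud, sid, jti string, now time.Time, ttl time.Duration) map[string]any {
	c := map[string]any{
		"iss": iss, "aud": []string{aud}, "iat": now.Unix(), "jti": jti, "sid": sid,
		"events": map[string]any{logoutEvent: map[string]any{}},
	}
	if ttl > 0 {
		c["exp"] = now.Add(ttl).Unix()
	}
	return c
}

// checkExp is a hypothetical relying-party check. requireExp=true rejects
// tokens without exp; false tolerates issuers that still omit the claim.
func checkExp(claims map[string]any, now time.Time, leeway time.Duration, requireExp bool) error {
	raw, present := claims["exp"]
	if !present {
		if requireExp {
			return errors.New("logout token has no exp claim")
		}
		return nil
	}
	exp, ok := raw.(int64) // in-memory claims; a JSON-decoded token yields float64
	if !ok {
		return errors.New("exp is not a numeric date")
	}
	if !now.Before(time.Unix(exp, 0).Add(leeway)) {
		return errors.New("logout token expired")
	}
	return nil
}

func main() {
	now := time.Unix(1772352000, 0) // constructed timestamp
	tok := buildLogoutClaims("https://issuer.example", "client-1", "sid-1", "jti-1", now, 2*time.Minute)
	fmt.Println(checkExp(tok, now.Add(time.Minute), 0, true), checkExp(tok, now.Add(3*time.Minute), 0, true))
}
```

A relying party that sets `requireExp` to true will reject every logout token from an issuer running with the TTL unset or 0, so the two settings need to be rolled out together.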

ktsu2i commented Mar 1, 2026

Hi Hydra team ( @aeneasr ),

There are two CI failures, but I’d appreciate it if you could take a look at this PR when you get a chance.
I’d love to get your thoughts on whether the overall approach makes sense.

Thanks!

@Moses-main

Hi team,

I'll add the optional exp claim to back-channel logout token. I have experience with:

  • OAuth/OIDC
  • Go
  • Security tokens

My approach:

  1. Understand the token structure
  2. Add exp claim support
  3. Test the implementation

Please assign!

@ktsu2i ktsu2i force-pushed the feature/logout-token-exp branch from cff6a79 to 76913b0 Compare March 4, 2026 11:15