Geo: Single Sign Out

Gabriel Mazetto requested to merge feature/geo-single-signout into master

Implements Single Sign Out for Geo (#76).

The initial proposal was to generate a hash based on the access_token, but that created an O(N) cost against a desirable O(1), as a new access_token is generated for each new login. To overcome that cost we would need to send a "public identifier" to help retrieve the correct access_token and provide that during the login process.

This is also how most Single Sign On implementations work (they provide some sort of session_id, that we notify every node to invalidate, during the sign out process).

As I don't want to modify our OAuth table (that is managed by doorkeeper) nor change the way our login process works, the solution is to encrypt the access_token using a symmetric key known by both nodes, and expire the access_token after the logout to prevent replay attacks (otherwise we would need to send a nonce and store that on the primary).

The key is based on Gitlab::Application.secrets.db_key_base, which we already use to encrypt database attributes and which is synced between both nodes. We communicate by sending a state parameter, which is known terminology in the OAuth protocol.

Although this is implemented with Geo only in mind, we can backport it to CE (with minimal changes) and provide it as a "non-standard" way of single sign off for applications that integrate with GitLab.

Fixes #522 (closed)
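
The scheme described above, as an added sketch that is not code from this merge request or from GitLab: the access_token is encrypted into a `state` value, the receiving node decrypts it, looks the token up in O(1), and expires it so a captured `state` cannot be replayed. AES-256-GCM, the SHA-256 key derivation, the in-memory token table and all function names are assumptions.

```ruby
require 'openssl'
require 'base64'

# Constructed stand-in for the secret synced between nodes (the description
# names Gitlab::Application.secrets.db_key_base; this value is made up).
SHARED_SECRET = 'constructed-db-key-base-for-illustration'

# Assumed derivation: hash the shared secret down to a 32-byte AES key.
def state_key
  OpenSSL::Digest::SHA256.digest(SHARED_SECRET)
end

# Sending node: encrypt the access_token into a URL-safe `state` value.
def build_logout_state(access_token)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = state_key
  iv = cipher.random_iv # 12 random bytes, fresh for every message
  ciphertext = cipher.update(access_token) + cipher.final
  Base64.urlsafe_encode64(iv + cipher.auth_tag + ciphertext)
end

# Receiving node: returns the token, or nil if the state is malformed or
# fails authentication (tampered, or encrypted under another key).
def read_logout_state(state)
  raw = Base64.urlsafe_decode64(state)
  return nil if raw.bytesize < 29 # 12-byte IV + 16-byte tag + data
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = state_key
  decipher.iv = raw[0, 12]
  decipher.auth_tag = raw[12, 16]
  plain = decipher.update(raw[28..-1]) + decipher.final
  plain.force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Receiving node: O(1) lookup keyed by the token itself, then expire it so
# replaying the same state is rejected without storing a nonce.
def handle_logout(state, tokens)
  token = read_logout_state(state)
  record = token && tokens[token]
  return :rejected if record.nil? || record[:revoked]
  record[:revoked] = true
  :signed_out
end
```

Authenticated encryption matters here because the receiving node acts on the decrypted value; with an unauthenticated mode, a modified `state` would decrypt to attacker-influenced bytes instead of failing.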