A companion service that adds OIDC backchannel logout handling in front of oauth2-proxy
oauth2-proxy has no OIDC backchannel logout endpoint. When an IdP (Keycloak, Authentik, Okta, Azure AD) triggers a global sign-out and POSTs a logout token to registered clients, oauth2-proxy has nowhere to receive it. Sessions in other browsers or tabs stay alive until they expire naturally, breaking the security guarantee that SSO sign-out provides.

This companion service sits in front of oauth2-proxy, exposes the OIDC backchannel logout endpoint, validates incoming logout tokens (JWT, sub/sid claims, nonce-less, event claim), and evicts the matching session from the shared Redis session store that oauth2-proxy already uses. No changes to oauth2-proxy are required. It registers itself with the IdP as the backchannel logout URI, listens for POSTs, and purges the Redis key whose prefix and structure match oauth2-proxy's session key format.

The result is cross-browser, cross-device, near-instant session invalidation on SSO sign-out, which is the behavior engineers expect but oauth2-proxy has not shipped in four-plus years of open issues.
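The logout-token checks listed above, following OpenID Connect Back-Channel Logout 1.0, as an added example that is not the companion service's own code. HS256 with a shared key is an assumption made so the example runs on the Python standard library alone (a deployment would verify the IdP's asymmetric signature against its JWKS with a JWT library); the function names and the `seen_jti` replay cache are also assumptions.

```python
import base64, hashlib, hmac, json, time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Stand-in for the IdP (assumption): builds a constructed HS256 token for tests."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None, skew=60):
    """Return (sub, sid) identifying the session to evict, or raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(mac, b64url_decode(sig))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256" or not sig_ok:  # algorithm is pinned, never taken from the token
        raise ValueError("bad algorithm or signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(t, (int, float)) for t in (iat, exp)) or iat > now + skew or exp < now - skew:
        raise ValueError("missing, future-dated or expired iat/exp")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("not a backchannel logout event")
    if "nonce" in claims:  # a nonce means an ID token is being passed off as a logout token
        raise ValueError("nonce is prohibited in logout tokens")
    sub, sid = claims.get("sub"), claims.get("sid")
    if not (isinstance(sub, str) or isinstance(sid, str)):
        raise ValueError("need sub and/or sid")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return sub, sid
```

The returned `(sub, sid)` pair is what the service would use to locate the session to delete in Redis; that lookup is not shown here.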